Cybersecurity & Tech Foreign Relations & International Law

Expanding Surveillance Powers? Israel’s Draft Bill to Revise Shin Bet Law

Amir Cahane
Thursday, March 21, 2024, 9:11 AM
The bill provides the government with certain novel surveillance and remote interference authorities.
Isaac Herzog hosting the heads of the Shin Bet, October, 2021 (Amos Ben Gershom, https://commons.wikimedia.org/wiki/File:Isaac_Herzog_hosting_the_heads_of_the_Shin_Bet,_Nadav_Argaman_and_Ronen_Bar,_October_2021_%28GPODBG_7006%29.jpg; Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

On Dec. 11, 2023 the Israeli Ministry of Justice published a draft bill to amend the Israel Security Agency (ISA) Law, which governs the authorities conferred to the ISA—also known as Shin Bet, Shabak, or the General Security Service (GSS). The draft bill, which focuses primarily on the agency’s surveillance powers, extends the scope of the ISA’s statutory duty to perform security vetting—adding to its ambit third parties, which are not directly employed by government bodies but nonetheless are exposed to classified materials—and authorizes the ISA to employ malware measures, among other changes. 

Background

The ISA’s surveillance measures were brought to light during the coronavirus pandemic, as the Israeli government opted to openly rely on the “Tool,” the ISA’s communications metadata database, to geolocate coronavirus carriers and persons with whom they had been in close contact. This Israeli Snowden moment—which unveiled the ISA’s robust gathering of communications metadata for more than two decades—has prompted litigation in connection with its use for epidemiological purposes. However, as the coronavirus pandemic slowly faded away, and the reliance on counterterrorism measures for coronavirus-related location tracking was phased out (and reintroduced briefly following the emergence of the omicron variant), the “regular” ISA use of the Tool for counterterrorism, counterespionage, and other purposes has carried on. 

The existing legal framework authorizing the Tool is the short Section 11 of the ISA Law, under which the prime minister is empowered to mandate licensed telecommunications service providers to transfer to the ISA certain categories of data the ISA requires to fulfill its statutory duties. “Data” is broadly defined in the statute as “data, including communications data and excluding the contents of any conversation”—with “conversation” defined by the Wiretap Act as the following: “aurally or electronically, including by phone, radio phone, cellular phone, facsimile, telex, teleprinter or between computers.” Accordingly, all types of metadata are capturable under the ISA Law, including traffic, location, identification, and web usage data. The ISA Law does not require any ex ante judicial review of the service’s metadata surveillance practices. The use of data obtained under the ISA Law is subject only to the authorization of the ISA director. Such authorization may be given for periods not exceeding six months, and it may be renewed indefinitely. The rules promulgated under the ISA Law that govern the use, retention, security, and processing of such data are set by the prime minister, and like all rules set under the provisions of the ISA Law, they remain classified.

This skeletal framework—whose substantial safeguards and oversight mechanisms are classified—was challenged last year in the Israeli Supreme Court by the Association for Civil Rights in Israel. The petitioners challenged the framework on several grounds. They argued that the ISA authorization under Section 11 to “bulk collect” the communications metadata belonging to Israelis is not sufficiently explicit; substantial issues are left under Section 11 to be decided by the prime minister in classified rules, in violation of the Israeli “primary arrangements” doctrine (according to which general policy and its guiding principles must be enshrined in statute); the approval mechanisms lack judicial ex ante review; Section 11 authorization should be limited to a narrower set of purposes (security vetting activities should be excluded, for example); Section 11 does not contain special protective measures for privileged professionals and journalists; and there are insufficient ex post and real-time independent expert oversight mechanisms.

This case, which is still pending, is one of the catalysts of the proposed amendments in the draft bill, which introduces changes to Section 11. Another recent petition, also pending, argues that, in light of recent revelations of the Israeli National Police’s (INP’s) use of the NSO Group’s malware (Pegasus) and the subsequent report on the matter by the Ministry of Justice, neither the INP nor the ISA can use malware without explicit statutory authorization. 

Database Acquisition

Section 8A of the proposed legislation offers a framework for handling databases, which echoes the U.K.’s Investigatory Powers Act notion of bulk personal datasets. According to the bill, the ISA shall be authorized to receive or collect a database that is required for purposes of the ISA’s core statutory duties—the prevention of illegal activities threatening national security and the democratic order, as well as the protection of individuals, information, and places determined by the government to be in need of protection. The bill does not define or elucidate the terms “receive” or “collect,” which may refer to one-time acquisition as opposed to continuous online siphonage of a database, or to the measure of consent by the database owner to share the data. 

The breadth of the ISA’s authority to acquire databases under the bill depends on the sensitivity of the content within those databases. The proposed definition of “sensitive data” includes data regarding one’s personal, political, or religious views and data revealing details about one’s intimate affairs (such as sexual conduct and preferences, family relations, and private conduct), unless data in those two categories “may establish actual concerns of illegal activities.” Also included in the sensitive data bucket, though without the “illegal activities” caveat, are medical and genetic data, data that is confidential by law (excluding confidentiality stemming from the Protection of Privacy Law), contents of conversations within the meaning of the Wiretap Act, financial data, and biometric identifiers. The ISA may not collect databases that contain solely sensitive data. However, the ISA can acquire nonsensitive data from datasets that contain both sensitive and nonsensitive data so long as the acquisition excludes all sensitive data.

The EU Commission recently determined that the Israeli legal framework of government access to personal data provides an adequate level of protection for data transfers from the EU. While the current statutory surveillance powers of the ISA may be reconciled with EU adequacy standards, legislators should nonetheless tread cautiously in the context of the EU when considering the bill, as the commission will continue to monitor future developments. The significant carve-outs of types of data from the proposed database acquisition powers based on data sensitivity may represent the bill’s drafters’ efforts to prompt a favorable EU adequacy decision. 

Under the proposed legislation, in response to an application by the ISA director, the prime minister, after receiving the opinion of the attorney general, may approve an acquisition of a database by the ISA. In his approval, the prime minister shall consider whether the infringement of such acquisition on privacy rights is proportional to the degree to which it advances the ISA’s core statutory duties. Such approval remains in effect for up to two years and may be renewed indefinitely for periods not exceeding two years subject to a similar application procedure. 

The ISA may use databases acquired under the proposed Section 8A in pursuing all of its statutory purposes (which include, alongside ISA’s core statutory duties, security vetting or setting security procedures for certain government and private organizations). The bill further stipulates that the ISA director may authorize ISA employees to use such databases for periods not exceeding 12 months, which may be renewed. The use, deletion, and retention of such databases will be governed under internal ISA classified rules. 

Under the proposed Section 8B, the ISA director shall be authorized to allow the transfer of any database acquired pursuant to Section 8A to another party, which will be authorized to hold such data under the ISA’s classified rules. Those databases will not include data about Israeli residents. 

Remote Searching

Another array of surveillance powers stipulated by the bill are related to remote searching. The bill explicitly expands the ISA’s search powers to include cyber intelligence capabilities. Under the proposed revisions to Section 10 of the law, the prime minister may authorize ISA employees to search a computer remotely, without the knowledge of its owner, provided that the prime minister is convinced that the targeted device contains information essential to the fulfillment of ISA’s core statutory duties (or any other activity deemed necessary to national security interests by the government and authorized by the Knesset’s Intelligence and Secret Services Subcommittee). Such authorization shall be granted provided that it is the least intrusive means of obtaining this information.

The only ex ante judicial review of ISA secret searches—remotely or physically—applies to certain protected professionals (lawyers, medical doctors, social workers, psychologists, and clerics) whose devices, premises, or belongings may be secretly searched only if they are suspected to be involved in a crime that threatens national security, and subject to a court order pursuant to an application by the ISA director.

Cyber Measures

While the bill mostly outlines surveillance powers, its introduction of remote interference powers is its prominent novelty. The ISA amendment bill permits the ISA director—with the prime minister’s approval—to authorize ISA employees to penetrate and disrupt computers and devices (the bill does not note whose computers or devices). Under the proposed Section 10A, the prime minister may give such authorization to disrupt or interfere with the operations of a computer, as well as its software or data, provided that such cyber operation is a vital counterterrorism or counterespionage measure against a threat to human lives or national security. 

Further, such authorization shall be granted provided that there are no alternative measures less intrusive for the rights at stake that can be reasonably employed to achieve these ends. Applications targeting protected professionals shall be subject to the attorney general’s approval. 

The “Tool” Revised? Metadata Acquisition 

The proposed amendment bill also tackles the bulk metadata collection powers of the Tool under Section 11. The bill provides a new definition of “data”: “communications data as defined in the [classified ISA] rules … as well as technical communication systems data, excluding content data and including internet usage data that are not the contents of human communications.” The definition provides two important clarifying points. First, this makes clear that under the existing catch-all definition of “data” in the ISA Law, web users’ URL history is included (this also could have been inferred from the recent statutory prohibition on systematic consumption of online terror content). Second, the reference to a classified definition of communication data leaves open the possibility of the potential wide scope of types of data that might be captured by the term.

Under the current legal framework, the prime minister may establish in classified rules which data the ISA needs and may obtain from a telecommunications provider. The bill stipulates that the prime minister, prior to authorizing the ISA to obtain access to certain categories of data, must consider the privacy infringements involved and must be convinced that the benefits of the acquisition outweigh the harms of those infringements. Similar considerations are to be applied by the ISA director when ordering a telecommunications provider to produce the ISA with said data. Such an order will be classified and effective for a period not exceeding five years. It’s also worth noting that web history data may be used for the ISA’s core statutory duties only. 

The bill further stipulates that after acquisition of the metadata, its use is subject to authorization by the ISA director on a year-to-year basis. Such use is required under the bill to minimize privacy infringements. For that purpose, the classified rules shall determine matters such as the way the data is processed, retained, and accessed as well as particular protective arrangements for privileged professions. The ISA shall provide classified reports—quarterly to the attorney general and the prime minister, and annually to the Knesset’s Intelligence and Secret Services Subcommittee—on the acquisition and use of metadata under Section 11.

Oversight and Emergency Procedures

The bill does not amend the existing ex ante oversight regime, which mostly relies on authorization from the prime minister. The bill, however, introduces emergency procedures that allow the ISA director to authorize database acquisition, remote searching, and cyber measures when the prime minister is not available. In these cases, the prime minister and the attorney general will be notified promptly, and the prime minister may retroactively revoke such authorization (in the case of cyber measures, the attorney general may also revoke emergency authorizations). However, the use of a database acquired pursuant to an emergency procedure will be subject to approval by the prime minister. 

The bill leaves in place the same institutional actors entrusted with ex post oversight, to which the ISA reports. Under the bill, the ISA must provide quarterly classified reports to the attorney general and to the prime minister on databases acquired under Section 8A, databases transferred to other parties under Section 8B, and the acquisition and use of metadata under Section 11, as well as monthly reports on remote searching activities and cyber operations to the attorney general. Similar classified reports on the use of all these powers must be provided annually to the Knesset’s Intelligence and Secret Services Subcommittee.

Although the bill outlines minimal requirements as to the content of the periodic reports to the Knesset subcommittee and to the prime minister, the existing lack of transparency and problematic oversight mechanisms remain. While the attorney general may provide some external ex post review of the ISA’s surveillance practices, no judicial or independent ex ante authorization has been introduced. And no institutional reforms, such as a much needed independent expert oversight body, were suggested in the bill.

Classified Data Governance and Future Expansion of Powers

Two remaining provisions in the proposed bill regard all the surveillance powers discussed so far. Section 11B provides that the prime minister shall set classified rules regarding retention periods, as well as deletion and purging of data obtained by the ISA pursuant to these surveillance measures. Retention periods must not exceed five years unless the ISA director determines otherwise regarding certain data that the director decides are required for a specific investigation. 

Section 11A is an attempt at future proofing. It stipulates that if data are required for the prevention of offenses that fall under the purview of the ISA’s core statutory duties (or any other duty set by the government and authorized by the Knesset’s Intelligence and Secret Services Subcommittee), and the surveillance powers afforded by the proposed bill do not cover their acquisition or use, then the ministerial committee on ISA matters (with the approval of the parliamentary subcommittee) may grant the ISA the necessary authorization for a period of one year, which may be extended for another year. 

Conclusion

Some commentators in Israeli media have framed the proposed bill as an attempt by the government to cement new authoritarian powers during the ongoing crisis in Gaza. This view of the bill appears to be sensationalist, as it is more likely that the proposed amendments to the ISA Law, which focus mostly on powers challenged by the current litigation, were prompted by these cases

However, whether the bill is a deliberate authoritarian move or an attempt to buttress the ISA Law during ongoing constitutional proceedings, the bill remains problematic. As discussed above, the bill refrains from introducing institutional change to the oversight ecosystem and relies on executive ex ante authorization for its surveillance powers, supplemented by parliamentary ex post oversight. 

While the bill introduces new statutory surveillance powers, such as database acquisition, remote searching, and offensive cyber authorities, it is highly likely that the ISA has been in practice using these capabilities under an expansive reading of the existing law. Accordingly, it is plausible that the current litigation serves as a catalyst for the ISA to codify this reading into statutory law.

However, “codify” may be a misleading term. The vague language of the bill, in conjunction with the continued deferral of substantial issues to classified executive rules, and the temporary authorization procedure for surveillance practices not covered under the ISA Law, provide the ISA with interpretational leeway to introduce new surveillance measures with no public scrutiny.


Amir Cahane is a research fellow in the 3 Generations of Digital Rights ERC Project, and a research fellow in The Federmann Cyber Security Research Center—Cyber Law Program, Hebrew University of Jerusalem.

Subscribe to Lawfare