March 2020

The Chilling Effect: Online Surveillance in the Days of Corona

By: Amir Cahane

Read More

למאמר בעברית לחצו כאן


Prior to the announcement by Prime Minister Netanyahu that “digital means employed in the war on terror” will be used in the struggle against the outbreak of the Coronavirus,[1] epidemiological investigations relied mainly on the questioning of carriers and manual inspection of data concerning their use of credit cards and public transportation charge cards.[2]

The Prime Minister did not provide any details regarding the means to which he was referring, but according to reports in the press,[3] the tool referred to is cellular location tracking with the goal of identifying and verifying the movements of Corona patients and those they come into contact with – rather than monitoring their compliance with self-isolation duties. However, according to the same reports, these tools have already been used to verify epidemiological investigations. Was the Prime Minister hinting that even more invasive technologies than cellular location could be introduced, such as those used in China[4] (or even in Iran[5]), and for additional purposes: not only locating those who came into contact with Corona patients and might have been infected, but also – despite the statements made by law enforcement and security authorities – to enforce the isolation instructions?

Metadata – data that do not include the content of the communications[6] - can reveal extensive information about any person’s actions and conduct.[7] Although it seems at the present that the “digital means” to which the Prime Minister referred relate solely to location data, these means entail considerable violations of the right to privacy and create a potential chilling effect on freedom of movement as well as individual autonomy.[8]

The Communications Data Law authorizes the Israel Police to acquire communications data, including location data for end-use devices, for the purposes of law enforcement and saving lives.[9] The Israel Security Agency Law empowers the ISA to receive various categories of data, including communications data, from the licensed telecommunication provider for the purposes of performing its functions.[10] The Israeli legislator did not envisage the use of location data as an ancillary tool in an epidemiological investigation – and possibly, in the future, as a supporting tool for enforcing isolation.[11]

It is unclear at this point whether the use by the police of location data in the context of verifying epidemiological investigations is based on a broad interpretation of the goal of “saving lives” included in the permitted goals for securing communications data in the Communications Data Law, or on the purpose of discovering and preventing offenses or discovering offenders (insofar as the conduct of carriers of the Coronavirus in the public domain constitute an “act of negligence liable to disseminate a disease with mortal danger.”)[12] The use of communications data through the police would appear to be subject to a judicial order, since urgent permits not requiring a judicial order are limited to 24 hours.[13]

However, the rhetoric of the use of “digital means for the war on terror” helps to frame the Corona crisis in a security context (the securitization of health),[14] thereby preparing the ground for the charging of the ISA with this task. Even if special emergency regulations are not enacted for this purpose, communications data may be used in accordance with the ISA Law, which enables the government to add functions to the ISA’s functions as stipulated in the law.[15] This enables the circumvention of the procedural and substantive safeguards in the Communications Data Law, including judicial review, which does not apply to the use of communications data for security purposes; it also permits action under the legal veil of secrecy behtnid which the ISA operates, particularly regarding the scope of information collected in order to identify potential carriers, its use, processing, dissemination and retention.[16]

Of the three alternatives, it would seem that it is proper to confine ourselves to the first – acquisition of Coronavirus carriers' (and potentially infected persons) location data for the purpose of saving life. From a psychological standpoint, this alternative emphasizes the value of protecting human life in the context of confronting the Coronavirus, and does not diminish the dignity of carriers by criminalizing or securitizing the disease. From a procedural standpoint, acquiring communications data pursuant to the Communications Data Law provides for a minimal level of ex ante judicial review of the process.

Unlike within the context of criminal investigations or counterterrorism activities, the secrecy entailed by epidemiological investigations is intended to protect the personal privacy of the carriers and those with whom they came into contact, and not to conceal the mere fact of their investigation. Accordingly, it is both possible and desirable to remove much of the cloak of secrecy surrounding the “digital means” to which the Prime Minister referred. Even if these means in themselves must remain confidential (in order to maintain special intelligence collection capabilities), the rules that apply to the online monitoring for the purposes of thwarting and containing the spread of the Coronavirus must be made known, and carriers (and potential carriers) subject to monitoring must be informed of this.

At the time of writing, the emergency regulations under which the ISA will be granted emergency powers to locate carriers and those in their surroundings have not yet been approved and published. According to reports, it seems that these regulations will restrict the ISA to use these powers solely for the purpose of the struggle against the Coronavirus and for a period of 30 days.[17]

However, even according to an interpretative approach permitting the monitoring of carriers of the disease for the purpose of saving lives, privacy protection safeguards should be in place. Restrictions should be placed on the permitted period of time of collection; its retention period; and ensuring that the information is properly secured, its dissemination limited, it is used solely for the purpose for which it was acquired (identifying carriers), and any publication thereof is made while maintaining the privacy of carriers as much as possible.[18] These rules cannot be based solely on ex ante judicial review (which in any case is absent in the emerging format based on the ISA’s authorities). An external oversight body is also required to examine their implementation post factum,[19] as well as on an ongoing and daily basis. The absence of such a body is evident in Israel even in normal times.[20]

Authorizing the ISA to assist in locating potential Coronavirus carriers raises again the issue of the absence of specific external and independent oversight body reviewing the agency’s activities (and those of the intelligence community in general). There is a need for an active and effective oversight body, with powers, that can declare certain surveillance means to be unlawful, suspend their activation, or prevent them in advance,[21] and that can also grant personal relief to those whose rights were violated through such actions.[22] European law also regards such powers as the yardstick for the effectiveness of oversight.[23]

The UK’s Independent Reviewer of Terrorism Legislation chose the title “A Question of Trust” for his report on the investigatory powers under British law, and with good reason.[24] It is impossible to completely eradicate the concerns that the rise of the Orwellian spy state in its Chinese incarnation may raise. However, these concerns can be moderated through maximum transparency, full and effective supervision, and the adoption of rules securing a due balance between current needs and the protection of human rights.



[*] Originally posted on March 16, 2020 in Hebrew, prior to the enactment of the Emergency Regulations for ISA and Police location tracking of Coronavirus carriers. A subsequent account of the regulations can be found at Amir Cahane, "The Israeli Emergency Regulations for Location Trancking of Coronavirus Carriers" Lawfare (21.3.2020)


[1] “Netanyahu: We will use digital means to locate where sick people have been,”,7340,L-3801070,00.html (14 March 2020), Ynet [in Hebrew]

[2] Roni Linder, “People are shocked when they find out that they have Corona, in some cases people hide information,” TheMarker (8 March 2020), [in Hebrew]

[3] Netael Bendel, Noa Landau and Josh Breiner, “Attorney General approves Cuber Tech to Track Coronavirus Patients,” Haaretz (15 March 2020),; Netael Bendel, Noa Landau, and Jonathan Liss, “Government supports location of telephones of Corona patients; Subcommittee of Foreign Affairs and Defense Committee will decide,” Haaretz (15 March 2020), [in Hebrew].          

[4] Alexandra Ma, "How the coronavirus outbreak could help fuel China's dystopian surveillance system" Business Insider (2.2.2020), available at; Lily Kuo, "'The new normal': China's excessive coronavirus public monitoring could be here to stay" The Guardian (9.3.2020) available at; Eamon Barrett, "The coronavirus is giving China cover to expand its surveillance. What happens when the virus is gone?" Fortune (2.3.2020), available at           

[5] The Iranian case is different. In Iran, an application monitoring Corona symptoms was disseminated with the encouragement of the Ministry of Health, but proved in fact to be as monitoring application, possibly for broader purposes than thwarting and containing the epidemic. See: Researcher: Iran’s coronavirus ‘detection’ app could have spied on users" The Week (10.3.2020) available at ; David Gilbert, "Iran Launched an App That Claimed to Diagnose Coronavirus. Instead, It Collected Location Data on Millions of People." Vice (14.3.2020) available at

[6] The definition of “communications data” in the Communications Data Law is narrower, defining the term as data of identification, location, and traffic. According to the ISA Law, “information” means any information that is not content data, including communications data.     

[7] For example, a report issued in March 2015 by the Intelligence and Security Committee (ISP) of the UK parliament noted that the Government Communications Headquarters (GCHQ) believes that in the context of bulk collection, data ancillary to the content data (i.e. metadata) are significantly more valuable than the content data themselves. Intelligence and Security Committee of Parliament, Privacy And Security: A Modern And Transparent Legal Framework (12.3.2015); European Commission For Democracy Through Law, Report On The Democratic Oversight Of Signals Intelligence Agencies , Para. 48 (15.12.2015) (hereinafter: “the Venice SIGINT Report”); Parliamentary Joint Committee on Intelligence and Security, Review of the mandatory data retention regime, submission 29 by the Law Council of Australia, Para. 71 (18.7.2019); Daragh Murray & Pete Fussey, Bulk Surveillance in the Digital Age: Rethinking the Human Rights Law Approach to Bulk Monitoring of Communications Data, 52 Israel Law Review 31–60 53-55 (2019).

[8] An example in the context of CCTV cameras on the street is the concern expressed by Judge Hermlin in Parking Case 72118789, State of Israel v David Mizrahi (7.10.2018). See also: Deborah Hurley, Taking the Long Way Home: The Human Right of Privacy, in Privacy in the Modern Age: The Search for Solutions (Marc Rotenberg, Julia Horwitz, and Jeramie Scott, Eds., 2015). More recently, Bagaric, Loberg & Hunter proposed a model for electronic surveillance (using automated means to monitor a wide range of behaviors based on a dedicated network of sensors, rather than online monitoring means) as an alternative to imprisonment, emphasizing the potential for the panopticonic deterrence of criminals. See: Mirk Bagaric, Dan Hunter and Colin Loberg, Introducing Disruptive Technology to Criminal Sanctions: Punishment by Computer Monitoring to Enhance Sentencing Fairness and Efficiency 85 Brook. L. Rev 39-403 (forthcoming, 2019; 26.3.2019 Draft).

[9] Criminal Procedure Law (Enforcement powers – Communication Data), 5768-2007, SH No. 2122 p.72 (Isr.) (Hereinafter: "Communication Data Law"). See also "Systematic Government Access to Private-Sector Data in Israel: Balancing Security Needs with Democratic Accountability" in Bulk Collection: Systematic Government Access to Private-Sector Data 91-110  100-103 (Fred H. Cate and James Dempsey, eds., 2017)

[10] Section 11 of the Israel Security Agency Law, 5762-2002, SH. No. 1832, 179 (hereinafter: “the ISA Law”). For an annotated translation of the Section's provisions, see Tene, ibid, at 103-106.

[11] Under the UK Investigatory Powers Act acquisition of communications data is authorized for the purposes of protecting public health; see Investigatory Powers Act 2016, Art. 61(7)(e), c.25 (Eng.) (hereinafter: “the Investigatory Powers Act (IPA”). However, the identity of the authorities empowered under the act to obtain the data (such as the Healthcare Products Regulatory Agency or the Counter Fraud Services of the various health services in the kingdom see. Schedule 4 of the act), it is clear that the British legislator was not cognizant of the possibility that location data could be used to confront an outbreak of an infectious disease.

[12] Section 218 of the Penal Code, 5737-1977, SH No. 5737, 226 (hereinafter: “the Penal Code”).

[13] Section 4 of the Communications Data Law.

[14] Jeremy R. Youde, "Biosurveillance as National Policy: The United States’ National Strategy for Biosurveillance" The Politics of Surveillance and Response to Disease Outbreaks 137-155 146-148 (Sara E. Davis and Jeremy R, Youde, eds., 2015.

[15] Section 7(B)(b) of the ISA Law. The addition of these functions is subject to the approval of the Knesset Committee for ISA Affairs (the Intelligence and Secret Services Subcommittee of the Knesset Foreign Affairs and Security Committee).

[16] All these will be established in rules (section 11(B), (D), and (E) of the ISA Law) whose publication is prohibited (section 19(A) of the ISA Law).

[17] According to Bendel, Landau, and Liss (note 3 above), “the decision will be valid solely for the struggle against Corona and for 30 days, after which all the information will be completely erased. The ISA will not make any other use of the information, and it will be forwarded directly to the Ministry of Health, which will send the notifications to telephones. The violation of the guidelines will be considered a criminal offense.”

[18] See, for example, Jelena Gligorijevic, "Coronavirus, Media Reportage and Patient Privacy" Inforrm's Blog (7.3.2020) available at .

[19] Hans Born and Gabriel Geisler Mesevage, Introducing Intelligence Oversight in Overseeing Intelligence Services: A Toolkit 3-24 20 (Hans Born and Aidan Wills, eds.,2012); Sarah Eskens, Ot van Daalen and Nico van Eijk, Ten standards for oversight and transparency of national intelligence services IViR (Institute for Information Law, 2015); Monica den Boer, Conducting Oversight in Overseeing Intelligence Services: A Toolkit 69-88, 79 (Hans Born and Aidan Wills, eds.,2012); A/HRC/14/46, HRC report on Compilation of good practices on legal and institutional frameworks for intelligence services and their oversight para. 13, 32, 35 (2010). See also the recommendations of the Venice SIGINT Report, note 7 above, paras. 118, 120.

[20] Amir Cahane and Yuval Shany, “Partly undercover: Judicial Review of Online Surveillance in Israel” Parliament 83 (6.2.2019) [in Hebrew]:

[21] Council of Europe Commissioner for Human Rights, Democratic and effective oversight of national security services 11-13 (2015); EU Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU, vol. II 14 (2017) (hereinafter: “FRA 2017b”); HRC 2010, note 19 above, paras. 32,35; Eskens, van Daalen & Van Eijk, note 19 above, 38.

[22] Hans Born and Ian Leigh, Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies 109r (2005); Craig Forcese, Handling Complaints about Intelligence Services in Overseeing Intelligence Services: A Toolkit 181-200 195 (Hans Born and Aidan Wills, eds.,2012; HRC 2010, ibid., para. 18; FRA 2017b, 14; Venice SIGINT Report, note 7, para. 26.

[23] See for example, Weber and Saravia v. Germany, No.54934/00 Eur. Ct. H.R. (2006), para 80,167; Klass & Others v. Germany, No. 5029/71, Eur. Ct. H.R. (1978), para 21,53,56.

[24] David Anderson, A Question of Trust: Report of the Investigatory Powers Review , Chapter 13 (2015).



Read Less

Route Hijacking and DoS in Off-Chain Networks

By: Saar Tochner    Posted previously at Medium

Read More

In our new paper, we uncovered a new denial-of-service (DoS) attack that could sabotage payments on the Lightning Network. This method exploits the routing mechanism to attract and hijack transactions using a small number of channels owned by the attacker.
Through our experiments, just five new channels (costing less than 1$) are enough to draw the majority (55% — 75%) of the traffic between nodes. With 30 channels the attacker will hijack more than 80% of all transfers.

Off-chain peer-to-peer networks (a.k.a. payment channel networks)
are a promising approach to mitigate Bitcoin’s scalability problem, which currently supports only dozens of transactions per second.

What is the Lightning Network?

The nodes in the lightning network avoid the overhead of a global consensus for each transaction. Every pair of nodes locks money on the blockchain, which creates a logical “channel” for payments. A payment through this channel is simply an agreement on a new division of the locked funds. Blockchain transactions are only used when opening and when closing the channel.


The Lightning Network’s graph, where channels are edges.

Things get a bit more complex when some sender wants to send money to a node he is not directly connected to. In this mechanism, the source node finds a path in the network’s graph and performs an atomic transfer of money on all channels in the path. To incentivize nodes to participate, the source node pays a fee for using each channel. Nodes publish this fee for all to see, and senders can choose which route they prefer. This is done using a routing algorithm, which prefers routes with lower fees (other parameters are also considered).

Route Hijacking

The attack we present is to strategically create channels with low fees, which attract many nodes to route through them. The attacker then deliberately fails to execute transfers, thereby executing a wide DoS attack.

Route hijacking

We studied the three major implementations of the Lightning Network (LND, Eclair, C-Lightning) and simulated each nodes’ decisions for routes. In general we find that all three implementations are similarly susceptible, in spite of their slightly different routing mechanisms.

We base our experiments on the topology of the actual network (which is publicly shared in order to allow nodes to route). Since we do not know the real pattern of transfers, we assume that every pair of nodes in the network tries to execute a single transaction between them.

The following figure shows what percentage of the paths we are able to hijack as a function of the number of channels the attacker added to the network.


An attacker that creates 5 channels with the “right” nodes will hijack more than 50% of the transactions in the network. If he will create 30 channels, then he will hijack 80%.

The liquidity that the attacker needed to place in each channel, is just the maximum over the size transactions he wishes to block.

We can additionally evaluate how many nodes in the current graph can collude to perform a hijack (e.g., if the attacker is already embedded in the network graph). The figure below shows the number of transactions that are currently routed through the most influential nodes.


The percentage of transactions the route through the “strongest” nodes

All three implementations randomize over routes to some extent (thus they won’t always use the lowest fee route). C-lightning’s approach was to add “fuzz”, which is random noise to the “weight” function of channels. Fuzz was added as a multiplier to the fee. We notice that this form of noise does little to stop the attack since we use much lower fees than others in the network.


Attacker hijack nodes that use fuzz because of extremely low fees

A second approach, taken by Eclair, was to uniformly select one of the top three routes. This too fails badly as a defensive strategy against our attack, and in some cases makes things worse.

The example below explains why: if a source is trying to route to the target, then he will be hijacked with probability 0.5. But, with Eclaire’s “top 3” approach, he will be hijacked with probability 0.66.


Choose uniformly from the top 3 routes is worse than choosing randomly between the optimal routes

Lastly, LND’s approach punishes nodes along a route that recently failed to forward a transaction. Weight is added to every channel in this route (the specific failing channel is unknown due to onion routing). This method should make the node more resilient to hijacking and denial of service over time.


Too much time passes between trials, which makes the penalty small

In order to avoid blocking failed routes for prolonged periods of time, LND’s penalty decreases over time. The exact formula for the decay depends on two parameters: n (which is hardcoded to be 100), and h that denotes the number of hours from the last failure to route. The figure to the left shows the impact of the attack for various values of these parameters.

Note that during the attack, the attacker can increase the time that passes between transaction failures (timeouts in lightning can even be several days!) and can thus decrease the penalty for past failing routes.


We consider routing hijacks an important threat to the network. If relaying nodes are to gain from participating, they will try to extract fees, and attackers that are willing to forgo these fees will be able to attract traffic. On the other hand, if senders randomize on routes with no regard to fees, intermediaries will raise transfer fees and use of the network will be prohibitively expensive. Attackers may be difficult to identify, since they can use more than a single nodes (a Sybil attack).

Currently implemented methods for routing do not adequately protect the network, however we are hopeful! Since we first published our paper (6 months ago), routing mechanisms were significantly improved. Specifically, LND has implemented the above method during that period. Unfortunately, as described broadly in the paper, the network is still vulnerable, and further work on routing is needed.

We encourage you to look at more details in our full version of the paper, we welcome any question, constructive feedback, and future cooperation.

Read Less