The Chilling Effect: Online Surveillance in the Days of Corona

By: Amir Cahane

למאמר בעברית לחצו כאן

 

Prior to the announcement by Prime Minister Netanyahu that “digital means employed in the war on terror” will be used in the struggle against the outbreak of the Coronavirus,[1] epidemiological investigations relied mainly on the questioning of carriers and manual inspection of data concerning their use of credit cards and public transportation charge cards.[2]

The Prime Minister did not provide any details regarding the means to which he was referring, but according to reports in the press,[3] the tool referred to is cellular location tracking with the goal of identifying and verifying the movements of Corona patients and those they come into contact with – rather than monitoring their compliance with self-isolation duties. However, according to the same reports, these tools have already been used to verify epidemiological investigations. Was the Prime Minister hinting that even more invasive technologies than cellular location could be introduced, such as those used in China[4] (or even in Iran[5]), and for additional purposes: not only locating those who came into contact with Corona patients and might have been infected, but also – despite the statements made by law enforcement and security authorities – to enforce the isolation instructions?

Metadata – data that do not include the content of the communications[6] - can reveal extensive information about any person’s actions and conduct.[7] Although it seems at the present that the “digital means” to which the Prime Minister referred relate solely to location data, these means entail considerable violations of the right to privacy and create a potential chilling effect on freedom of movement as well as individual autonomy.[8]

The Communications Data Law authorizes the Israel Police to acquire communications data, including location data for end-use devices, for the purposes of law enforcement and saving lives.[9] The Israel Security Agency Law empowers the ISA to receive various categories of data, including communications data, from the licensed telecommunication provider for the purposes of performing its functions.[10] The Israeli legislator did not envisage the use of location data as an ancillary tool in an epidemiological investigation – and possibly, in the future, as a supporting tool for enforcing isolation.[11]

It is unclear at this point whether the use by the police of location data in the context of verifying epidemiological investigations is based on a broad interpretation of the goal of “saving lives” included in the permitted goals for securing communications data in the Communications Data Law, or on the purpose of discovering and preventing offenses or discovering offenders (insofar as the conduct of carriers of the Coronavirus in the public domain constitute an “act of negligence liable to disseminate a disease with mortal danger.”)[12] The use of communications data through the police would appear to be subject to a judicial order, since urgent permits not requiring a judicial order are limited to 24 hours.[13]

However, the rhetoric of the use of “digital means for the war on terror” helps to frame the Corona crisis in a security context (the securitization of health),[14] thereby preparing the ground for the charging of the ISA with this task. Even if special emergency regulations are not enacted for this purpose, communications data may be used in accordance with the ISA Law, which enables the government to add functions to the ISA’s functions as stipulated in the law.[15] This enables the circumvention of the procedural and substantive safeguards in the Communications Data Law, including judicial review, which does not apply to the use of communications data for security purposes; it also permits action under the legal veil of secrecy behtnid which the ISA operates, particularly regarding the scope of information collected in order to identify potential carriers, its use, processing, dissemination and retention.[16]

Of the three alternatives, it would seem that it is proper to confine ourselves to the first – acquisition of Coronavirus carriers' (and potentially infected persons) location data for the purpose of saving life. From a psychological standpoint, this alternative emphasizes the value of protecting human life in the context of confronting the Coronavirus, and does not diminish the dignity of carriers by criminalizing or securitizing the disease. From a procedural standpoint, acquiring communications data pursuant to the Communications Data Law provides for a minimal level of ex ante judicial review of the process.

Unlike within the context of criminal investigations or counterterrorism activities, the secrecy entailed by epidemiological investigations is intended to protect the personal privacy of the carriers and those with whom they came into contact, and not to conceal the mere fact of their investigation. Accordingly, it is both possible and desirable to remove much of the cloak of secrecy surrounding the “digital means” to which the Prime Minister referred. Even if these means in themselves must remain confidential (in order to maintain special intelligence collection capabilities), the rules that apply to the online monitoring for the purposes of thwarting and containing the spread of the Coronavirus must be made known, and carriers (and potential carriers) subject to monitoring must be informed of this.

At the time of writing, the emergency regulations under which the ISA will be granted emergency powers to locate carriers and those in their surroundings have not yet been approved and published. According to reports, it seems that these regulations will restrict the ISA to use these powers solely for the purpose of the struggle against the Coronavirus and for a period of 30 days.[17]

However, even according to an interpretative approach permitting the monitoring of carriers of the disease for the purpose of saving lives, privacy protection safeguards should be in place. Restrictions should be placed on the permitted period of time of collection; its retention period; and ensuring that the information is properly secured, its dissemination limited, it is used solely for the purpose for which it was acquired (identifying carriers), and any publication thereof is made while maintaining the privacy of carriers as much as possible.[18] These rules cannot be based solely on ex ante judicial review (which in any case is absent in the emerging format based on the ISA’s authorities). An external oversight body is also required to examine their implementation post factum,[19] as well as on an ongoing and daily basis. The absence of such a body is evident in Israel even in normal times.[20]

Authorizing the ISA to assist in locating potential Coronavirus carriers raises again the issue of the absence of specific external and independent oversight body reviewing the agency’s activities (and those of the intelligence community in general). There is a need for an active and effective oversight body, with powers, that can declare certain surveillance means to be unlawful, suspend their activation, or prevent them in advance,[21] and that can also grant personal relief to those whose rights were violated through such actions.[22] European law also regards such powers as the yardstick for the effectiveness of oversight.[23]

The UK’s Independent Reviewer of Terrorism Legislation chose the title “A Question of Trust” for his report on the investigatory powers under British law, and with good reason.[24] It is impossible to completely eradicate the concerns that the rise of the Orwellian spy state in its Chinese incarnation may raise. However, these concerns can be moderated through maximum transparency, full and effective supervision, and the adoption of rules securing a due balance between current needs and the protection of human rights.

 

 

[*] Originally posted on March 16, 2020 in Hebrew, prior to the enactment of the Emergency Regulations for ISA and Police location tracking of Coronavirus carriers. A subsequent account of the regulations can be found at Amir Cahane, "The Israeli Emergency Regulations for Location Trancking of Coronavirus Carriers" Lawfare (21.3.2020) https://www.lawfareblog.com/israeli-emergency-regulations-location-track...

 

[1] “Netanyahu: We will use digital means to locate where sick people have been,” https://www.calcalist.co.il/local/articles/0,7340,L-3801070,00.html (14 March 2020), Ynet [in Hebrew]

[2] Roni Linder, “People are shocked when they find out that they have Corona, in some cases people hide information,” TheMarker (8 March 2020), https://www.themarker.com/allnews/.premium-1.8637388?lts=1584220242283 [in Hebrew]

[3] Netael Bendel, Noa Landau and Josh Breiner, “Attorney General approves Cuber Tech to Track Coronavirus Patients,” Haaretz (15 March 2020), https://www.haaretz.com/israel-news/.premium-israel-to-use-cyber-tech-to-track-coronavirus-patients-1.8675008; Netael Bendel, Noa Landau, and Jonathan Liss, “Government supports location of telephones of Corona patients; Subcommittee of Foreign Affairs and Defense Committee will decide,” Haaretz (15 March 2020), https://www.haaretz.co.il/news/1.8677291 [in Hebrew].          

[4] Alexandra Ma, "How the coronavirus outbreak could help fuel China's dystopian surveillance system" Business Insider (2.2.2020), available at https://www.businessinsider.com/coronavirus-china-surveillance-police-state-xinjiang-2020-2; Lily Kuo, "'The new normal': China's excessive coronavirus public monitoring could be here to stay" The Guardian (9.3.2020) available at https://www.theguardian.com/world/2020/mar/09/the-new-normal-chinas-excessive-coronavirus-public-monitoring-could-be-here-to-stay; Eamon Barrett, "The coronavirus is giving China cover to expand its surveillance. What happens when the virus is gone?" Fortune (2.3.2020), available at https://fortune.com/2020/03/01/coronavirus-china-surveillance-tracking/.           

[5] The Iranian case is different. In Iran, an application monitoring Corona symptoms was disseminated with the encouragement of the Ministry of Health, but proved in fact to be as monitoring application, possibly for broader purposes than thwarting and containing the epidemic. See: Researcher: Iran’s coronavirus ‘detection’ app could have spied on users" The Week (10.3.2020) available at https://www.theweek.in/news/world/2020/03/10/irans-coronavirus-detection-app-could-have-spied-on-users-researcher.html ; David Gilbert, "Iran Launched an App That Claimed to Diagnose Coronavirus. Instead, It Collected Location Data on Millions of People." Vice (14.3.2020) available at https://www.vice.com/en_us/article/epgkmz/iran-launched-an-app-that-claimed-to-diagnose-coronavirus-instead-it-collected-location-data-on-millions-of-people.

[6] The definition of “communications data” in the Communications Data Law is narrower, defining the term as data of identification, location, and traffic. According to the ISA Law, “information” means any information that is not content data, including communications data.     

[7] For example, a report issued in March 2015 by the Intelligence and Security Committee (ISP) of the UK parliament noted that the Government Communications Headquarters (GCHQ) believes that in the context of bulk collection, data ancillary to the content data (i.e. metadata) are significantly more valuable than the content data themselves. Intelligence and Security Committee of Parliament, Privacy And Security: A Modern And Transparent Legal Framework (12.3.2015); European Commission For Democracy Through Law, Report On The Democratic Oversight Of Signals Intelligence Agencies , Para. 48 (15.12.2015) (hereinafter: “the Venice SIGINT Report”); Parliamentary Joint Committee on Intelligence and Security, Review of the mandatory data retention regime, submission 29 by the Law Council of Australia, Para. 71 (18.7.2019); Daragh Murray & Pete Fussey, Bulk Surveillance in the Digital Age: Rethinking the Human Rights Law Approach to Bulk Monitoring of Communications Data, 52 Israel Law Review 31–60 53-55 (2019).

[8] An example in the context of CCTV cameras on the street is the concern expressed by Judge Hermlin in Parking Case 72118789, State of Israel v David Mizrahi (7.10.2018). See also: Deborah Hurley, Taking the Long Way Home: The Human Right of Privacy, in Privacy in the Modern Age: The Search for Solutions (Marc Rotenberg, Julia Horwitz, and Jeramie Scott, Eds., 2015). More recently, Bagaric, Loberg & Hunter proposed a model for electronic surveillance (using automated means to monitor a wide range of behaviors based on a dedicated network of sensors, rather than online monitoring means) as an alternative to imprisonment, emphasizing the potential for the panopticonic deterrence of criminals. See: Mirk Bagaric, Dan Hunter and Colin Loberg, Introducing Disruptive Technology to Criminal Sanctions: Punishment by Computer Monitoring to Enhance Sentencing Fairness and Efficiency 85 Brook. L. Rev 39-403 (forthcoming, 2019; 26.3.2019 Draft).

[9] Criminal Procedure Law (Enforcement powers – Communication Data), 5768-2007, SH No. 2122 p.72 (Isr.) (Hereinafter: "Communication Data Law"). See also "Systematic Government Access to Private-Sector Data in Israel: Balancing Security Needs with Democratic Accountability" in Bulk Collection: Systematic Government Access to Private-Sector Data 91-110  100-103 (Fred H. Cate and James Dempsey, eds., 2017)

[10] Section 11 of the Israel Security Agency Law, 5762-2002, SH. No. 1832, 179 (hereinafter: “the ISA Law”). For an annotated translation of the Section's provisions, see Tene, ibid, at 103-106.

[11] Under the UK Investigatory Powers Act acquisition of communications data is authorized for the purposes of protecting public health; see Investigatory Powers Act 2016, Art. 61(7)(e), c.25 (Eng.) (hereinafter: “the Investigatory Powers Act (IPA”). However, the identity of the authorities empowered under the act to obtain the data (such as the Healthcare Products Regulatory Agency or the Counter Fraud Services of the various health services in the kingdom see. Schedule 4 of the act), it is clear that the British legislator was not cognizant of the possibility that location data could be used to confront an outbreak of an infectious disease.

[12] Section 218 of the Penal Code, 5737-1977, SH No. 5737, 226 (hereinafter: “the Penal Code”).

[13] Section 4 of the Communications Data Law.

[14] Jeremy R. Youde, "Biosurveillance as National Policy: The United States’ National Strategy for Biosurveillance" The Politics of Surveillance and Response to Disease Outbreaks 137-155 146-148 (Sara E. Davis and Jeremy R, Youde, eds., 2015.

[15] Section 7(B)(b) of the ISA Law. The addition of these functions is subject to the approval of the Knesset Committee for ISA Affairs (the Intelligence and Secret Services Subcommittee of the Knesset Foreign Affairs and Security Committee).

[16] All these will be established in rules (section 11(B), (D), and (E) of the ISA Law) whose publication is prohibited (section 19(A) of the ISA Law).

[17] According to Bendel, Landau, and Liss (note 3 above), “the decision will be valid solely for the struggle against Corona and for 30 days, after which all the information will be completely erased. The ISA will not make any other use of the information, and it will be forwarded directly to the Ministry of Health, which will send the notifications to telephones. The violation of the guidelines will be considered a criminal offense.”

[18] See, for example, Jelena Gligorijevic, "Coronavirus, Media Reportage and Patient Privacy" Inforrm's Blog (7.3.2020) available at https://inforrm.org/2020/03/07/coronavirus-media-reportage-and-patient-privacy-jelena-gligorijevic/ .

[19] Hans Born and Gabriel Geisler Mesevage, Introducing Intelligence Oversight in Overseeing Intelligence Services: A Toolkit 3-24 20 (Hans Born and Aidan Wills, eds.,2012); Sarah Eskens, Ot van Daalen and Nico van Eijk, Ten standards for oversight and transparency of national intelligence services IViR (Institute for Information Law, 2015); Monica den Boer, Conducting Oversight in Overseeing Intelligence Services: A Toolkit 69-88, 79 (Hans Born and Aidan Wills, eds.,2012); A/HRC/14/46, HRC report on Compilation of good practices on legal and institutional frameworks for intelligence services and their oversight para. 13, 32, 35 (2010). See also the recommendations of the Venice SIGINT Report, note 7 above, paras. 118, 120.

[20] Amir Cahane and Yuval Shany, “Partly undercover: Judicial Review of Online Surveillance in Israel” Parliament 83 (6.2.2019) [in Hebrew]: https://www.idi.org.il/parliaments/25693/25702

[21] Council of Europe Commissioner for Human Rights, Democratic and effective oversight of national security services 11-13 (2015); EU Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU, vol. II 14 (2017) (hereinafter: “FRA 2017b”); HRC 2010, note 19 above, paras. 32,35; Eskens, van Daalen & Van Eijk, note 19 above, 38.

[22] Hans Born and Ian Leigh, Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies 109r (2005); Craig Forcese, Handling Complaints about Intelligence Services in Overseeing Intelligence Services: A Toolkit 181-200 195 (Hans Born and Aidan Wills, eds.,2012; HRC 2010, ibid., para. 18; FRA 2017b, 14; Venice SIGINT Report, note 7, para. 26.

[23] See for example, Weber and Saravia v. Germany, No.54934/00 Eur. Ct. H.R. (2006), para 80,167; Klass & Others v. Germany, No. 5029/71, Eur. Ct. H.R. (1978), para 21,53,56.

[24] David Anderson, A Question of Trust: Report of the Investigatory Powers Review , Chapter 13 (2015).