When Mr. Israeli goes out into the street, who sees him, who photographs him, and where is that information kept? When Ms. Riki Cohen goes to see her medical specialist, what does he know about her? When Ruti from Petah Tikva flies abroad, where is that information kept and which members of the government can see it? When Samir picks up the telephone to call his friend Tamir, who else knows about the conversation?
Wednesday this week was International Data Privacy Day – a 34-year-old global initiative whose purpose is to raise awareness about the data privacy of private individuals, companies and businesses. It is observed in 27 European countries under the name Data Protection Day, and in the United States as Data Privacy Day. Various agencies are trying to put the subject of data privacy and civil rights in that context, together with existing means of protection, on the agenda.
Already a major topic in the world, the issue of data privacy has become even more central in the past year or two, with the reporting of espionage by government agencies such as the National Security Agency, or NSA, in the U.S. or the GCHQ in Britain.
In Israel, the issue of data privacy barely makes a ripple. Except for a few hard-core devotees of the issue, most of them lawyers, it is hard to point to any agency that leads the field or represents private citizens who face threats to their privacy that come from large companies or state institutions.
Why is this? Maybe the security situation has convinced Israelis to trust the government and security agencies blindly, and allow them a great deal of freedom to act. We should note that the protection of privacy is a basic constitutional right in Israel, which is protected by the Basic Law: Human Dignity and Liberty, and so can be compromised only in the main legislative framework and for good reason.
“The topic of data privacy – one of the most talked-about topics in the world – isn’t part of the discourse in Israel,” says attorney Niv Sever of the M. Firon & Company law office in Ramat Gan, who can easily be included on the list of hard-core devotees of the data-privacy issue.
“Almost nobody talks or writes about it. Newspapers don’t go wild about it because businesses make money from information about customers. Google makes money from it, of course, but Supersol also wants to know a lot about you, and so do the credit and insurance companies. TheMarker may be different from that perspective, because it sees itself as protecting those who don’t read it, too,” he says.
The law known as the “Big Brother Law” is one of the biggest threats to privacy in Israel. Formally speaking, the law is an amendment to the General Criminal Procedure Law, which allows law-enforcement authorities – the Israel Police and other investigative agencies – to ask phone and mobile companies for information about their customers. The law went into effect in June 2008, after a prolonged fight.
The law gives the police and the authorities the power to ask the companies for specific information about their customers, such as their home address, bank account details, list of calls and text messages (not the content, but their destinations and the dates on which they were sent), and even location statistics.
The problem with the law is threefold. First, it was stipulated that the police could ask the phone and mobile company for information only with a warrant from a judge, but it left a loophole open: Paragraph 42C of the law states that in a critical case, they may ask the phone company for information about the customer without a warrant or judicial supervision.
The second problem with the law is that it gives the police and the authorities the power to ask for information about offenses that are not severe, in other words misdemeanors rather than felonies. The police, for their part, have stretched the boundaries of the law to the limit. During the first year that the law was in effect – from June 2008 to June 2009 – the police asked the phone and mobile companies for 12,000 information printouts. A year later, the number of requests for information had soared to 17,000, or approximately 50 per day.
The cabinet is due to vote on two proposal that are supposed to better prepare the country for the age of cyber warfare. The two proposals are called “Promoting National Preparation for Protecting Cyberspace” and “Promoting National Regulation and Government Leading in Cyber Protection.” At the basis of the resolutions lies the establishment of a national cyber authority inside the Prime Minister’s Office responsible for the protection of cyberspace. The new authority will absorb most of the powers of the Data Protection Authority of the Shin Bet security service.
Almost everyone agrees that cyber is a new field in modern warfare, and that Israel must be prepared for the new era. But what about individual rights? Quite a few experts on the topic, including Ravia, are raising a red flag and warning that while the authority is vitally important, it needs checks and balances.
More recently – at the end of November – the government adopted Resolution 2258, which deals with “obtaining of personal information from airlines about passengers on inbound or outbound flights or on flights passing through the State of Israel.” The steps were taken as part of the war on Islamic terrorism and particularly on Islamic State, the militant group that has seized much of Syria and Iraq, though the resolution itself states that its purpose is to “strengthen the ability in the field of counterterrorism and the fight against serious crime.”
Under 2258, airlines will have to give API (advanced passenger information) and PNR (passenger name record) data to the government. API data are general basic information that has to do with ticketing, the flight path and the passenger, such as his or her passport number and nationality.
The PNR data, however, is more sensitive. It includes confidential commercial information that the airline has about the customer, including data about frequent-flier membership, the passenger’s credit card, any partners on the flight that he or she may have, information about connecting flights, the travel agency through which the flight was booked, and even the passenger’s hotel and rental-car information.
Today there are 39 countries that collect API data and only nine that collect PNR data, although a proposed government resolution states that three countries have declared that they intended to develop a system to collect PNR data.
Sever, the attorney, claims that this is just another case, like the cyber authority, in which officials have run forward without stopping to think about the implications on individuals.
“The flight database provides the government with an enormous amount of data, including how many times I flew, whom I flew with and the kashrut standard of the food I ordered,” says Sever. “Questions such as who can gain access to the information and under what conditions they request it were not asked. We can also wonder whether this information will be available to the tax authorities. All of this is being done in haste, with no public discourse.”
The threat to privacy isn’t just limited to people flying in and out of Israel – it also reaches people walking down a neighborhood street. At the heart of the largest surveillance project in Israel’s history, known as City without Violence, is the networking of local authorities using security cameras throughout the area. The program, which has been developed by Dr. Orly Innes since 2008, includes 50 networks with about 2,400 security cameras as of October 2012.
A major debate is taking place today about the cameras’ effectiveness in preventing crime. On the project’s website may be found a professional survey of the literature on the subject and a study by the Public Security Ministry’s research department about experience with the topic throughout the world. The study shows that the closed-circuit cameras have a limited effect on reducing violence. “It has been found that the closed-circuit cameras have a significant effect on reducing property crimes and rioting. But as far as violent crime, the reported results were not found to be unequivocal: No reduction was found in most cases that were surveyed,” the report says.
The Movement for Freedom of Information in Israel asked the Public Security Ministry and various municipalities for information about the surveillance cameras in the cities. The statistics are made public here for the first time about Israel’s four largest cities.
Tel Aviv is the most highly networked city with security cameras. There are 160 active cameras there and no decoy cameras. The cameras run 24 hours a day. The Tel Aviv municipality invested a total of 6 million shekels ($1.5 million) in the project. What do they get in exchange? According to statistics that the municipality gave to movement officials, in 2013 its hotline alerted the police six times in all, even as people were being constantly monitored. In 2014 only 15 alerts of crimes were provided to the police by the cameras.
One of the fascinating stories about the data privacy of Israel’s citizens broke with hardly any noise at all. It is called “The Unified Medical Record” and its goal is to ease the bureaucracy in the healthcare system by enabling any caretaker to seek the medical record of any patient without interference of the health maintenance organization, hospital or the patient’s regular physician.
The project got underway in 2012 and a year ago it began to be put into operation. While its goals are laudatory, as in other such undertakings little consideration was given to personal privacy.
Participating in the registry isn’t voluntary; people are put into it automatically and can only be removed if they file an opt-out form at their HMO. In addition, the number of people with the privilege of examining a patient’s record is quite broad, including every physician, medical student and medical specialist. Nurses can see all patient data except for pathologies; paramedical workers have access to partial information in files.
The lack of privacy was so blatant that the Israel Law, Information and Technology Authority at the Justice Ministry raised a red flag, saying the project should be halted at once. The Health Ministry did not respond to questions about the project.
“Why does an eye doctor need to know the sexual preference of a patient, or if the patient had an abortion?” asks Sever. “Today your medical records from the day you are born is available to every nurse. It’s not a big problem to photograph it This is information that drug companies and insurers would love get a hold of.”
Several voluntary organizations in Israel have tried to put the issue of privacy into the public agenda. The best known of these is the Movement for Digital Rights. Since 2009, it has published position papers and sought to alert the public to problems.
In addition, the Israel Bar Association has a committee for the defense of privacy, which has testified at Knesset committee hearings on the matter. Attorney Avner Pinchuk, who is responsible at the Association for Civil Rights in Israel for information and privacy, operates a blog call pratiut.com.
Inside the government, the Justice Ministry’s Law, Information and Technology Authority is the address to go, although its name doesn’t suggest that. It is responsible for ensuring that the 1981 Law for the Protection of Privacy is properly enforced. The law, however, has not been updated to reflect a world of computer networks, smartphones and social networks, a problem that the authority readily admits. An amendment that would have widened the authority’s purview has been stuck in the Knesset Law Committee for two years.
Another Justice Ministry body, the Public Committee for the Protection of Privacy, has not been operating for five years. Since 2010, no justice minister has taken the trouble to appoint committee members.