Before the cabinet circumvented the Knesset Monday night to approve emergency measures allowing the Shin Bet security service to track the location of coronavirus patients, Haaretz has learned that legal advisors to the Knesset’s Foreign Affairs and Defense Committee submitted a long list of comments and questions about the proposal. The government ignored these concerns and approved the law over the objections of the subcommittee for secret services.
Among other concerns, the advisors asked for clarification on how data would be collected and stored, what technological means would be employed, whether the data will be used for enforcement purposes, when data would be erased, and urged different regulations for data collection regarding confirmed coronavirus patients and those who had been in contact with them.
The advisors stressed that public health is not part of the Shin Bet’s responsibilities and the introduction for the new regulation should more clearly explain the justification for such an unusual move.
The regulation uses the term “technological information,” without further specification or explaining how it differs from other forms of information. The advisors suggested that the regulation define the term and establish exactly what information the Health Ministry will give the Shin Bet and vice versa.
The legal advisors voiced concern that the proposal did not make clear exactly when the Shin Bet could start tracking a person’s location data, arguing that there should be a defined period during which a person’s data could be tracked. The advisors recommended “a period of 14 days before the symptoms of the disease appeared or from the day when the suspicion first arose that led to the patient being tested for the virus, whichever is relevant.” Regarding the question of who is suspected of being a corona carrier, the advisors suggested “a patient who was sent to be tested for the virus but has not yet received the results.”
They also thought the definition of “people who have been in contact” with suspected carriers was too vague. For instance, they asked, how close to the patient did you have to be to be considered “in contact”? Is there any difference between a closed venue and an open one? And how long did this contact have to last to be relevant?
- In Dead of Night, Israel Approves Harsher Coronavirus Tracking Methods Than Gov't Stated
- The Coronavirus Fight in Israel Is Threatening Individual Rights
- To Stop the Coronavirus, Shin Bet Can Now Track Cellphones Without Court Order
Moreover, the legal advisors said, the wording of the regulation seems to indicate that the Shin Bet can receive location data of people who had come in contact with confirmed patients from before that contact occurred, yet there is no reason to note whom these people met before they encountered the patient. The purpose of finding people who had been in contact with patients is solely to notify them and give them instructions.
The advisors therefore proposed that the regulation be divided into two parts. The first part would deal with tracking verified carriers or people who have been sent for testing but had not yet received their results. The second part would deal with people who had contact with the patient, for whom the rules on tracking would be different.
They also advised that the purpose of the Health Ministry’s request to the Shin Bet be explicitly stated, as follows: (a) informing the public and giving instructions for treatment and (b) locating people who had contact with the patients.
Regarding the collection, storage and transfer of information, the legal advisors said the regulation should include detailed, explicit rules rather than deferring to the discretion of the Shin Bet or government ministries. This is especially necessary because the public generally is not informed about internal rules, they said, and in this case, informing the public is crucial.
The regulation failed to specify whether information will be collected only from cell phone geolocation data or by other means as well. They requested clarification on this point.
They also argued that the regulation should authorize a specific Shin Bet official to exchange information with the Health Ministry – for instance, the head of a specific Shin Bet department chosen by the agency’s director for this purpose.
To ensure that the new regulation is proportional, they proposed adding the following sentence: “Information transferred pursuant to this decision will be as limited as possible, in order to preserve the dignity and privacy of the patient or of anyone who came in contact with him.”
It was also advised that the Shin Bet transfer information immediately to the Health Ministry, and erase it immediately thereafter, rather than retaining the information until the authorization expires, as the regulation currently states. The following wording was proposed: “The agency will make use of the technological information and its results only for the stated purpose, will deliver it immediately to the Health Ministry and will erase it immediately after transferring it to the Health Ministry.”
As another means of making the regulation more proportional, it was proposed that Shin Bet tracking only be used as a last resort. For instance, “The request [to the Shin Bet] will be made only after the Health Ministry director general or the head of public health services has examined other possibilities for obtaining the information and been convinced that it can not be obtained in any other way.”
They added that a phrase referring to a “general request” for Shin Bet assistance by the ministry’s director general was unclear.
It was also proposed that the regulation require the people be informed whenever the ministry gives information about them to the Shin Bet, suggesting a clause saying, “The patient will be informed about a request to the agency.”
Further, the advisors wanted it stated explicitly that the ministry, rather than the Shin Bet, would contact the patients. They suggested that when contacting someone who had come in contact with a patient no identifying details about the patient be given. For example, “The Health Ministry’s director general or the head of public health services will inform anyone located under this provision that they were in contact with the patient, without giving identifying information about the patient, and will instruct them on what actions to take.”
They also proposed stating explicitly that the ministry must store the information in a way that protects its privacy. For instance, “The Health Ministry will make use of the technological information and its results only for the purpose stated in this decision and will store the information in a way that will ensure the information’s secrecy and the privacy of the patients or those who came in contact with them.”
Advisors questioned why the regulation requires Health Ministry workers using the data to have security clearance, given that this is not security information, but rather private personal information.
The advisors noted a contradiction between a clause stating that the Shin Bet’s authority to collect location data can not be used for enforcement purposes or to monitor people in quarantine and another clause stating that the Health Ministry will transfer information it receives from the agency to the police for enforcement purposes. They asked the committee to consider whether data gathered by the Shin Bet about Israeli citizens should really be used for law enforcement.
They also proposed a weekly reporting requirement to both the attorney general and the Foreign Affairs and Defense Committee’s subcommittee on the secret services. The report would detail the number of patients whose location data was collected, how many people were identified as having contact with patients and whether the Shin Bet has erased the data.
Finally, the advisors said, if it becomes necessary to keep the regulation in force for longer, the extension should require approval by either the cabinet or a ministerial committee, as well as the subcommittee on the secret services.