It is still too soon to know what the Knesset’s response will be to the disclosures about the Israel Police’s use of information-gathering technologies such as NSO’s Pegasus system.
There is a lot of noise:
Some are calling for changes to the law to clarify when it is permissible to intercept communications and when to extract information from phones and computers.
But another set of proposals relates to mechanisms for oversight of the police. For example, some Knesset members are demanding tougher regulations on admissible evidence, ruling out the possible use of evidence collected by illegal means, which will reduce the police’s incentive to obtain such evidence.
Some are calling for more transparent reporting of surveillance to the Knesset, and some for restrictions on the attorney-general’s powers to allow the use of surveillance technologies.
But what about the public? Public transparency is a cornerstone of all oversight capabilities, as is the possibility of appealing to the Supreme Court when the police use such technologies without a legal basis for doing so.
In fact, the question at stake is even starker: What can civilians do to gain redress from the police, if it emerges that they were under improper surveillance, or that a rogue police officer unduly accessed information about them that was held on police computers? Civilians should have the tools to sue for such infringements on their privacy.
There is a simple comparison to be made: When commercial companies do not properly protect information about their customers, resulting in cyber-breaches (as in the cases of the Shirbit insurance company and the Atraf dating website), then the Privacy Protection Authority and the National Cyber Directorate are called on to act. But some say, rightly, that customers should be able to launch class-action suits against such companies or to sue them individually, in response to breaches of privacy for which they are responsible. Such private enforcement would be more effective than a thousand regulations, as the fear of being sued for millions will drive companies to act more cautiously and invest in better data protection.
When it comes to policing, the current situation is one in which even if a police officer accesses police information systems without clearance, and is subsequently disciplined for the offense, the police are still not obligated to notify the person whose information was exposed by the officer in question. This is unacceptable. Similarly, there is absolutely no chance that the Black Flag protesters or the mayors’ family members whose phones were accessed using the Pegasus system will be notified individually about this infringement on their privacy.
TWO URGENT legal amendments are required for such a mechanism of private enforcement to be established.
The first relates to the sweeping exemption from responsibility granted to the police under the Privacy Protection Law. This exemption should be revoked and replaced with a more restrictive arrangement.
The second amendment involves adopting a rule requiring the police to notify those under surveillance about the information collected about them. That is, such notification should be given when the surveillance is concluded, or as soon afterward as is possible, without jeopardizing the investigation or risking human life.
Legislation to this effect exists in Germany, requiring that after surveillance against an individual intelligence target is completed, the individual in question is notified that surveillance took place. Similarly, in Britain, if the investigatory powers commissioner discovers that during authorized surveillance activities a grievous error occurred resulting in severe harm to a particular individual, then that individual must be notified by the commissioner.
There may not always be financial compensation involved, and certainly such compensation would not be paid by an individual in the law enforcement system, but publicizing the event – and, certainly, suing individual officers in cases in which it is clear that the law was broken, and it is clear who broke it – would constitute a better oversight mechanism than those available to the Knesset.
It should be emphasized that this does not imply creating a situation in which every police surveillance activity becomes a potential lawsuit, but, rather, ensuring that it will be possible for citizens to sue in the case of any illegal police surveillance.
In 1957, Menahem Begin (then a member of Knesset) complained that secret service agents who had searched his apartment had left behind dust on his bed. Begin was trying to score points against the Shin Bet (Israel Security Agency), which at that time was deployed for political purposes.
Certainly, to find dust on one’s bed, or to receive a message from the police that the contents of one’s phone have been extracted as part of a criminal investigation, is an unpleasant experience. However, instituting the right to be informed and revoking the sweeping exemption from responsibility currently enjoyed by the police would be the best possible start toward ensuring that we do not see a repeat of the NSO affair or of similar examples.
Dr. Tehilla Shwartz Altshuler is a senior fellow and director of the Democracy in the Information Age program at the Israel Democracy Institute.
Adv. Amir Cahane is a researcher at the Israel Democracy Institute and author of the study “Oversight of Online Surveillance in Israel.”