The Devil is in the Details
Israel has inadvertently created a national surveillance agency, with access to a staggering array of personal data on every citizen. Thanks to data-sharing between government agencies, the Central Bureau of Statistics, better known for publishing economic and population updates, has a vast database of personally identifiable data – much to the dismay of data-protection experts. Why does it need it, what is it doing to safeguard Israelis and is it even legal? A Shomrim investigation.
Illustrations by: Moran Barak
June 10, 2020
If you were to ask the average Israeli which agency holds the most, and the most detailed, data on citizens of this country, chances are that they would name the Shin Bet, Israel’s vaunted domestic security agency, or the police. The National Insurance Institute might also get a mention. But the correct answer, rather surprisingly, comes from a very different and far less glamorous organization. What most Israelis don’t realize is that the Central Bureau of Statistics knows almost everything there is to know about them.
Founded in 1949, a few months after the establishment of the State of Israel, the CBS is tasked with carrying out research and publishing statistical data on all aspects of Israeli life, including population, society, the economy, industry, education, and national infrastructure. It operates under the direct auspices of the Prime Minister’s Office.
Most Israelis know, more or less, what the CBS does: It has the legal authority to conduct wide-ranging surveys that may obligate participants to share personal details. Few people, however, are aware that the CBS also obtains information from various other bodies in Israel.
This may already sound problematic to champions of data protection, but it’s only the tip of the iceberg. Unbeknownst to many, the CBS also insists that the data it obtains from other agencies can be linked directly to the name and ID number of the person submitting it.
This relatively anonymous body, which is better known for issuing daily press releases and annual population reports, actually has in its system more information about citizens than any other agency. It knows our date of birth and when our loved ones passed away; it knows our religion, the names of our spouses and ex-spouses; it knows how many children we have and which schools they attend; it knows what car we own and how many miles we drive a year; it even knows how big our home is and whether it has an en suite bathroom.
But that’s not all. The CBS also gets data from the tax authorities, the National Insurance Institute and local authorities. It knows how much you earn and whether it’s been a good year for business; which healthcare provider you’ve signed up to, why you were given a tax break and how many times you received unemployment benefit.
One CBS official even told us that they had looked into ways of obtaining data on the sexual orientation of every Israeli, but dropped the idea of adding the question to its mandatory surveys when it was pointed out that such a question could put some participants, in certain sectors of Israeli society, in danger.
The bottom line is that, without anyone really noticing, the CBS has become a de facto surveillance company, gathering extensive data about almost every aspect of our personal lives.
For decades, the CBS has been requesting – and receiving, without question – fully identifiable data from various government authorities. For most of this time, the CBS was only able to make partial use of the information, due to the manner in which it was stored. This ranged anywhere from old-fashioned ring binders to unwieldy computer tapes in the early 1980s. The digital age has brought with it an increasing capacity to transfer vast quantities of data at the click of a button, and to cross-reference it with data stored elsewhere.
This has opened up a whole host of potential problems. It could be possible, for example, to build a remarkably complete profile of a specific person. An unscrupulous official could use the data to conduct unauthorized prying into someone’s affairs, perhaps in order to extort or shame them. There is also the possibility of data being misused by a government body that has obtained it legally from the CBS. Especially worrying is the risk of data leaking to – or being hacked by – criminals or hostile entities. If past experience teaches us anything, it is that the CBS does not have a glowing track record of thwarting these risks.
Without doubt, the CBS is an important organization. The valuable research it conducts informs the government and the Knesset’s decision-making processes and is widely used in the private sector, too. The big, unanswered question, however, is how the CBS justifies collecting personally identifiable information that is, by all accounts, irrelevant to the preparation of statistical reports. One expert we asked suggested that it’s to improve and verify information. For example, he said, checking whether a claimant is entitled to a tax break in accordance with his or her disability status, as determined by the National Insurance Institute.
If this is indeed the case, it proves that there is a serious breach of data privacy at the CBS, since it clearly has the capacity to cross-reference a specific individual's data using the countless databases in its possession. The CBS itself, however, did not provide any clear explanation for this practice. Two requests for comment yielded only this laconic, obtuse and elusive statement: "A statistical system that deals with administrative data and statistical registers is based on the ability to aggregate the administrative data obtained from various sources of information."
Over the past few months, however, the CBS has been forced to confront contemporary notions of the right to privacy. Without coordinating, two local authorities recently objected to a request to transfer personally identifiable information on their residents to the CBS, arguing that there is no statistical need for such data.
In March, the CBS sent a concise letter to local authorities and municipalities, demanding that they hand over residents’ municipal property tax data. Moreover, the letters asked that the municipalities specify which of their residents were granted a discount for municipal property tax, which assets were eligible for the discount and why. These tax breaks are often granted due to personal circumstances, such as disability, low income or being a single parent. This is undoubtedly sensitive information, which most of us would object to sharing. The CBS specifically stated in its letter that the data must include personal names, ID numbers and identifiable features of the assets in question.
Usually, such requests are answered with blind obedience by local authorities. This time, however, two of them – without prior coordination – refused to hand over the information. In its response to the request, Gan Raveh Regional Council accused the CBS of "violating its own role" by attempting to collect data "that is not of statistical significance." Moreover, the council argued, the CBS had failed to provide "any explanation as to the legal authority of such a request, any justification for the request or any supporting legal opinion from the relevant body." In this case, the relevant body would be the Justice Ministry’s Privacy Protection Authority.
The council also questioned whether the Privacy Protection Authority had even been made aware of the request, let alone whether it concluded that handing over personally identifiable data was not a violation of residents’ privacy rights.
The CBS issued a swift response, claiming it is legally entitled to such statistical information. Again, however, it failed to explain why it requires information that personally identifies residents and links them to specific assets. The bureau’s legal department, which was offended by the implication that it was overstepping its authority, replied that, "the person legally authorized to use discretion in determining what kind of data the CBS needs to conduct its statistical analyses is the Government Statistician. That is not the job of whichever body was asked to provide the data." In other words: Leave the statistics to us.
The letter, signed by attorney Sharon Nagari, goes on to claim that, "the Government Statistician’s authority to demand data from other state institutions legally overrides any conflicts arising from other laws." She also rejected the idea that the CBS requires the approval of the Privacy Protection Authority. The letter ended on a note of clerical disdain: "The wording of the letter you sent us is impertinent and disrespectful toward a government authority."
The CBS and the two local authorities continue to exchange correspondence over this request for identifiable data. One can safely assume that most local authorities who received the same demand did not challenge it and simply handed over the information without question.
The less the better
According to Prof. Michael Birnhack, a privacy expert and law professor at Tel Aviv University, the legal basis for the entire operation of the Central Bureau of Statistics is the Statistics Ordinance, which was passed by the British during the final year of the Mandate in pre-state Israel. Although it has been amended several times by the Knesset, most recently in 2010, it is still subject to interpretation according to Israel’s basic laws, which act as the country’s de facto constitution.
"The Statistics Ordinance must be interpreted according to the Basic Law that explicitly protects one’s right to privacy," Birnhack explains. "According to this law, the right to privacy can only be infringed when the purpose is clear and infringement is not excessive. Moreover, the Privacy Protection Law explicitly details the procedures by which public bodies can exchange data: both must have authorization. While the CBS has the authority to request information, it’s essential that the body being asked to transfer data is legally authorized to do so."
Birnhack believes that the best course of action is to limit transfer of personal information that may include sensitive information as much as possible. "The de-identification and anonymization of data should be carried out by the body transferring the information – in this case, the local authorities. After all, the data is already in their possession. Moreover, extra safeguards must be put in place, since any IT expert worth his salt could easily cross-reference public databanks to identify a particular individual."
Some argue that the average citizen need not be concerned that the CBS possesses such huge quantities of data, since it is used to provide information that is vital to the country’s decision-makers. Birnhack agrees – up to a point.
"Statistics serve a valuable purpose," he says. "Decision-makers and researchers alike need this data. Having said that, the amount of personal data transferred from body to body must be kept at a minimum. Any time data is transferred, it will necessarily be viewed by at least one person and will be stored on at least one more computer. When information flows, it can leak – sometimes the result of negligence, sometimes maliciously. I’m not casting aspersions on anyone at the CBS, but there have been cases in the past when data was leaked from government agencies. The best way to protect private data is to reduce its transmission from database to database."
Birnhack concedes that CBS’s motivation for demanding identifiable data is its desire for greater cross-referencing. This, he says, is "very worrying."
"Even if every government agency possesses the necessary information to fulfill its function individually, there would still be one agency which stores all of this information in one place," he says. "That database becomes a hyper-sensitive repository, ripe for hacking or for misuse. Someone could say to themselves: We already have all this information. Why not use it?"
Birnhack's analysis is supported by another official who is personally familiar with the work of the CBS, who says that the problem arises from the very low quality of information that the various ministries transfer to the CBS, which then requires constant refinement. Even menial tasks, such as deleting the deceased from the Population Registry, are marred by countless mistakes. According to the official, who asked to remain anonymous, the CBS cross-references data in order to update its own information. For example, if the address of an individual appears in the Population Registry in Tel Aviv but they pay municipal tax in Eilat, the CBS amends the registry accordingly.
The sheer quantity of personal data involved – and the ability to cross-reference it – raises serious questions about data security and, more importantly, whether the CBS is up to the task. Among the many scholarly articles on the subject of de-identifying data is a particularly scathing one, published in Tel Aviv University’s Journal of Law, Society and Culture, by two Israeli experts – Prof. Tal Zarsky of the University of Haifa and Dr. Sharon Bar-Ziv of Sapir College.
"Despite having broad know-how and a wealth of accumulated experience," they write, "the CBS’s handling of de-identifying data has also seen failures. For example, researchers at Tel Aviv University were able to use publicly available information published by the CBS to identify individuals. This was especially easy when it came to locating groups with very few members. There may well be a disparity between the CBS's professional rhetoric and the way it functions in practice."
The study referred to in the article was conducted some eight years ago, as part of a data-security workshop at Tel Aviv University’s School of Computer Science. The students who conducted the study used data from the 2011 national census, conducted by the CBS, which subsequently uploaded the ostensibly anonymized data to its website.
Using a simple algorithm developed by the students, researchers reproduced the answers of 1,005 out of the 7,064 respondents. Moreover, they located one respondent and asked her to verify that they had verbatim records of the answers she had given the CBS during the census. Remember: Participating in the census is a legal obligation and the CBS guarantees that the personal data will be kept confidential and citizens’ privacy protected.
‘A pillar of our data infrastructure’
Shomrim contacted the Central Bureau of Statistics for its response to the concerns raised in this article. Addressing general concerns, the bureau responded that it "obtains data from government ministries in accordance with the legal authority granted to it. This data is requested and stored only when necessary – and information that is not required for the CBS’s work is neither requested nor stored. The CBS’s legally defined role is to provide official statistics. To perform this role in a satisfactory manner, it must collect data from different authorities. The use of the data already collected by various state bodies also saves public funds and resources."
"A statistical system that relies on administrative data and statistical registers must be able to unequivocally aggregate the data obtained from various sources. For this reason, Israel’s legislature has granted the CBS authorization to do so. It is impossible to construct a vertical or horizontal statistical database for any entity – be it an individual, a household, or a business – without the ability to cross-reference databases."
In response to the more specific case of its request for personally identifiable data from local councils and its handling of objections, the CBS said that, "among our many roles, we gather statistics and publish data on demographics, economics and society, which includes data on real estate. For this purpose and in accordance with section 15 of the Statistics Ordinance, the CBS has received personally identifiable municipal tax information from local authorities for decades. This data is necessary to update the Dwelling and Building Register, which contains details of every structure in the country. This registry represents a pillar of the state's information infrastructure, and is used, among other things, for calculating the Consumer Price Index, family size, the size of the workforce, population, housing demand and prices. It is extensively used for analytical purposes by decision-makers in Israel, including ministries, local authorities and more."
The CBS insisted that councils have no legal reason not to agree to the demand for data, since the Statistics Ordinance – that pre-state law passed by the British – obligates them to do so. "Likewise," the statement continued, "the CBS is entitled to collect personally identifiable information from various sources, including tax authorities, and does so when necessary. On this note, it is important to point out that this information is collected for the purpose of statistical operations, and is not published in a manner which makes the information identifiable. The data is kept strictly confidential, in accordance with the strict regulations issued by the Statistics Ordinance, and in line with rigorous standards of data security, the breach of which is a criminal offense."
The Privacy Protection Authority, which, like the CBS, operates under the auspices of the Prime Minister’s Office, was asked about the demand for data from local councils. It claimed that the councils were sent legal opinions on the matter by the Justice Ministry over two years ago. These opinions "asserted that the CBS does indeed have the professional authorization to determine what information it needs in order to perform its role and gather statistics. Needless to say, the CBS complies with the standards of proportionality set out in the Basic Law on Human Dignity and Liberty."