Imagine a situation in which you submitted a freedom of information request to the government, one to which you expected an answer. But instead of an informative response, you discovered that those who are meant to protect us from terrorists, pedophiles and critics of the police are simply negligent.
That’s exactly what happened as part of my attempt to learn more about a mysterious email address used by the state for issuing orders pertaining to cyber and big tech.
The rejection letter sent by the Cyber Bureau of the Justice Ministry, to whom the mysterious address belongs to, revealed that it conducts itself in the field of security and data protection almost in the same way your local gas station deals with the key to the restrooms they manage.
The story began three weeks ago, when I submitted a simple freedom of information request seeking the contents of the electronic mailbox content_review@justice.gov.il for the month of January 2021.
What does this mailbox contain? I wish I knew. That is why I filed an FOIA request.
However, what I do know is that this email is the address the cyber bureau uses for “voluntary enforcement” program. In other words, this is the address it uses to contact Facebook, TikTok, Instagram, Twitter and other social media giants.
Given that this address is specific even by name, one might have expected that all it did was consolidate in a centralized location for takedown requests sent by the bureau to external parties like social media giants.
Inside Israel’s war room combating COVID vaccine fake news
TikTok hires Israeli lobbyist after Israeli-Palestinian violence goes viral
Social media giants deleted 159 anti-vaxxer posts at Israeli cyber unit’s request
Why, therefore, is such a request so crucial? People have the right to know how their government enforces speech. In other words, if the Israeli Ministry of Justice and attorney general had done what they’re authorized to do under law, and file charges against those it has suspected are breaking the law, rather than merely contacting internet service providers, then, the public would have had an open, public database of indictments that would enable us to oversee the state’s work.
But what does the prosecution actually do? That’s what I tried to discover. The refusal I received from them, though, shows that there’s more than meets the eye.
Prime Minister Naftali Bennett gestures as he speaks at the Cyber Week conference at Tel Aviv University. July 2021 AMIR COHEN/ REUTERS
The first reason given for rejecting my request to receive a copy of this mailbox’s content was truly wonderful: This address is used for internal consultations.
What does that mean? Instead of the state attorneys using their personal address to send emails to colleagues, they use a pseudonymous address which they can access with a username and password known to the students and attorneys working in the bureau.
Consequently, they can all use it, just the way people who visit the rest stop can ask for the key to the restroom. In fact, it may be even worse than that, because the rest stop at least can ask people to leave their drivers’ license and that only one person can take the key at a time.
What’s even worse is that this email is actually a database. Or at least, it is according to the response I received from the bureau. It contains personal information about the people whose social media content the ministry wants removed from platforms.
Yet despite this, and despite all the privacy protection regulations mandating access controls for databases, including the ability to document who accessed them and when, the bureau has only a single username and password for all its students and attorneys. So all of them can access it, just like all patrons can ask for the bathroom key?
But is that the end of the problem? Quite the contrary.
What else did I discover? The Israeli government conducts negotiations with parties external to the Justice Ministry: that is, Facebook, Twitter, TikTok and Instagram, through this account.
We’re a country with laws. But apparently, some people can obey the law, while others, how should I put this, conduct negotiations regarding the law. These negotiations are conducted with the public address, and not from the employees own addresses apparently.
It’s worth noting that my original request explicitly said that “if there are any details that could harm national security, they can be blacked out, but send the full email, including the blacked-out sections.”
There’s no doubt that security is very important. But if this address contains, as the state claims, “policies in various stages of formulation” and “internal discussions” whose disclosure would truly undermine “various Israeli security interests,” then maybe, just maybe, it would be better if these policies and internal discussions were held outside a mailbox that has access to unspecified amounts of users?
Let’s say that tomorrow, a student finishes his clerkship and leaves the bureau. Do they then change the password, or is it like with bathroom keys, where everyone knows the keys are “hidden” in the main office’s drawer, and even if you leave your former employee, you can still come by periodically and take the key?
What’s even worse is that if everyone can access the account, that means there’s no two-factor identification for accessing the email, which means it is woefully exposed.
In other words, access to a sensitive account whose contents, if leaked, would damage Israeli security interests according to the bureau , isn’t protected by two-factor identification. After all, it’s illogical to think that every time a student wants to access the email, he has to pick up a phone to the head of the department and ask them if they “just got a six-digit code by SMS; could you read it to me?”
But the biggest issue is still the heart of my FOIA request: If the same mailbox from which requests for content removal are sent also contains internal discussions, then how hard would it be to open a separate account for the internal discussions?
And why are these discussions internal? After all, Israel complained to Facebook, Twitter, Instagram, Tiktok and OnlyFans and asked them to remove content. Why shouldn’t we the citizens know why you the state asked that it be removed?
So instead of telling me, “We’re rejecting your request because truthfully, we don’t want to embarrass ourselves and have everyone discover that instead of summoning people for questioning over content we thought was illegal, we went instead to TikTok like kids telling on a classmate and asked them to block his account, because we also have no faith in our own legal system, where TikTok, in contrast, scares us,” you chose to employ the tactic of cowards.
I just hope we don’t discover someday that a piece of paper on which some student wrote down the passwords has fallen from a truck.
English
Arabic
Chinese (Simplified)
Dutch
French
German
Italian
Portuguese
Russian
Spanish