Recent searches into the email accounts of passengers arriving in Israel raises the question of how far the state can go in its airport security checks. It is one thing to search files located on a person’s computer , but quite another to go through a person’s cyberspace history.
By Jonathan Klinger
News that the Israel Security Agency (Shin Bet) searches the email accounts of those who travel to Israel (first reported on by Mondoweiss) is quite disturbing. According to the report, several activists who crossed the border in to Israel were requested to open up their computers, connect to the internet and log in to their electronic mail account (stored on remote servers), type their passwords and let a security official perform some searches in their account.
Indeed, Israel is probably not the only country that requests people to open up their computers upon entry. Currently, the United States is discussing the authority and the need, as well as the question of whether you can be coerced into providing your password. This caused the Electronic Frontier Foundation to issue a complete handbook to those who cross the border with electronic devices. However, even in the most extreme case, the searches reported were not as severe as these.
In order to understand the differences, I want to give the state of Israel the benefit of the doubt. I want to assume that the Aviation Act (Security in Civil Flights) grants the state the authority to search a person’s body and property when he travels to Israel, and that the Supreme Court ruling in the Avraham Ben-Haim ruling – which prohibited the police from performing consensual searches without probable cause (RCA 10141/09 אברהם Ben-Haim v. Staet) – does not apply here (even though it most probably does).
Meaning, for the purpose of this article, and solely for it, I grant the state massive constitutional leeway, and still, my conclusion is that such a search cannot be legal for mere technicalities.
I want to distinguish, in theory, between two types of searches. The first is a search inside the computer. In this case, the person who crosses the border allows the state to look inside his computer, in the files stored on the hard drive, in the same way his suitcase is searched. Here, we can assume that he has no expectation for privacy over his possessions. He is familiar with the intrusiveness of airports, and that for the sake for security, and customs, every bag could be inspected. Therefore, There is no real difference between computer searches and suitcase searches.
The experienced passenger travels when his computer and cellphone are wiped clean. In such case, nothing is stored, and therefore even if his computer is searched, it is clean, and there is no invasion of his privacy.
The other case, which is the problematic case occurring here, is an active search. In this case, when crossing the border, the state requests not to search his property or body, but to see what is stored far away, in the cloud and outside his control. A person’s email account, which is not stored on his computer, does not exist in his computer and does not pass the border with him. Here, more than anything, the traveler has a reasonable expectation for privacy; in the same way he had when he left other possessions at home.
The question of authority arises. While the authority to inspect a person’s property is understandable, this case is more like the state approaching a person travelling to Israel and requesting his consent to go to his house and open up his safe.
Now, the second question, regarding forensics, arises. As we know, there is a detailed praxis on how to deal with computer evidence: first we copy everything, and only afterwards we search (for example, OR 1153/02 State v. Abergil). The reason is simple: the search itself “touches” the files, alters them, creates signatures and messes up the chain of evidence. Therefore, even searching email accounts should be made in the same way: first copy all the inbox, then sort it out.
All of this does not occur here: the chain of evidence is dubious when the user is logged in to the computer. In another case, such a “hot search” nearly led to the acquittal of a pedophile, only because the police did not first copy, but searched on the person’s computer (CC 6961-09-08 State v. Gurevitz).
Meaning, the Shin Bet’s search of passenger computers is problematic regarding the essence of the search itself, as it does not warrant a search of a person’s entire property, whether material or virtual. When a policeman stops a person in the street, he cannot force him to go to an ATM and ask for his PIN number to see his recent activities. In the same manner, this search seems to be lacking authority.
Jonathan J. Klinger is an Israeli cyberlaw attorney and is a legal advisor for +972 Magazine. This post was originally published in Hebrew.