Israel
Home to the world’s most prolific commercial surveillance industry, a bulk metadata collection system covering every phone user in the country, and an intelligence-sharing agreement with the NSA that explicitly includes raw data on American citizens
Overview
Israel’s privacy landscape is defined by a fundamental structural contradiction. The Protection of Privacy Law (1981), recently strengthened by Amendment 13 (effective August 14, 2025) with administrative fines up to 5% of annual turnover, provides a civilian data protection framework that earned the country an EU adequacy decision. Simultaneously, the General Security Service Law (2002) authorizes the Shin Bet to collect bulk telecommunications metadata on every person who uses a phone in Israel through a system known as “The Tool” (HaMachshir), with no public judicial oversight. Amendment 13 explicitly exempts defense and security agencies from the Privacy Protection Authority’s oversight, routing their accountability to internal inspectors instead.[1]
Israel is the home country of the global commercial surveillance industry. NSO Group (Pegasus), Paragon Solutions (Graphite), Cellebrite, Cognyte, Candiru, and Toka — vendors whose products appear across more than a dozen pages of this directory — are all Israeli companies whose exports are classified as weapons and regulated by the Ministry of Defense. The surveillance tools documented on the Spain page (Catalangate), the Italy page (Paragon targeting journalists), the India page (300+ Pegasus targets), the Brazil page (Cognyte/ABIN scandal), and the Thailand page (35+ pro-democracy activists) all originate from Israeli companies operating under Israeli export licenses.[2]
Israel’s Unit 8200 — the IDF’s signals intelligence unit and one of the largest military units in the country — provides roughly 80% of all intelligence collected for Israeli agencies. The NSA shares raw, unminimized signals intelligence with Israel’s SIGINT National Unit (ISNU) under a March 2009 MOU that explicitly acknowledges US person data will be included. Israel is not a Five Eyes member but maintains closer SIGINT cooperation with the NSA than many formal allies.[3]
Data Protection Authority: PPA
The Privacy Protection Authority (PPA) operates within the Ministry of Justice as Israel’s data protection regulator. The PPA head also serves as the Registrar of Databases, maintaining a public registry of databases containing personal data. Gilad Semama was appointed head in November 2022, ending a three-year vacancy in the position.[4]
Enforcement Record
Prior to Amendment 13, the PPA’s enforcement powers were limited. Maximum penalties under Amendment 13 (effective August 14, 2025): 5% of annual turnover for larger organizations, with per-data-subject fines (e.g., NIS 8 per data subject in a database of 1,000,000 = NIS 8 million / ~$2.2M). Exemplary damages of up to NIS 10,000 are available per database-related violation, and statutory damages of up to NIS 100,000 per person without proof of harm. The limitation period for civil privacy claims was extended to 7 years.[1][36]
| Date | Entity | Fine | Details |
|---|---|---|---|
| Mar 2025 | EY Israel | NIS 15,000 | Scanning visitor ID cards without providing required privacy notices[5] |
| Mar 2025 | PwC Israel | NIS 15,000 | Same violation as EY Israel; both fined under pre-Amendment 13 powers[5] |
The NIS 15,000 (~$4,000) fines against two of the world’s largest professional services firms illustrate the PPA’s pre-Amendment 13 enforcement limitations. The transition to percentage-of-turnover penalties in August 2025 represents a substantial escalation in regulatory capacity, though defense and security agencies remain exempt from PPA oversight.[1]
Key Legislation
Protection of Privacy Law, 5741-1981
Israel’s primary data protection statute, enacted in 1981 and amended 13 times. The law regulates collection, storage, use, and transfer of personal data and establishes a database registration requirement. The Amendment 13 reform, approved by the Knesset on August 5, 2024 and effective August 14, 2025, introduced: administrative fines up to 5% of annual turnover, mandatory appointment of Privacy Protection Officers, a defined category of “information of special sensitivity” (ISS) covering family life, sexual orientation, health/genetic data, origin, criminal record, political views, and biometric identifiers, and robust data security requirements including encryption, access control, and regular audits.[1]
Basic Law: Human Dignity and Liberty, 5752-1992
Section 7(a) provides constitutional-level protection: “All persons have the right to privacy and to intimacy.” As a Basic Law, this has quasi-constitutional status in Israel’s legal framework, though the Supreme Court’s ability to enforce it against security legislation has been contested during the judicial overhaul crisis.[6]
Privacy Protection Regulations (Data Security), 5777-2017
Entered into force May 2018. Imposes detailed security requirements across four database classifications (individual-owned, basic, medium, high-level). Mandates encryption at rest and in transit, access controls, regular security audits, vulnerability assessments, and data breach notification to the PPA for severe breaches. Requires appointment of a Data Security Officer for public agencies, financial institutions, and companies maintaining five or more databases.[7]
Secret Monitoring Law (Wiretap Law), 5739-1979
Prohibits secret monitoring of conversations without lawful authority. Requires a warrant from the president of a district court for wiretapping (up to 3 months, renewable). Amended in 1995 following police abuse findings by the State Comptroller; expanded to cover mobile phones, computer communications, and email. Exemptions exist for state security, military censorship, and IDF/police communications systems.[8]
General Security Service Law (ISA Law), 2002
The enabling legislation for the Shin Bet (Israel Security Agency). Section 11 authorizes the Prime Minister to require licensed telecommunications providers to transfer communications metadata to the ISA — the legal basis for “The Tool.” A December 2023 draft amendment proposed expanding these powers to include malware deployment, database acquisition, and remote computer searching without the owner’s knowledge.[9]
Criminal Procedure Law (Enforcement Authority — Telecommunications Data), 2007
Allows investigative authorities to obtain court orders requiring telecoms to provide metadata (location, subscriber, traffic data). In certain circumstances, metadata may be obtained without a court order for a limited 24-hour period.[6]
Surveillance and Intelligence
Intelligence Agencies
Mossad (Institute for Intelligence and Special Operations), established 1951, conducts foreign intelligence, covert action, and counterterrorism. Reports directly to the Prime Minister. Shin Bet (Israel Security Agency / ISA / Shabak) handles domestic security, counterterrorism, and counterintelligence under the ISA Law 2002. Aman (Military Intelligence Directorate) is the central military intelligence body of the IDF, with subordinate units including Unit 8200 (SIGINT), Unit 504 (HUMINT), and Unit 81 (secret technology). The Israel National Cyber Directorate (INCD), formed December 2017, defends civilian cyberspace. Oversight is provided by the Knesset’s Subcommittee for Intelligence and Secret Services, under the Foreign Affairs and Defense Committee.[10]
Unit 8200
Unit 8200 is the IDF’s signals intelligence unit and one of the largest military units in the country, comprising several thousand personnel. The unit provides roughly 80% of all intelligence collected for Israeli agencies. It operates from a large SIGINT base in the Negev desert — one of the world’s largest listening stations — and maintains capabilities including monitoring phone calls, emails, and communications across the Middle East, Europe, Asia, and Africa; tracking ships; covert listening posts in embassies; and tapping undersea cables. The Royal United Services Institute (RUSI) described Unit 8200 as “probably the foremost technical intelligence agency in the world and stands on a par with the NSA in everything except scale.”[3]
“The Tool” (HaMachshir) — Shin Bet Bulk Metadata Collection
Since approximately 2002, the Shin Bet has operated a bulk metadata collection system known as “The Tool” (HaMachshir). Under Section 11 of the ISA Law, the Prime Minister authorizes licensed telecommunications providers to transfer metadata to the Shin Bet. The system covers every person who uses telecom services in Israel. Data collected includes device location, cell/antenna zone, voice call records, text message records, and internet browsing metadata; the system collects metadata, not content. No public judicial oversight or court orders are required for data collection.[11]
In March 2020, the government authorized repurposing The Tool for COVID-19 contact tracing via emergency regulations. The Shin Bet received names and details of diagnosed individuals and identified phones within 2-meter proximity for 15+ minutes. On April 26, 2020, the Supreme Court ruled the tracking “severely violates the constitutional right to privacy” but allowed temporary continuation pending legislation. On March 1, 2021, the Supreme Court ended indiscriminate use, limiting it to confirmed carriers who refuse epidemiological questioning. The court cited concerns that surveillance could become permanent and noted that human contact tracers were more effective.[12]
Post-October 7 Surveillance Expansion
On December 6, 2023, the Knesset passed a temporary order authorizing the IDF and Shin Bet to “penetrate computer material” for operating stationary cameras — including deletion, alteration, disruption, or interference with camera data. The law applies to any area including private spaces, with no retroactive notice required to camera owners. On December 11, 2023, the Ministry of Justice published a draft bill to amend the ISA Law proposing: authorization for ISA to employ malware, database acquisition powers (Section 8A), remote computer searching without the owner’s knowledge, and emergency procedures allowing the ISA director to authorize measures when the Prime Minister is unavailable.[9]
In 2025, the Knesset approved a one-year extension of the camera hacking law by a 10-0 vote, removing the condition that it apply only during “significant military activities” — making the power applicable regardless of wartime status.[13]
Oversight
Intelligence oversight rests with the Knesset’s Subcommittee for Intelligence and Secret Services, which meets in closed session. The July 2023 judicial overhaul law curbing the Supreme Court’s “reasonableness” review power (struck down by the Court 8-7 in January 2024) and the November 2024 cabinet decision to limit ministry legal advisers’ terms to 7 years, forcing out seven senior advisers, have weakened the institutional checks that might constrain surveillance expansion. Amendment 13’s explicit exemption of security agencies from PPA oversight formalizes the separation between civilian privacy protection and intelligence operations.[14]
Palantir Technologies Strategic Partnership
On January 12, 2024, Israel’s Defense Ministry and the Israel Defense Forces announced a strategic partnership with Palantir Technologies for AI-powered battlefield management and intelligence fusion. The agreement covers deployment of Palantir’s Gotham, Foundry, GAIA, and AIP platforms for “war-related missions” across IDF operations, announced ten weeks after October 7 and valued at multiple hundreds of millions of dollars.[43]
Because Palantir is a US company subject to the CLOUD Act, all IDF operational data flowing through Palantir platforms is potentially accessible to US law enforcement and intelligence agencies via administrative subpoena, without requiring Israeli government consent or notification. The partnership places Palantir at the centre of Israeli military targeting and logistics operations during an active conflict — raising questions about data sovereignty, civilian protection obligations, and the role of US technology companies in foreign military operations.
Commercial Surveillance Industry
Israel is the origin country for the majority of commercial surveillance tools documented across this directory. All Israeli cyber weapons exports are classified as weapons and require approval from the Defense Export Controls Agency (DECA) within the Ministry of Defense. In December 2024, DECA tightened cyber export end-user declarations, specifying that exports are approved solely for investigation and prevention of terrorism and crime. In November 2025, the Ministry of Defense repealed long-standing encryption export controls on civilian and military encryption technology.[15]
NSO Group (Pegasus)
Founded 2010 by Niv Karmi, Shalev Hulio, and Omri Lavie; first Pegasus version finalized 2011. Pegasus is a zero-click remote smartphone surveillance tool capable of accessing encrypted communications, audio/video, photos, location, camera, and microphone. Used in 40+ countries; confirmed deployments include Mexico, Morocco, Saudi Arabia, UAE, India, Hungary, Spain, Thailand, and Poland. Added to the US Commerce Department Entity List on November 3, 2021 for “malicious cyber activities.” In December 2024, a court found NSO liable for hacking 1,400+ WhatsApp users; a May 2025 jury awarded $167.25 million in punitive damages, later reduced by the judge to ~$4 million as excessive, plus a permanent injunction barring NSO from hacking WhatsApp. In October 2025, a US investor consortium acquired a controlling interest, with former Trump ambassador David Friedman named Executive Chairman in November 2025.[16]
Paragon Solutions (Graphite)
Founded 2019 by former Unit 8200 commander Ehud Schneorson and former Prime Minister Ehud Barak, among others. Graphite spyware accesses instant messaging (WhatsApp, Signal, Facebook Messenger) and stored data without target action. Acquired by US-based AE Industrial Partners in December 2024 for up to $900 million. Citizen Lab identified customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore (March 2025). In Italy, Graphite targeted journalist Francesco Cancellato and activist Luca Casarini. The US DEA has used Graphite since 2022; ICE signed a $2M contract frozen in October 2024 and reinstated August 2025.[17]
Cellebrite
Founded 1999 in Israel. Developed the Universal Forensic Extraction Device (UFED) in 2007 for mobile forensics. Listed on NASDAQ (ticker CLBT) since 2021, with $475.7 million full-year 2025 revenue. Contracts with US ICE ($48.6M), CBP, FBI, Australian agencies (AUD $17M), Danish police, Norwegian police, and law enforcement worldwide.[18]
Cognyte (formerly Verint Systems)
Spun off from Verint on February 1, 2021. Registered in Herzliya, Israel. Makes “network intelligence” tools that collect data from 4G/5G towers, telecom metadata, and messaging platforms. Serves 1,000+ clients across 100+ countries. Built Switzerland’s wiretap/surveillance infrastructure (2014). Past deployments to Azerbaijan, Indonesia, South Sudan, Uzbekistan, Kazakhstan. In Brazil, nine state security departments purchased Cognyte tools totaling R$65.7 million, and the ABIN scandal exposed 60,000+ illegal surveillance searches. NSA contracts exceed $20 million.[19]
Other Vendors
Candiru, founded 2014, exploits zero-day vulnerabilities; its “DevilsTongue” spyware (named by Microsoft) infected 100+ targets including politicians, journalists, academics, and embassy workers. Added to the US Entity List alongside NSO Group in November 2021.[20] QuaDream specialized in iOS exploits using its REIGN framework; identified clients included Bulgaria, Czech Republic, Hungary, Singapore, and UAE. QuaDream shut down in April 2023 following Citizen Lab/Microsoft exposure and Israel blocking a Morocco deal.[41] Toka, founded 2018 by former PM Ehud Barak and former IDF cyber chief Yaron Rosen, sells technology to hack security cameras, watch live feeds, and alter past recordings. Toka raised $37.5 million from investors including a16z and works solely with state clients.[42]
Occupation Surveillance Systems
In May 2023, Amnesty International published Automated Apartheid, documenting Israeli facial recognition and surveillance systems deployed in the occupied West Bank and East Jerusalem. Building on earlier reporting by the Washington Post (November 2021), the report documented four interconnected systems:[21][34]
- Blue Wolf: Smartphone app for IDF soldiers that captures Palestinian faces and matches against a database, flashing different colors to signal detain, arrest, or release. Data collection was gamified: commanders provided prizes to battalions registering the highest number of Palestinians.
- Wolf Pack: The underlying database containing residence, family members, wanted status, and all available information on Palestinians from the occupied territories. Blue Wolf pulls data from Wolf Pack.
- Red Wolf: Experimental facial recognition system at military checkpoints in Hebron that automates movement restrictions on Palestinians. Scans faces and assigns color-coded status (green/yellow/red) determining passage. Surveillance cameras mounted every 300 feet in Hebron.
- White Wolf: System used by Jewish settlers to scan Palestinian ID cards and check against Israeli military, intelligence, and settlement security databases.
AnyVision (rebranded as Oosto) provided the “Google Ayosh” facial recognition system deployed at 27 checkpoints controlling Palestinian access from the West Bank to East Jerusalem and Israel. Microsoft’s M12 venture fund invested then divested in 2020 over West Bank surveillance concerns. In January 2025, Oosto was acquired by Metropolis Technologies for $125 million — having raised $352–380 million total.[22]
Pegasus has been deployed against Palestinian civil society. In November 2021, six Palestinian human rights organizations were confirmed targeted: Addameer, Al Haq, Defense for Children International-Palestine, Union of Agricultural Work Committees, Bisan Center, and Union of Palestinian Women’s Committees. Findings were independently verified by Citizen Lab and Amnesty International’s Security Lab.[23]
AI-Assisted Targeting
In April 2024, +972 Magazine and Local Call revealed two AI targeting systems used by the IDF. Lavender is an AI database that identified 37,000 suspected militants; targets were approved in approximately 20 seconds with minimal human review. Gospel (Habsora) reviews surveillance data to recommend building, equipment, and person targets for bombing. A companion system, “Where’s Daddy,” tracks Lavender-flagged individuals and marks them for bombing when they return home to their families.[24]
Microsoft Azure Cloud was used by Unit 8200 for a surveillance system collecting millions of civilian phone calls from Gaza and the West Bank; Microsoft later terminated Unit 8200’s access to certain Azure services. Amazon Web Services reportedly supplied the Military Intelligence Directorate with a dedicated server farm for Gaza surveillance data.[25]
National Biometric Database
The Biometric Database Law (2009) mandates collection of fingerprints and facial contours from all Israeli residents, integrated onto digital identity cards and passports and stored in a government biometric database. After an extended voluntary pilot phase, the Knesset passed legislation in 2017 transitioning to mandatory full-scale operation. Fingerprints of children under 16 are exempted from database storage. Police access is prohibited pending Knesset regulations; the head of the National Cyber Bureau is required to evaluate the necessity of fingerprint sampling every 18 months.[26]
The program has been dogged by security and civil liberties concerns. The Population and Immigration Authority created a secret parallel biometric database alongside the official one, then sought to legalize it with fewer protections. The National Biometric Database Authority was found to have potentially illegally stored data in a private company’s data center. Prominent scientists and security experts have warned of the risks of centralizing biometric data for Israel’s entire population.[26]
Internet Infrastructure and Cable Surveillance
Internet Exchange Points
The Israel Internet Exchange (IIX), operated by the Israel Internet Association (ISOC-IL) since 1997, is a Layer-3 switching platform located in the Med-1 data center — one of Israel’s largest underground hosting facilities. The IIX uses a one-to-many peering model to ensure intra-Israel traffic stays domestic.[27]
Submarine Cable Infrastructure
Israel connects to international networks through multiple submarine cable systems. MedNautilus (Telecom Italia Sparkle) connects through the Central and Eastern Mediterranean at 3.84 Tb/s across 6 fiber pairs, handling most of Israel’s non-Bezeq web traffic. Tamares-North (Tamares Telecom) links Israel to Cyprus. The Bezeq International Optical System carries additional capacity. EMOS-1 (deployed November 1990) was the first Israeli-built undersea cable, connecting to Turkey, Greece, and Italy.[28]
Google’s Blue/Raman cable system creates a new Europe-Asia route bypassing Egypt. The Blue segment connects Italy, France, Greece, and Israel (landing off the Tel Aviv coast); the Raman segment continues from the Israel-Jordan border near Eilat to Jordan, Saudi Arabia, Djibouti, Oman, and India, with 16 fiber pairs each.[29]
Intelligence Nexus
Unit 8200’s documented capabilities include tapping undersea cables and monitoring communications across the Middle East and beyond from its Negev desert facility. Israel’s position as a landing point for the Blue/Raman system — which routes Europe-Asia traffic through Israeli territory rather than through the traditional Suez Canal corridor — creates a new chokepoint for signals intelligence collection on traffic between two continents.[3]
Data Retention
Israel does not maintain a statutory mandatory data retention period for commercial ISPs and telecoms comparable to the EU’s former directive. The Protection of Privacy Law mandates annual review of database information to ensure necessity; information should not be retained once its processing purpose ceases.[6]
However, Shin Bet’s “The Tool” effectively operates as a state-run retention system: Section 11 of the ISA Law requires licensed telecommunications providers to transfer all non-content communications metadata to the Shin Bet on an ongoing basis. This creates a parallel data retention architecture that operates entirely outside the civilian privacy framework, covering every telecom user in the country with no statutory retention limit tied to a specific period or purpose.[11]
The Criminal Procedure Law (2007) allows law enforcement to obtain telecom metadata via court order, with a 24-hour emergency exception permitting access without a court order in certain circumstances.[6]
International Data Sharing Agreements
NSA-ISNU SIGINT Memorandum of Understanding
The March 2009 MOU between the NSA and Israel’s SIGINT National Unit (ISNU) authorizes the NSA to share raw, unminimized signals intelligence with Israel. The intelligence is not filtered by NSA analysts to remove US persons’ communications before sharing. The MOU explicitly states it is “not intended to create any legally enforceable rights.” Data shared includes “unevaluated and unminimized transcripts, gists, facsimiles, telex, voice, and Digital Network Intelligence metadata and content.” The NSA “regularly reviews a sample of files transferred to ISNU to validate the absence of US persons’ identities” — a spot-check with no enforcement mechanism. Published by The Guardian on September 11, 2013 from documents provided by Edward Snowden.[30]
US-Israel Mutual Legal Assistance Treaty
The US-Israel MLAT on Mutual Legal Assistance in Criminal Matters was signed at Tel Aviv on January 26, 1998, ratified by the Senate on October 21, 1998, and entered into force on May 25, 1999. It provides for mutual assistance in criminal investigations including taking testimony, executing searches, transferring persons in custody, and locating persons.[31]
EU Adequacy Decision
Israel received an EU adequacy decision in January 2011 under the Data Protection Directive (95/46/EC), based on Opinion 6/2009 of the Article 29 Working Party. On January 15, 2024, the European Commission reaffirmed Israel’s adequacy under GDPR Article 45 review. However, civil society organizations including EDRi and Access Now sent open letters in April 2024 and June 2025 urging reassessment, citing: AI-driven targeting systems (Lavender/Gospel), broad security agency exemptions in Amendment 13, restrictions on PPA independence, territorial scope issues regarding the occupied territories, and mass surveillance. European Parliament questions E-001254/2024 and E-000176/2025 raised concerns about data use in Gaza. As of February 2026, the Commission has not responded.[32]
Other Intelligence Cooperation
Israel participates in the Counter-Terrorism Group (CTG), sharing information with 17 European countries and the USA through the “Kilowatt” encrypted telegram system. Israel maintains a classified defense framework with at least six Arab states for information sharing, joint exercises, and operational coordination. In January 2026, the US and Israel launched a Strategic Partnership on Artificial Intelligence, Research, and Critical Technologies. Israel is formally a “Third Party Partner” of the Five Eyes — not a member, but with closer SIGINT cooperation than many formal allies.[33]
The Privacy Backdoor Effect
Israel’s privacy framework creates a particularly stark version of the contradiction seen throughout this directory:
- Amendment 13 strengthens civilian privacy protections while explicitly exempting the very agencies that conduct mass surveillance
- EU adequacy enables free flow of European personal data into a jurisdiction where the Shin Bet collects bulk metadata on all telecom users
- NSA-ISNU MOU shares raw intelligence on American citizens with an entity that faces no legally enforceable restrictions on its use
- DECA export controls license commercial surveillance tools to governments that use them against journalists, activists, and political opponents
- Unit 8200 alumni founded multiple commercial surveillance companies (Paragon’s co-founder was a Unit 8200 commander), creating a pipeline from military intelligence to the private surveillance market
Recent Developments
Amendment 13 Takes Effect (August 2025)
The most significant amendment to the Protection of Privacy Law since its 1981 enactment entered force on August 14, 2025, introducing 5% turnover fines, mandatory Privacy Protection Officers, and “information of special sensitivity” protections — while exempting defense and security agencies from PPA oversight.[1]
NSO Group Ownership Change and WhatsApp Verdict (2025)
A US investor consortium acquired controlling interest in NSO Group (October 2025); former Trump ambassador David Friedman named Executive Chairman (November 2025). WhatsApp verdict: $167.25M jury award reduced by judge to ~$4 million; permanent injunction bars NSO from hacking WhatsApp.[16]
Camera Hacking Law Extended (2025)
The Knesset extended IDF/Shin Bet authority to penetrate civilian camera systems, removing the condition limiting it to “significant military activities” — making the power applicable regardless of wartime status.[13]
DECA Export Control Changes (2024–2025)
December 2024: tightened cyber export end-user declarations. November 2025: repealed encryption export controls on civilian and military encryption technology.[15]
Paragon Graphite Deployments Identified (2025)
Citizen Lab identified Paragon customers in six countries (March 2025). Italy confirmed targeting of journalists and activists. US ICE reinstated Paragon contract (August 2025).[17]
EU Adequacy Under Pressure (2024–2025)
Civil society open letters (April 2024, June 2025) and European Parliament questions urging reassessment of Israel’s adequacy status. Commission has not responded.[32]
Judicial Overhaul and Oversight Erosion
Supreme Court struck down the “reasonableness” law 8-7 (January 2024). Cabinet forced out seven senior ministry legal advisers (November 2024). Independent oversight of intelligence operations weakened.[14]
