A letter, and a silence
On May 18, 2026, five civil society organizations — Access Now, Amnesty International, the Electronic Frontier Foundation (EFF), Palestinian digital rights group 7amleh, and Fight for the Future — sent Microsoft a joint letter with a simple ask: publish the findings of the internal review the company promised into how its Azure cloud and AI services were used by the Israeli military. Microsoft, the letter says, "completed" that review but "has neither released its findings as publicly promised" nor clarified which services remain suspended or what safeguards, if any, now apply (Access Now). EFF frames Microsoft's partial disclosure as a floor other cloud providers haven't even reached, pointedly asking why Google and Amazon — both of which hold their own Israeli Ministry of Defense contracts — haven't matched even that much (EFF).
The underlying facts are no longer seriously disputed. A joint investigation by The Guardian, +972 Magazine and Local Call, published August 7, 2025, reported that Unit 8200 — Israel's signals-intelligence corps — had used Azure infrastructure in the Netherlands and Ireland to store roughly 8,000 terabytes of intercepted Palestinian phone calls, under an internal mantra of "a million calls an hour," with sources describing the data as feeding targeting decisions in Gaza. Microsoft's own review, launched within days, examined contracts, billing records and internal correspondence rather than the classified system itself, but found enough to confirm Israeli Ministry of Defense Azure storage consumption in the Netherlands and AI-service use consistent with the reporting. On September 25, 2025, Microsoft President Brad Smith announced the company had suspended and revoked cloud storage and AI-service access for the Ministry of Defense and Unit 8200, stating Microsoft does not provide "technology to facilitate mass surveillance of civilians" (Calcalist/CTech).
The regulator built for exactly this — with an exemption for exactly this
What makes this moment more than a rerun of last year's scandal is that it lands eight months after Israel's most significant privacy law reform in four decades took effect. Amendment 13 to the Protection of Privacy Law, 5741-1981 — passed by the Knesset on August 5, 2024 and in force since August 14, 2025 — brought Israel's regime substantially closer to the EU's GDPR: mandatory data protection officers, a new administrative-fine regime, cease-and-desist and database-suspension orders, criminal investigation powers, and a statute of limitations on civil privacy claims extended from two years to the general seven (WIPO Lex; IAPP). On paper, the Privacy Protection Authority (PPA) is now one of the more muscular data regulators outside the EU.
But Amendment 13 explicitly excludes Israel's security and defense bodies — the IDF, Israel Police, the Israel Security Agency (Shin Bet) and the Mossad — from the PPA's supervisory and investigative powers, substituting internal privacy inspectors appointed within those bodies themselves (Pearl Cohen). That is precisely the category of institution at the center of the Azure story. The regulator Israel just spent a decade rebuilding to police exactly this kind of large-scale, AI-assisted data processing has no jurisdiction over the one instance drawing global scrutiny.
Steelmanning the carve-out
This isn't a drafting oversight, and it isn't unique to Israel. Nearly every mature privacy regime — the EU's GDPR under Article 2(2) and the national-security carve-outs in Treaty on European Union Article 4(2), the US framework separating FISA oversight from FTC consumer-privacy enforcement — draws a similar line. Subjecting classified intelligence and targeting operations to the same disclosure obligations, database registration and DPO-mediated transparency that apply to a retail loyalty program would be unworkable and, in a live conflict, dangerous: operational security has a real claim here, not a manufactured one. Legislators writing Amendment 13 were not trying to shield military surveillance from all accountability; they were recognizing that ordinary civil-regulator tools don't fit military intelligence, full stop.
Why the gap still matters
The problem is what happens when that legitimate carve-out meets a foreign commercial vendor. An internal privacy inspector embedded in Unit 8200 has no visibility into, and no authority over, what Microsoft engineers built, what contractual terms governed the arrangement, or what Microsoft's own human-rights review actually found — because that inspector's mandate stops at the boundary of the security agency, not at the boundary of the data. When the tooling is homegrown, the security exemption is coherent: the agency's own inspector, cleared and internal, is the appropriate check. When the tooling is a publicly traded American cloud provider's commercial product, the exemption leaves nobody with both the access and the mandate to look — except the vendor itself, voluntarily, under public pressure.
That is the structural reason five NGOs are petitioning Redmond rather than Jerusalem: Israeli domestic law was never built to reach this, and wasn't retrofitted to when the opportunity came. Microsoft's September 2025 suspension and its partial disclosure since are real, voluntary steps — more than Google or Amazon have offered on their own Nimbus-adjacent contracts. But voluntary vendor disclosure is a poor substitute for structured oversight, precisely because it can be reversed, narrowed, or simply stop the moment public attention moves on.
The proportionate ask
The demand worth backing is the narrow one: publish the review's scope, methodology and findings, and specify what access restrictions remain in place. That is transparency, not divestment, and it doesn't require Microsoft — or Google or Amazon — to exit allied governments' legitimate cybersecurity and defense-modernization contracts, which remain a normal and valuable line of business. The broader ask in the letter, that Microsoft suspend all business with Israeli military and government bodies, goes further than the evidence currently supports and risks treating an accountability gap as grounds for blanket decoupling. Israel's regulators, for their part, would do well to consider a narrowly scoped oversight mechanism for foreign-vendor contracts held by exempted security bodies — not to reopen classified operations to a civil regulator, but to ensure someone with actual authority is watching the seam Amendment 13 left open.