08 February 2022

When Your Own Spyware Hits Home

Israel’s Domestic NSO Scandal

A newspaper report from January 18, 2022, revealed that the Israeli police has been using spyware to spy on its own citizens. This affair illustrates how existing Israeli privacy law is inadequate for dealing with the types of privacy violations enabled by new technologies. But the ease with which these technologies are used also tells a lot about the militarization of Israeli society.

Spying on Civilians

On January 18, 2022, Calcalist, a leading Israeli newspaper, dropped a bomb. Israeli police, reported Tomer Ganon, has been using the spyware “Pegasus” created by the notorious Israeli Offensive Cyber company NSO to spy on Israeli citizens, including on political activists involved in the “Black Flag” and Balfour demonstrations that took place against former Prime Minister Netanyahu last year.

NSO made it to the headlines in November 2021, when the U.S. Department of Commerce added it to its blacklist of companies prohibited from receiving American technology, after it was exposed that its sophisticated cellphone hacking spyware was used by autocratic regimes against human rights activists, journalists, and political opponents on numerous occasions. Reports argued that the decision was a blow not only to the company itself, but also to the state of Israel, which, it was claimed, bartered the sale of NSO spyware as part of its newly formed diplomatic relationships with Gulf states. While there were voices within Israel that criticized Israel for its involvement and lack of supervision of NSO, the affair remained a side note. For most Israelis, whatever human rights abuses the spyware enabled, the danger was far from home, far from their heart.

However, the recent publications suggest that this was not the case. The news reports initially revealed that the Israeli police hacked the phones of political activists, of politicians in local authorities and their family members, as well as of other citizens in a wide array of circumstances. As the days passed, the extent of the hacking scheme unfolded. On February 2, 2022, it was reported that NSO software was installed on the phone of Shlomo Pilber, a state witness in former PM Netanyahu’s criminal trial. On February 7, 2022, a newspaper wrote that the spyware was used to hack the phones of numerous chiefs of governmental ministries, including the former chief of the Ministry of Finance, the former chief of the Ministry of Justice, and the former chief of the Ministry of Transportation. The spyware was also installed on the phone of the head of a trade union and a renowned businessman.

According to the reports, the information retrieved was transferred to various government agencies, including the police, the tax authorities, and the Israeli securities authority. The police allegedly used Pegasus spyware for building “profiles” of the people who were defined as targets based on the information retrieved, which include anything from phone conversations to social media interactions and browsing histories. In short, all cellphone content. The news reports argue that in one case the spyware was even used to garner information on a target’s allegedly concealed sexual orientation, which according to a note in his profile file could be used “as a leverage” in investigations. The exact scope and details of the use of the spyware are still unfolding.

Ambiguous Answers

The state’s response is similarly unclear. Initially, the police stated that the report was “untrue”, that it acted “according to the authority granted to it by law and when necessary according to court orders and within the rules and regulations set by the responsible bodies”, and that its “activity in this sector” was under the supervision of the Attorney General. The Attorney General, on the other hand, published a rather reserved response: while he stated that it appears that the police “acted within its powers”, he also declared that he has ordered the police to examine the possibility of “disabling” some of the features and abilities of the technologies used by the police, and that “there is room to examine” the procedures for using surveillance measures, including the documentation of the process, so that it would be possible to track what exactly was done in each case. In response to a reporter’s question, the courts’ authority stated that no warrants regarding the use of NSO were asked for. While the police claims that it acted “by law”, the reports suggest that at least in some instances NSO technology must have been used prior to the grant of any court order. After almost two weeks of denying any wrongdoing, the police admitted on February 1, 2022 that there may have been “misuses” of the spyware. The statement is brief and undetailed, and additional facts are likely to surface.

A Dubious Legal Framework and Uninformed Judges

As more details are revealed, one conclusion that can already be drawn is that existing Israeli privacy law is inadequate for dealing with the types of privacy violations enabled by new technologies. The laws governing surveillance in Israel include the Secret Monitoring Act, 5739-1979, which was enacted in 1979 and amended in 1995. It defines monitoring as “listening to the conversation of another person by means of an instrument”. The Criminal Procedure Act (Powers of Enforcement – Communications Data), 5768-2007 allows investigative authorities to receive communications data in some situations and the Computers Law, 5755-1995 regulates various aspects of entering into computers. None of these laws recognizes, addresses, or is designed to regulate surveillance of the type and extent Pegasus and similar modern spyware allow.

If the information published in Calcalist is accurate, it seems that at least in some instances, the use of the spyware and the collection of information was conducted without warrants at all. However, it appears that even if warrants were requested at some point, they were requested late in the process and on the basis of information retrieved through the spyware, presented to the courts as based on “intelligence” – a vague term that does not specify how exactly that information was obtained. Concerningly, it seems that warrants were granted without judges knowing or understanding the scope of abilities of the software used on the basis of those warrants. This raises serious questions about the professional competence of the judiciary in dealing with new technologies. The outdated surveillance legislation in Israel is ambiguous, but even under a very creative interpretation, it is difficult to argue that the warrants currently issued encompass the type of surveillance that Pegasus and similar spy software enable. If the judges who issued the warrants were not aware of how exactly these warrants are used and perhaps did not inquire about them, adequate training of judges on the topic is needed. The Attorney General’s instruction to examine the possibility of “disabling” some of the software’s features suggests that there is indeed a gap between what warrants allow, and how the spyware is used.

The Price of Militarization for Democracy

While part of the problem is the lack of sufficient guarantees of privacy and outdated surveillance regulation, this is hardly the whole story. The journalistic report describes systematic procedures, which involve numerous individuals at several stages. This is not just a bunch of scattered individual cases. The fact that none of those involved waved a red flag over a practice of spying on civilians raises questions about the culture and values underlying Israel’s law enforcement authorities.

As critics have rightly pointed out, most Israelis were not startled when reports on the use of NSO software against Palestinians in the Occupied Territories surfaced. This can be attributed either to indifference to violations of the privacy of Palestinians or to the belief that matters of national security may justify such violations. However, to the extent that such indifference was also accompanied by a belief that the use of such measures will be confined to matters of national security, the recent revelations have refuted this assumption. As the use of tracking technology for contact tracing during the COVID-19 pandemic has demonstrated, when technological measures are available to the state, the temptation to use them exists and the situation will eventually arise in which their use appears justified.

The ease with which these technologies are used is due in part to the militarization of Israeli society. Israel’s high-tech industry is closely linked to its defense industry, which, as the NSO scandal demonstrates, plays a role in Israeli diplomacy and foreign relations. Military experience accords candidates an advantage in politics and is perceived as valuable managerial experience in both the public and private sectors. Law enforcement is no different: from intelligence officers recruited to the police as investigators, through the former Chief of Police, who spent most of his career in the General Security Service, to the retiring Attorney General, who was a former Military Advocate General, the law enforcement authorities in Israel are staffed by former military and GSS personnel.

Each of these individuals has the adequate credentials to perform their role. However, from an organizational culture perspective, there is reason to be concerned about whether a civilian ethos based on the rule of law can develop under the close-knit relationship between the military and civilians. Signet, the police cyber division, appears to be an extreme example: according to the reports, it operated as a separate unit within the police and was staffed by former intelligence officers who formed a closed clique. After having delivered “results” (a term that the reports don’t specify) the division grew larger and more dominant within the police.

Conclusion

While the NSO affair may be an exceptional case, it should be treated as a cautionary example of the price of the current civil-military relationship in Israel. Democracy requires a law enforcement system that operates under the rule of law, does not perceive the cause as justifying all means, and respects human rights. As long as the organizational culture perceives rights as a nuisance and the law as a recommendation, fixing concrete legislation in various areas – in this case, privacy law – may provide temporary relief, but not a cure.

