Details and screenshots of a prototype version of the Pegasus spyware designed for Israeli police back in 2014 reveal the tools and far-reaching capabilities of a system that was slated to be deployed in everyday police work.
The spyware's suite of tools, which were supposed to be presented to the security cabinet headed by then-Prime Minister Benjamin Netanyahu, included various capabilities sought by police – ranging from listening to any phone call on an infected phone, reading text messages, to remotely opening the microphone and the camera without the phone owner's knowledge.
The spyware's presentation to the cabinet was prepared by the newly appointed head of signals intelligence at the time, Police Brig. Gen. Yoav Hassan, a former member of the Israel Defense Forces' elite 8200 cyber intelligence unit.
Under his leadership and with assistance from Mossad agents – including the head of Mossad at the time, Tamir Pardo – the unit developed into a quasi-independent and compartmentalized group. As defined by a senior police official, “Extra-territorial.”
The division was separated from the wider intelligence unit and reported to the head of the investigations department at the time, Police Maj. Gen. Mani Yitzhaki. “This is a police force within the police force, and no one knows what happens there,” said a top official in the organization, “without supervision, without oversight, and with very invasive tools in their hands that need to be under strict regulation. In reality, that didn't happen.”
In response to an investigative story in the Israeli economic daily Calcalist that shook the country at the beginning of the year, an investigative committee led by Deputy Attorney General Amit Merari, which sought to examine police use of attack spyware, particularly Pegasus, published a report on Monday that looked into what transpired there.
In spite of former police commissioner Roni Alsheich's claim that "The Israel Police doesn't have Pegasus, to dispel all doubt," the Merari team discovered that even though there had been no eavesdropping without court orders, spyware had indeed been used, though the police referred to it by a different name: Seifan.
The Merari team concluded that the spyware was operationally deployed as early as 2016, when Alsheich was still the commissioner, using technology that went beyond its legal authority. The phone data collected exceeded what was legally permitted by court orders and the group is still holding the information in the databases of its cyber department.
According to information obtained by Haaretz, the slated cabinet presentation highlighted the potential police applications of the spyware, which included covertly monitoring "protected messages" as well as voice and text chats on advanced cell phones. Police investigators gained access to all of these features after a suspect's phone was "infected."
The police intended to further present the reach of the spyware in a hacked device, which included location, contact list, messages, emails, instant messaging, outgoing and incoming calls, calendar, remote recordings, remote camera use, microphone use and other information.
It remains unknown if these tools, as well as the physical appearance and capabilities of the police-implemented system, were ever ultimately presented to the cabinet ministers. A source familiar with the details claims that the proposal was submitted to senior security officials in 2015 as well.
Screenshots from the initial prototype of the system the police intended to use were included in the presentation and show the NSO logo and the product name Pegasus itself. Additionally, they show some of the distinctive traits that, according to reports from Israel and other countries, are present in the spyware.
The screenshots demonstrate the wide range of tools that the police intended to use as soon as a device was infected. One of the images depicts a WhatsApp correspondence of a certain “John Doe,” with a woman who is identifiable by her name.
The woman was a sales manager at NSO, so the screenshot, in addition to showing the system's capability, also showed the connection to the company. This is not the only instance. There are also details of other talks between said John Doe and five additional NSO employees.
Another capability of Seifan mentioned in the presentation is the interception of incoming and outgoing phone calls. Besides this ability, which seems to be relatively routine in the world of intelligence surveillance, there is another, known in professional parlance as "volume listening," which is considered much more intrusive.
In simple terms, it means real-time wiretapping of a device's surroundings through the remote activation of the device's microphone. This type of wiretapping requires an order from a district court president or their deputy.
While the phone's owner can sometimes assume that their calls are intercepted by the police and behave accordingly, they do not necessarily act this way while not actively using their phone or in a private place.
The list of capabilities the police intended to outline goes beyond wiretapping and includes remote operation of the camera on the "infected" device, an action that is very likely illegal as the law does not explicitly permit the planting of concealed cameras, and certainly does not permit the remote control of a camera by hacking a suspect's mobile device.
The capabilities detailed by the police are not limited only to the abilities of the “infected” device itself. With the spyware, the police can gain full access to all the files stored on the phone, including those that are end-to-end encrypted.
This encryption technology prevents access to a device's content as it passes through cellular antennae or other infrastructure: even if a file is intercepted, it cannot be decoded. However, on a device that has been infected with the spyware, all the files become visible.
Sources familiar with the Pegasus system that is now being used by other groups say that the version described in the presentation that was planned about eight years ago was apparently an earlier version of the current software or a demo version.
Its interface, according to numerous accounts, is very similar to that of Pegasus at the time. Documents in Haaretz's hands attest that throughout the relevant time, the police signals intelligence division and NSO personnel tested the product in conjunction with a number of "operational requirements."
Overall, the product presented then incorporates many features that are reportedly part of the Pegasus system, as well as some that are absent from the versions that have been sold to other governments in recent years. The Defense Ministry's limitations on security exports may be the cause of this.
According to a cyber-technology expert, Israel is the only nation in the world to which oversight does not apply. Or, to put it another way, "On a principle level, NSO is free to sell services and technology to Israel, with no restrictions whatsoever on the technology it can sell it." The prototype described here may be the most permissive and open-ended version that NSO could have provided at the time, and it is the version that the police intended to use on Israeli citizens.
In recent months, especially in the wake of the Calcalist report, the police have been attempting to put distance between Pegasus, the most notoriously controversial software in the world for its use in surveillance of civilians, and the police software.
The police assert that they have "atrophied," that is to say, blocked, some of the software's features. However, not only were they not blocked in the prototype that was to be presented to cabinet ministers and put into operational use a year later – the Merari report concluded that in reality many technical features of the spyware were never blocked for use by the police. Who gave the order? This is still up for debate.
The Israel Police have responded: “Immediately upon being informed of the investigative committee headed by Deputy Attorney General Amit Merari, everything was put at the disposal of the team with complete cooperation and transparency. The report describes the police's activities and the capabilities of the system they used based on independent inspection the team conducted using experts and in relation to the company, rather than the police's explanations. From the report it emerges clearly that contrary to the false reports, the police use of the technological capabilities was solely for the purpose of preventing and solving serious crimes, and subject to court warrants, and that no intentional actions were taken in contravention of the law.
“The grave damage caused by reports of this sort has harmed and is still harming severely the ability of the police to act against grave crimes, prevent violations of the law, thwart them and bring the transgressors to court. To this end and to minimize insofar as possible the damage to these tools, the court has ordered immunity of the methods and the means. The gaps that emerge in the report will be addressed fully by a team the Police Commissioner has ordered to be established, headed by the deputy head of the Investigation and Intelligence Branch for the purpose of implementing the recommendations of the report. Moreover, the team is acting to carry out the required adjustments for the restoration of the use of the technological capabilities for combatting crime and terror, in parallel to the required equipping with additional technological tools for the benefit of the security of Israeli citizens.”