In U.S. Snooping Affair, Israeli Firms at Risk

Controversy over government surveillance that erupted last week over the NSA's PRISM surveillance program may lead to tougher standards for telecommunications gear like that developed, manufactured in Israel.

On Friday, The Guardian and The Washington Post published documents showing that the U.S. government has been systematically collecting data from companies like Google, Facebook, Apple, Microsoft and AOL on people's telephone and Internet usage.

The data, gathered by the U.S. National Security Agency's PRISM surveillance program, came from email accounts, Internet chats, browsing and search histories. The aim was to amass a database through which the NSA could learn whether terror suspects had been in contact with people in the United States.

In contrast to similar cases revealed in the past, the program involved thorough and continuous collection of data, even when no particular person or communications had aroused the authorities' suspicions.

The controversy has just gotten underway, with both Democratic and Republican lawmakers, not to mention civil liberties groups, taking umbrage over the massive snooping operation. For now, the focus has been on the U.S. government itself.

But behind the scenes are a host of Israeli companies that have almost certainly taken part in the program as suppliers of technology. They may yet find themselves in the maelstrom, warns Nimrod Kozlovski, head of Tel Aviv University's program for cyber studies.

"The exposure of PRISM underscores the feeling that communications networks and Internet companies have become the main tool for governments to gather information," he says. "It is critical for the United States at all times to put a wall of separation between the government and commercial enterprises in order to quiet concerns that it has secret relationships with these companies."

The concern is not just that the local government is spying on its citizens but that the manufacturers themselves have the ability to spy from afar.

Telecommunications systems almost always feature components that can be operated remotely so that software can be updated and routine maintenance chores can be conducted.

Demands for regulation

But these same systems can be used to penetrate the user country's communications network as well. With the United States at the center of the world's Internet traffic that problem is magnified.

"In the wake of affairs like this latest one, demands are growing around the world for more regulation of communications equipment and data storage services," he says, in particular for safeguards against snooping and the unauthorized entry onto private databases.

"Tougher standards like these increase the cost of importing and complicate software and hardware development," warns Kozlovski.

Already Australia, Singapore and India have toughened standards for importing communications equipment. China's Huawei has been the focus of those concerns because of its close ties to the Beijing government, but Israeli companies are particularly vulnerable to such suspicions because they have such close ties to the country's security establishment.

"Graduates of the IDF's technology units and those who have worked in other security bodies have created business opportunities for themselves based in no small part on their previous employment," said Udi Shani, a former Defense Ministry director general, at the Herzliya Conference last March.

Most countries have laws regulating government interception of telecom company data, usually making it subject to a proper warrant - or exempting it from such a warrant in exceptional circumstances, such as prevention of a terror attack or sorts of emergencies.

In the United States, the law requires telecom companies to provide data access to federal agencies. From 1997 to 2005 the FBI used the Carnivore program to monitor electronic communications, but it switched to the American-Israeli NarusInsight software in 2005.

In Israel the transfer of data to security services is regulated by a secret appendix to telecom company licenses. While requests to companies for police surveillance and access to data require a court order, the Shin Bet security service operates under an exceptional legal exemption allowing it direct access to network data.

Transferring data through PRISM, which was authorized by legislation passed in the wake of 9/11, allows U.S. authorities to methodically tap into data to prevent terrorism. Warrants issued under this legislation also require the companies to keep the warrants under wraps. Over the past seven years the courts have issued orders to this effect to telecom providers and software application companies that were renewed every three months.

Kozlovski says the problem is twofold. Firstly, the number of government orders the companies have been issued requiring them to disclose information on Internet surfers, to eavesdrop, or for search and seizure warrants for information held by them, is enormous.

"But the main thing is how data is being transferred," he says. "There's a huge difference between looking for specific information based on a particular suspicion and the constant scanning of communications to monitor the activity of a broad population.

"Such scanning is much more vulnerable to misuse and abuse that is not in accordance with a legal warrant," he notes. "Through its filtered issuance of legal warrants, the judiciary strikes a balance between human rights and the need for legal enforcement or preventing terrorism."

Nice business

Many companies have been cited over the last decade for having provided help to non-democratic governments snooping on their citizens. Cisco, the U.S. networking giant, gave China technology that enabled Beijing to monitor its citizens' Internet use. HP and NetApp installed communications-monitoring gear for the Syrian government.

Documents that surfaced on the Wikileaks site in 2011 also pointed to Israeli companies as active in this dubious business, alongside the U.S. companies HP and Netteza. Five companies were named - Ra'anana-based Nice Systems; Israel Aerospace's Elta; Cellbrite of Petah Tikva, Ability of Tel Aviv; and TraceSpan, a U.S. company that operates an Israeli research and development center.

According to the Wikileaks documents, Nice, which is traded on the Tel Aviv Stock Exchange and Nasdaq, has technology that is used to monitor some 1.5 billion people. In a brochure published by the company itself, it describes how its system can analyze conversations, and gather and analyze data from public sites. With these tools it can build an intelligence file from millions of communications.

According to an April 2012 article by James Bamford in the U.S. technology magazine Wired, two other Israeli companies - Verint and Narus - collected information from the U.S. communications network for the NSA.

Verint, which was a unit of Comverse Technology until earlier this year, when it swallowed up its parent, is responsible for tapping the communication lines of the American telephone giant Verizon, according to a former Verizon employee cited in Wired. Neither Verint nor Verizon commented on the matter.

Natus, which was acquired by the American aeronautics company Boeing three years ago, supplied the software and hardware used in AT&T wiretapping rooms, according to whistle-blower Mark Klein, who revealed the information in 2004.

Klein, a former technician at AT&T who filed a suit against the company for spying on its customers, revealed what he called a "secret room" in the company's San Francisco office, where the NSA collected data on American citizens' telephone calls and Internet surfing.

Both Verint and Narus have ties to the Israeli intelligence agency and the Israel Defense Forces intelligence-gathering unit 8200. Hanan Gefen, a former commander of the unit, told Forbes magazine in 2007 that Comverse's technology was directly influenced by the technology of 8200. Ori Cohen, one of the founders of Narus, told Fortune magazine in 2001 that his partners had done technology work for Israeli intelligence.

AP