If the reports are correct about the Israel Police's use of the NSO Group's Pegasus spyware to surveil Israeli citizens, including protesters and mayors, and in general to "fish" for potential suspects, it is the biggest scandal since it was revealed that authoritarian states across the world acquired the spyware and have used it for similar purposes.
It turns out that the restraint needed to refrain from abusing such technology is in short supply these days - and this is as true in democracies as it is in authoritarian states. The technology is out there. The real issue the NSO-Israel Police affair poses, therefore, is primarily one of oversight. The bigger underlying questions it poses are: who knows about its uses, who approves it and how.
In their response to Tomer Ganon's investigative report in Calcalist, the Israel Police said that everything had been approved by the attorney general. The relevant department in the attorney general's office authorizes, guides and sets the limits for various state agencies to use privacy-infringing technologies (smart security cameras in cities, hospitals and public-transportation lanes, the "hawk eye" license plate recognition system and so on and so forth).
These internal guidelines are provided in the absence of any explicit statutory authorization to use such technologies by state entities. There is some rationale to this, since technology changes and advances rapidly, the Israeli Privacy Protection Law is outdated and in any case the law enforcement and security agencies are exempt from its provisions. However, this does not excuse the fact that there is no other form of real oversight or legal restrictions on tech that gives the government access to citizens' biggest secrets.
Naivete & hubris
Israel’s relevant legal framework, which includes the Wiretapping Law, the Communications Data Law, and the criminal procedure ordinance (which covers digital search warrants), simply cannot be expected to cover all potential use cases and scenarios. The collection of data from open sources (OSINT, or open-source intelligence) or hacking for the purpose of data collection (as with Pegasus) all fall beyond its scope.
As a result, the existing ad hoc legal framework is open to different creative interpretations. For example, though it’s a good thing that the police do not decide on such uses themselves, but rather turn to an outside entity – the attorney general – it is clear the current system is failing. The golem has turned on its creators. The breadth and depth of the guidelines issued by the attorney general have turned them into a de facto constitutional court.
Moreover, in recent years there has been a protracted struggle for freedom of information due to the attorney general’s stubborn refusal to make these guidelines public. As a result, the department ends up approving the use of surveillance technologies that are not explicitly authorized by statutory law, and all with neither transparency nor public oversight. The Calcalist report demonstrates that the idea that staff in the attorney general's office can rein in, all by themselves, the police’s attempt to make excessive use of surveillance technologies is both naïve and full of hubris.
Naive because, as we know, even if a statutory spyware warrant system for such activities were in place, the judges would approve an overwhelming majority of police warrant applications. It is also overly confident because the courts cannot provide us with a broad view on questions regarding the uses of the different applications, what is ultimately done with the information they collect and where it then goes.
Last week the Supreme Court ruled on the admissibility of a warrantless search of the cellphone of Jonatan Urich, an advisor to Benjamin Netanyahu. The decision, which now allows the police to present information acquired by an unlawful cellphone search as admissible evidence in a criminal trial, creates an additional incentive for the police to continue its sniffing and probing.
The upshot of all this is that the need for comprehensive oversight of digital data collection by law enforcement is now clearly acute. An independent agency – an oversight commission of online surveillance powers – must be established, with two purposes.
First, such a body will have access to data and to data systems, in order to review what the authorities are collecting and to guarantee that they do not collect, store, examine or analyze anything prohibited to them. Second, the commission shall serve as an additional barrier, a “double lock”, when it comes to how such requests for court orders for data collection can even be made. For example, the police will need to get authorization from the commission before it can apply to the courts for such surveillance orders.
An oversight commission of this sort will be fully informed on the big-picture issues of privacy and could thus be charged with holding the authorization powers over all online surveillance warrant applications. It will also have ombudsman functions, serving as the body to which state employees and citizens who fear that abuse of surveillance powers is taking place can go to complain. The U.K. and the Netherlands already have such bodies. Such an oversight body will be manned with experts of varied backgrounds – law, intelligence and technology – and headed by a person with the legal competence of a senior judge.
For now, without such a mechanism in place, it is clear: The current system of gatekeepers has failed to stop or rein in the state's thirst for data. This current scandal involving the police and NSO should serve as a dramatic wake-up call for citizens and lawmakers alike: Data is like uranium. It has great power and value, but it is also radioactive and extremely dangerous when it falls into the wrong hands.
Tehilla Shwartz Altshuler is the head of the Israel Democracy Institute's media reform and democracy in the information age programs, and holds a doctorate in law from the Hebrew University of Jerusalem.
Amir Cahane is a researcher at the Israel Democracy Institute and the author of ‘Oversight of Online Surveillance in Israel’.