If reports about the police and its alleged illegal and disproportionate use of the NSO Group’s Pegasus spyware are confirmed – something which still needs to be officially determined – this would be yet another case of an embarrassing failure in intelligence oversight.
Ever since the Israel Police-Pegasus news erupted, experts on privacy have been interviewing, expressing their exasperation while questioning the legality of using powerful tools such as Pegasus. Some argue that spyware is illegal no matter what, while others focus on the illegal warrantless use of the software.
The problem is that privacy isn’t the big issue in this story. Moreso, focusing on privacy may even deflect the public discourse away from the real problem: a serious failure of oversight, resulting in intelligence agents doing as they see fit.
a plethora of tools
The police arrest suspects, and can tell many stories in order to get a judge to extend a suspect’s detention. Detectives who follow suspects around the clock and intel agents who exploit criminals’ vulnerabilities in order to get them to divulge secrets and betray their friends have been around for decades. Secretly planted surveillance cameras in locations frequented by criminals, as well as microphones hidden in bedrooms, are measures the public is familiar with. If they see fit, the police are able to violate our privacy and intrude on our innermost private lives. Without going into details, let’s just say that Pegasus isn’t even the most powerful and invasive tool at their disposal.
Our focus should be different. We should be asking ourselves where the responsible adult was and why didn’t he prevent this story.
According to reports, someone employed a tool that was intended to be used sparingly and judiciously and used it on a whim, possibly in an attempt to suppress civil protests. So far, although distressing, there is nothing new in that. Rogue police officers or ones who exceeded their authority are a known phenomenon.
- Did NSO Go Rogue and Use Pegasus Spyware for Private Ops?
- Either Police Is Lying, or Pegasus Scandal Is Biggest Flop in Israeli News History
- Israel's Pegasus Scandal – and How to Protect Your Phone
So, what’s so awful about this affair, if proven to be true?
The problem is that no one looked at intelligence reports and asked about the provenance of the personal data collected about demonstrators. No one opened the computer on which Pegasus was installed and checked which numbers had been run on it lately. No one demanded a monthly report on usage made of this spyware, or any spyware for that matter.
Intelligence agents have again operated without appropriate oversight, which is what is so horrendous about this matter. We don’t yet know what really happened; for this to happen, a full investigation needs to take place. But if true, the affair is a repeated demonstration of a systemic failure - a lack of any supervision over intelligence operators.
Intelligence agents operate in grey areas and it comes with the territory. But this also puts them at risk. An agent handler busy with manipulating people has to learn to stop manipulations when reporting to their supervisor. Signal intelligence operators, constantly with their eyes and ears open, need to learn not to listen to conversations which are really personal. Analysts, constantly hungry for data, need to know when to set limits on data collection. This is a tricky task. There’s a very powerful sense of being drunk with power in the intelligence community, and this can lead to bad places.
To this is added the built-in secrecy in intelligence matters. No sunlight illuminates their operations. Material is either censored by the agent themselves, or some of it is deemed classified, so that it doesn’t appear in an investigation file, and what remains is often papered over so that the original source of the information remains concealed.
This amalgam of power and clandestineness creates an agency with a propensity of getting into trouble. This happened with the Shin Bet and the Bus 300 affair, and repeats itself every few years with intel coordinators in various agencies. Only recently, Military Police intelligence operators allegedly ignored the distress signals of a source, failing to report them to their supervisor, with only a serious incident revealing serious flaws in the entire unit. In the absence of a supervisor who is an intelligence agent, everyone does as they please.
In regards to Pegasus, my bet is that everyone involved was blinded by its capabilities. Everyone was in a rush to use their new toy and no one hurried to write down proper procedures for using it. They locked the computer in a special room and that was it. They brought in a few people from the army’s famed 8200 intel unit without making sure they knew that they weren’t dealing with terrorist, that there were strict limits when it comes to civilians, and that they could end up in jail if they didn’t get used to being restrained. But that’s just my guess. It needs to be investigated in order to establish exactly what transpired there.
There is no choice but to allow the police to employ powerful tools. Criminals are sophisticated and evil. Some are willing to do whatever it takes for the sake of money or in the name of a dangerous ideology, and they must be stopped. But in exchange, the police must be accountable. Worthy managers must be appointed, people who must be held accountable when there is flawed conduct. The emphasis should be not on the written procedures but on appointing talented and worthy people, required to faithfully do their job.
Instead of denying what happened to the media it would be better for senior police officials to announce that they were launching an investigation. They would thereby signal to the public that they may have erred, but that they are interested in making amends. If Tomer Gonen’s report is correct, and if this affair ends without deposing the relevant managers and without the rogue agents going to jail, this will be a colossal miss, and the next foul-up only a matter of time.
Pegasus is a type of weapon, with all that this implies. Just like there are many procedures for using side-weapons, there should be ones that ensure the correct use of this spyware. The oversight of state prosecutors or the Knesset is insufficient. Lawyers don’t know how to oversee this kind of professional work. They don’t know anything about it. They understand evidence and laws, not modes of operation. The task of oversight belongs to senior police officers. These sadely were apparently busy with other issues. If one wants to prevent the next incident, they must be held to account fully.
Gadi Perl is a research fellow at the Federman Cybersecurity Center and a Ph.D. candidate in law at the Hebrew University. He is a former head of a team of computer researchers at the Israel Competition Authority.