Spies are already in your phone. A highly controversial private firm may be next
ToI investigates


Fighting the coronavirus contagion, the government has introduced extremely intrusive tracking. Now it wants to bring in the NSO Group, a company accused of human rights violations

Simona Weinglass is an investigative reporter at The Times of Israel.

Illustrative. (iStock)

With unemployment at 25 percent, and most Israelis confined to a hundred-meter radius of their homes amid the coronavirus pandemic, few have paid much attention to the government’s program to track coronavirus patients using cellphone data.

In a survey last week by the Israel Democracy Institute, 63% of Jewish Israelis and 38% of Arab Israelis said they trust the Shin Bet and other government bodies to use the cellphone data they collect responsibly, and only for purposes of preventing contagion.

But Tehilla Shwartz Altshuler, a senior fellow at the Israel Democracy Institute, and head of the institute’s program on Democracy in the Information Age, believes this trust is misplaced. She warns that amid the chaos and confusion of the coronavirus pandemic, Israel’s government has undertaken “an extreme and massive human rights breach, allowing a secret service which is the most non-transparent body you can imagine, to gain access to all the digital personal data of Israeli citizens.”

Not only has the Shin Bet been given unprecedented access to the data of all Israelis, including their location history and information about their phone calls, text messages and websites they visited, says Shwartz Altshuler, but Defense Minister Naftali Bennett recently announced a plan to analyze this cellphone data with the help of an extremely controversial private company, the NSO Group.


The NSO Group has been accused by Facebook in a recent lawsuit of using its WhatsApp messaging app to hack into the cellphones of nearly 1,400 journalists, diplomats, dissidents and human rights activists around the world. The company is reportedly under investigation by the FBI and, as The Times of Israel has previously reported, its owners have ties to Israel’s outlawed, largely fraudulent binary options industry.

The NSO Group has denied any wrongdoing in the Facebook lawsuit and several other lawsuits filed against it by human rights activists. “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years,” the company claimed in an October 2019 statement.

In a response received shortly after publication, NSO Group said this article “does not reflect reality and is replete with inaccuracies.” (The NSO Group’s response appears in full at the bottom of this piece.)

The Times of Israel asked a spokesman for Bennett whether the minister feels that the NSO Group has the integrity and moral stature to potentially be given access to the personal data of all Israeli citizens.

“No comment,” came the reply.

The Times of Israel interviewed Shwartz Altshuler to understand why she believes Israel’s new cellphone tracking methods are more invasive than those implemented in other democratic countries, and why she thinks that the powers awarded to the Shin Bet and potentially to the NSO Group as well should deeply concern all Israelis. We also spoke to a former US federal prosecutor and consulted with other experts.

How governments use cellphone data to contain the coronavirus

On March 14, Prime Minister Benjamin Netanyahu announced that Israel would utilize data from cellphones to track coronavirus carriers.

“Up until today I avoided using these measures in the civilian population but there is no choice,” Netanyahu said in a prime-time television news conference. He acknowledged that these measures infringe on citizens’ privacy, but said the imperative to thwart the spread of the pandemic took precedence, and noted that he had been given a green light by the Justice Ministry.

In this March 14, 2020, photo, Prime Minister Benjamin Netanyahu arrives for a speech from his Jerusalem office amid the coronavirus crisis. (Gali Tibbon/Pool via AP, File)

But what exactly did Netanyahu mean by cellphone data, and to what kind of privacy infringements was he alluding?

Shwartz Altshuler explained that Netanyahu was referring to a method called contact tracing, which, she said, is used in many countries, both democratic and non-democratic.

The idea behind contact tracing as it applies in the battle against the pandemic, she said, is to identify people in what she called the first, second and third circles of contagion.

“Let’s say you’ve been diagnosed with the coronavirus. I want to go back 14 days and know exactly where you’ve been and whom you’ve met along your path. Maybe you came back from America 14 days ago and you sat at home and didn’t meet anyone. Or maybe you just didn’t know you were sick and you went to work regularly, took the train and went to the supermarket. All the people who crossed your path are what we call the second circle. And all the people that they, in turn, encountered are the third circle.”

Shwartz Altshuler said that the best way to find out who a patient has been in contact with is to ask them, but that only works with people they know personally. If they went to the supermarket or rode the bus, the only way to know with whom they came into close contact is to analyze cellphone location data.

Medical team members at the Barzilay hospital, in the southern Israeli city of Ashkelon, wear protective gear as they handle a coronavirus test sample on March 29, 2020. (Flash90)

“Phone location data can help understand whom you met in the past 14 days,” she said. “All those people need to go into quarantine. They need to get a text message telling them to stay at home.”

Location tracking can be a legitimate practice, Shwartz Altshuler believes, as long as the government body that obtains and analyzes the data is a civilian body and not a military or intelligence agency.

She said that while the Shin Bet certainly has the technical ability to do contact tracing, the fact that Israel tasked the organization with doing so is unprecedented and highly problematic.

“It’s a secret service,” she said. “It operates behind closed doors and anything it does is top secret. So we’ve now created a system where all the location data of all citizens in Israel is being analyzed by the Shin Bet on a daily basis.”

The location data now in the hands of the Shin Bet, Shwartz Altshuler said, shows where any given person was at any given moment in time, every website they visited, as well as a history of their phone calls and text messages and who they were speaking to or texting. It does not include the content of those calls or text messages, she said.

As to how exactly this data is being obtained, she said it is a little known fact that the Shin Bet has direct access to the cellular infrastructure in Israel. The agency doesn’t need to ask the cellphone companies for location data, since it can obtain it independently.

“The Shin Bet collects this information all the time, not just during the coronavirus crisis,” Shwartz Altshuler noted. “Journalist Ronen Bergman recently wrote an exposé about this [in Yedioth Ahronoth and The New York Times], but the Israel Democracy Institute wrote an article about this a year ago. We warned that there is not enough oversight.”

Shin Bet head Nadav Argaman. (Flash90)

During normal times, the Shin Bet keeps all this information in a vast database that it neither uses nor has automatic access to. “If they want to track a particular person, they need a court order.”

What’s changed since Netanyahu’s announcement of March 14, she said, is that now the Shin Bet has “massive access to this database without any court orders, not for any specific person but for anyone who could have been near a coronavirus patient.”

“I consider this to be an extreme and massive human rights breach,” she said.

Shwartz Altshuler acknowledged that there are some measures in place to prevent misuse or abuse of the data.

“The Shin Bet is not allowed to pass it along to any other government body and is supposed to erase or delete all the information once the coronavirus crisis is over. But as you can imagine, oversight is pretty light.”

Ankush Khardori, a former US federal prosecutor, told The Times of Israel that the type and amount of data the Shin Bet is reported to have collected could prove immensely dangerous in the wrong hands.

“If the reporting is accurate, this is an extraordinary set of data that could be used and misused in countless ways,” he said. “Setting aside whether it ever should have been collected in the first place, historical geolocation data — tracking the movements of a person through his or her cellphone — can be used to determine deeply personal details of someone’s life, such as if they are seeking mental health counseling, if they are seeking substance abuse treatment, or if a married person is having an affair. In the wrong hands, it would not be difficult to use this sort of information for extortion or blackmail.”

He added: “If it is overlaid with call data and web browsing data, you have even more access to sensitive information about people’s behavior and movements — information that may have seemed ephemeral to them at the time but that can take on unshakable significance through the permanence of the data. How many of us would want all of our mobile web browsing history — which may contain some of our most fleeting interests and thoughts — scoured by another person?”

Partnering with the NSO Group

On March 30, Defense Minister Bennett announced in a series of tweets that Israel had also developed a sophisticated artificial intelligence system, separate from the system currently in use by the Shin Bet, to track the spread of coronavirus.

“In my opinion it is the most advanced in the world,” he wrote, next to an emoji of a flexed muscle.

A March 30, 2020 tweet by Israeli Defense Minister Naftali Bennett touting a new coronavirus tracking tool the Defense Ministry has developed in partnership with NSO Group (Twitter)

The system, he said, will give every citizen in the country a score from 1 to 10 depending on how likely they are to be infected with coronavirus.

“Let’s say the day before yesterday you visited an ATM machine that had been visited an hour earlier by a coronavirus patient, your score could rise to, say, 9 or higher. The system identifies, in real time, buildings, neighborhoods and hotspots of contagion, which we will ‘attack’ by putting them under lockdown or carrying out massive numbers of tests.”

Bennett also revealed that the system was a joint venture between the Defense Ministry, the IDF’s 8200 intelligence unit and a private high-tech company, whose name he did not specify.

Defense Minister Naftali Bennett inspects the Dan Hotel in Tel Aviv, which was converted into a quarantine facility for carriers of the coronavirus on March 16, 2020. (Naftali Bennett’s Twitter account)

But at a March 31 Knesset hearing of the Subcommittee for Secret Services, MKs revealed that the company in question was none other than the controversial NSO Group.

The company is best known for marketing Pegasus software, which can reportedly hack into the contents of any phone, as well as turn on the phone’s camera and microphone in order to spy on the owner. In October, Facebook, which owns the WhatsApp messaging app, filed suit in the US against NSO, accusing it of using WhatsApp to conduct cyber-espionage on nearly 1,400 journalists, diplomats, dissidents and human rights activists worldwide. The NSO Group is reportedly also under investigation by the FBI.

In May 2019, representatives of Amnesty International Israel and a few dozen other Israeli human rights activists petitioned the Tel Aviv District Court to order the repeal of NSO Group’s export license because NSO Group allegedly used Pegasus against Amnesty International operatives in the United Arab Emirates.

The petition alleged that by allowing the NSO Group to export its software, Israel failed to uphold the 1948 Universal Declaration of Human Rights, which holds that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

“There aren’t many Israeli companies with a worse reputation than the NSO Group,” Tehilla Shwartz Altshuler said.

She said that for Bennett’s NSO Group software tool to work, it would require cellphone location data.

“We don’t know where he plans to get this location data from. If he wants to use the Shin Bet location data that I described before, that is not allowed according to the emergency regulations. It was specifically stated that the Shin Bet cannot transfer any information to any other body besides the Health Ministry. If, on the other hand, he wants to use regular location data from cellphone companies, he needs to have some kind of authority to ask for this data.”

According to Shwartz Altshuler, Bennett’s vaunted new tracking tool in itself is potentially helpful, as it can carry out contact tracing for first, second and third circles of contagion.

“It can do it in a very nice visual way. It can provide heat maps that allow decision makers to see where outbreaks are becoming worse and which parts of the country are relatively free of disease.”

But, Shwartz Altshuler warned, there are two major problems with the artificially intelligent system Bennett wants to use.

The first regarded the use of such a tool by state military and security establishments.

“The army is not subject to the Freedom of Information Act; it does not have the restrictions of an institution that deals with the personal data of civilians,” she noted. “We give far-reaching authorities to the army to fight enemies, not to fight civilians.”

An Israeli woman uses her phone in front of a building in Herzliya that housed the NSO Group intelligence firm, August 28, 2016. (Jack Guez/AFP/File)

She said that while Asian democracies like Taiwan and South Korea have used cellphone location data for contact tracing in the fight against the pandemic, they did not involve the military or defense establishments.

“They went directly to cellphone companies, used emergency regulations to ask for cellphone data, then passed this data directly to the ministry of public health. They didn’t involve the army or police and certainly not the secret services.”

But especially troubling, said Shwartz Altshuler, is that Bennett did not see a problem with involving the NSO Group in its initiative.

“The NSO Group has a very bad reputation. There aren’t so many Israeli companies that have been condemned by the UN special rapporteur on freedom of expression,” she said, referring to multiple statements by special rapporteur David Kaye singling out the company for opprobrium and alleged human rights violations.

The NSO Group has denied all wrongdoing.

On April 5, Bennett told Army Radio that the artificial intelligence tool needs approval from the prime minister before it can be rolled out.

“We are awaiting a government decision,” he said. “As soon as the prime minister decides, it will happen. We need this tool because it’s like the difference between using Waze and just reporting a traffic jam. This tool is the Waze of the coronavirus.”

Bennett assured listeners that only the government, and not NSO Group, would actually handle the data. He said that NSO Group’s role would be solely to provide the software which the government would control.

“We need this tool if we want to re-open the economy,” Bennett exhorted. “We need to know if a brushfire of the virus has ignited in Dimona or in… Kiryat Shmona. Right now we are effectively blind.”

The Times of Israel spoke to a source within the Israeli cybersecurity industry, who asked not to be named. The source said that NSO is currently selling its coronavirus software to countries around the world and that he fears it may sell elements of Pegasus software to these governments as part of a package deal.

Troubling connections

Three of the NSO Group’s founders — Omri Lavie, Shalev Hulio and Isaac Zack — invest their personal money through an investment firm known as the Founders’ Group that has invested in the largely fraudulent binary options industry.

NSO Group founders Omri Lavie, Shalev Hulio and Isaac Zack in a 2016 Founders’ Group brochure (Screenshot)

The Founders Group claims in its promotional material that it provided $1.85 million in seed funding for 23Traders, a binary options brand. In December 2016, a Canadian man named Fred Turbide died by suicide after losing his life’s savings to the firm.

Israeli lawyer Yoram Fay, who represents a British citizen who says he lost his life savings to 23traders.com, said he does not like the idea that major investors in the firm that allegedly cheated his client could be helping the government fight the coronavirus.

Screenshot from a promotional brochure for the Founders Group

“As an Israeli citizen, it makes me very uncomfortable that anyone connected to binary options would have access to my personal data. It’s one thing if the government has my data and they use it to provide services, and even if the government tracks me for purposes of preventing the spread of the coronavirus. But the government is not trying to rob people like binary options firms did.”

Khardori, the former US federal prosecutor, was likewise discomfited by the idea.

“If a government were to consider sharing information of this sort with a private company — a bad idea to begin with, but let’s assume they do it — I would hope that they would undertake the most rigorous possible vetting of that company and insist on the most robust safeguards available.”

Khardori added: “The fact that this data may be shared with a company with ties to or involvement with the binary options industry is even more troubling. Based on my experience as a prosecutor investigating participants in the industry — and without commenting with regard to knowledge that I may have about this particular company — I can say that fraud and misconduct were prevalent in the industry at alarming rates. So far as I could tell, almost the entire industry was engaged in fraud on some level.”

Despite the problematic track record of the NSO Group and its owners, Shwartz Altshuler believes that Bennett has not been deterred by potential fallout from the partnership, including any possible public relations repercussions, because the Israeli public remain largely oblivious to privacy concerns.

“He did this because he knows the Israeli public won’t care. The NSO story and the Shin Bet story are of high interest in the English-speaking community in Israel and in the international community. It’s unbelievable how little outrage there is in the Hebrew-speaking Israeli public about this.”

NSO Group responds

The Times of Israel reached out to NSO Group for comment, but did not hear back from it prior to publication. In a response received shortly after publication, NSO Group said: “Unfortunately we did not receive your request for comment. We assume that if we had been given the chance to present our system, it would have prevented publication of this biased article which does not reflect reality and is replete with inaccuracies.

“NSO Group developed, at lightning speed, an analytical and strategic system that is meant to be used by decision makers to manage the spread of coronavirus as well as manage the markets and economy.

“The company developed the technology for the benefit of states and does not operate it so the data is not passed along to the company. The claims about invasion of privacy are not correct. The data that will be needed to operate the system by authorities and governments is statistical and aggregated, not personal data.”

Judah Ari Gross contributed to this report.
