The NSO Affair: What is allowed and what is not in online surveillance?

Amid reports the Israel Police used Pegasus spyware on citizens, allegedly without oversight, IDI experts weigh in on the legal standing of covert monitoring and wiretapping

Illustrative: A person using a cellphone. (Oatawa via iStock by Getty Images)

Public outrage over recent accusations that Israel Police regularly used spyware to break into Israelis’ phones without judicial oversight has raised questions about just what authorities are entitled to do to prevent crime.

Does the law allow the use of spyware against any citizen? Who oversees the process? Is there any way of knowing if we are being followed? Israel Democracy Institute experts explain.

Does the law allow the use of spyware to combat crime?

The Wiretap Law was designed to regulate clandestine surveillance of conversations among people, whether over the telephone or in the form of communication between computers. It should be remembered that the Wiretap Law requires the issuance of a court order before surveillance is put in place, and only applies with regard to investigating and preventing criminal offenses, rather than minor offenses. It is not meant to apply to cases described in Tomer Ganon’s article in Calcalist, such as surveillance of demonstrators. It also bans, for example, transcribing conversations between lawyers and their clients, or listening to conversations involving Knesset members.

What is lacking in the current legislation?

On the face of it, the Wiretap Law can be interpreted as allowing the use of software such as Pegasus, but the law refers only to wiretapping or to the use of a long-distance microphone for surveillance, and does not refer to extracting all the contents of a particular device. This is precisely what is missing: The Wiretap Law does not provide a legal basis for extracting the entire contents of someone’s phone. Yet the idea of only using Pegasus for listening in to conversations is ridiculous. There are many cheaper and more widely available technologies for this purpose. Thus, it is clear that Pegasus was used to extract all the information that was available. It is important to note that in other countries, such as Germany and Britain, there is specific legislation that covers the use of cyber-tools for law enforcement purposes, separately from “regular” wiretapping — and this is what Israel currently lacks.

What is the difference from a legal perspective between this kind of software and “regular” wiretaps?

Presumably, the Israel Police has access to cellular and landline phone companies allowing it to conduct “traditional” wiretaps of phone conversations. Spyware provides direct access to the phone device itself, and extracts all the content stored within it: emails, photos and videos, social media activity, notes and lists, location data, WhatsApp chats, and call records. It may also enable activation of the phone’s microphone, and thus allow surveillance of conversations conducted in physical proximity to the device.

Thus, this question is the equivalent of asking: What is the difference between buying bread in a supermarket, and being able to buy absolutely everything in the supermarket, including not only all the products, but also the shelves, the checkouts, and the employees.

A branch office of NSO Group near the southern town of Sapir, August 24, 2021. (AP Photo/Sebastian Scheiner, File)

Who oversees and approves the use of tools of this kind?

According to the law, the police force is required to submit an application to a district court for a wiretap order or to a magistrate court for a warrant to acquire metadata pursuant to the Communications Data Law. But in practice, current oversight is ineffective. Requests for such orders do not provide detail on how wiretaps will be carried out, including the possible use of controversial offensive cyber-tools, while judges rubberstamp almost all requests submitted. Thus, the system suffers from the digital ignorance of judges who do not understand the technology being deployed, and the indifference of the legal system regarding the need to ensure effective oversight of the police.

The wider public layers of oversight are also ineffective: The police force claims that almost all its actions referenced in the recent disclosures were approved by the attorney general, while the latter claims that he was unaware of such actions. There is no doubt that the Justice Ministry, via the attorney general, should have been involved in approving in principle the use of these tools, but even when such approvals and guidelines are provided, this takes place behind closed doors while freedom-of-information requests are refused, and it is also unclear to what extent the ministry in fact oversees such use.

According to the Wiretap Law, the police must provide an annual report on its use of wiretaps to the Knesset Constitution Committee. These annual reports contain no mention of use of spyware such as Pegasus.

Is it permissible for these tools to be used against any citizen and in any case, or are they reserved for particular offenses?

Wiretapping is allowed only as part of investigations into or attempts to prevent criminal offenses — those carrying a sentence of at least three years’ imprisonment. As stated, the use of offensive cyber-tools to extract all the information from a phone is not at all grounded in law, and it clearly needs to be limited only to rare cases and to a very limited set of offenses. The Calcalist investigation indicates that the opposite has been the case, and that these tools have been used for political purposes and not just for serious offenses.

May these tools be used when there is no suspicion of criminal activity, such as in the case of organizers of the Black Flag protests?

“Regular” wiretaps are forbidden when there is no suspicion of criminal activity. Thus, it is clear that using far more invasive methods, such as NSO’s tools, is outlawed. If use is made without a court order, this constitutes an illegal act by the police, and one which also infringes on the constitutional right to privacy. If use is made on the basis of a court order that the police obtained by not telling the truth — such as not stating what information would be collected and for what purpose — this is also illegal, and extremely troubling.

Is there any way of knowing that you are being tracked?

Previous cases from around the world have demonstrated that certain laboratories are able to identify signs that the Pegasus system has been used in a phone. In Israel, there are laboratories that can identify the presence of simpler spyware.

Bird's-eye view of the Israel Police National Headquarters, March 1, 2013. (Nati Shohat/Flash90)

Have the police ever been accused of using similar tools against citizens in the past?

NSO itself has denied on several occasions that Pegasus can be used against Israeli citizens, and thus the recent revelations have certainly made waves. The interesting question is: if the police did indeed sign a contract with NSO back in 2014, how was this not made public until now? Clearly, this development is not mentioned in the annual reports that the police are required to submit to the Knesset Constitution Committee, which is indicative of a total collapse of gatekeeping mechanisms — the attorney general, the courts, and the Knesset.

The authors are researchers at the Israel Democracy Institute. The article was originally published by the IDI, and is reprinted with permission.

Times of Israel staff contributed to this report.
