Eight key questions at the heart of the NSO spy software confusion

A month after reports first broke that the Israeli Police were allegedly using the Israeli surveillance company NSO Group’s spyware to break into the phones of Israeli civilians, many questions still remain about what the police did or didn’t do, what technology they used, who did or did not approve the full scope of their actions, and what — if any — legal consequences may ensue.

Additionally, the persistent gulf between what the story-breaking news site Calcalist claims and what public sector-led investigations have found has raised questions about the veracity of the reports.

The Times of Israel interviewed experts and collated the latest available information to shed light when possible, and expose confusion when not, on eight of the largest questions looming at the heart of the spyware controversy.

1. Did the Israel Police use the NSO Group’s powerful Pegasus spyware to access civilians’ phones?

The police likely acquired an NSO product more primitive than Pegasus. Pegasus is an extremely powerful tool that delivers a zero-click exploit — requiring no user interaction — allowing the spyware’s operator to remotely gain access to all of a phone’s data and functionality.

We know police used an NSO tool because a Justice Ministry investigation into police actions accessed NSO’s data to draw its conclusions. But police rhetoric, media reports, and experts suggest that the tool police used is less powerful than Pegasus, and is likely another NSO product called Saifan.

Deputy Attorney General Amit Marari, who is leading one of several public investigations into police use of spy software, included NSO databases in her probe.

Former police chief Roni Alsheich denies illicit use of spyware by police during his term, in a video statement on February 9, 2022. (Channel 12 screenshot)

“[Marari’s] team is checking information contained in NSO’s internal database, which the company has made accessible to [Marari’s] team,” stated a letter the State Attorney’s Office sent to the Jerusalem District Court on February 13.

Marari’s report, whose initial conclusions were delivered on Wednesday, refuted some of the specific claims in the most recent Calcalist reporting, including that Pegasus was used against three senior civil servants.

According to Tehilla Shwartz Altshuler, head of the Democracy in the Information Age Project at the Israel Democracy Institute, her own research suggests that the police did not use Pegasus, but rather another, less sophisticated NSO product.

“I believe [former police commissioner] Roni Alsheich, who says the Israel Police doesn’t have Pegasus,” said Shwartz Altshuler. “But, Alsheich is only telling half of the truth, because the Israeli police does or did acquire another NSO product which nobody knows [and is] called Saifan.”

Hebrew media also reported Alsheich describing the tool as Saifan, which they claimed was partially neutered to fit constraints on police activity, such as the need to block a wiretap from obtaining information that existed before the wiretap went into effect.

While Shwartz Altshuler does not know the specifics of Saifan  — or any other non-Pegasus NSO tool — she said “comparing this system to Pegasus, it’s like comparing a very old car to a Tesla.”

Therefore, Shwartz Altshuler said, “using NSO” or “using Pegasus” is misleading. She suggested threading the needle. “Using ‘an NSO tool’ is the right framing,” she said.

2. Under current Israeli law, is it illegal for the police to use spy software?

Spying software is not explicitly covered by current statutes, but in past cases that pitted technology against privacy in the absence of clear law, the police have obtained interim opinions from the attorney general that enabled them to use the new technology.

According to Shwartz Altshuler, who is an expert on the intersection of technology and privacy, there seems to be national agreement that laws on wiretaps and police searches need to be updated.

Smartphones, for the purpose of wiretaps and searches, are considered computers.  The laws on tapping or searching computers were updated in 1995 and later given minor fixes in 2005 — two years before the first iPhone hit the shelves.

Among the scenarios not imagined by the existing legal framework is the central value proposition of spyware: getting into someone’s device remotely and secretly and taking existing materials that are on this device.

Tehilla Shwartz Altshuler, head of the Media Reform Program and Democracy in the Information Age at the Israel Democracy Institute (Courtesy IDI)

“This is a question that does not have an answer within the Israeli legal framework,” said Shwartz Altshuler. Wiretap laws allow law enforcement to clandestinely listen to conversations — including messages — between computers, but only from the time of the warrant. The laws on searches allow retrospective searches, but require police to declare their intention to the search subject and to physically obtain the device.

When the NSO affair broke a month ago, lawmakers quickly called for amending these laws to match new technological realities, as they do not address  smartphones, eavesdropping or search software, including NSO’s products.

Shwartz Altshuler says that although it isn’t known whether former attorney general Avichai Mandelblit gave the police a legal opinion on using NSO tools, past brushes between police technology and privacy resulted in the attorney general providing an interim opinion to close the gap between legal gray areas and reality.

“The [former] attorney general up to this point has said ‘I did not approve the use of Pegasus.’ But as I said, it’s probable that the police haven’t used Pegasus,” said Shwartz Altshuler. “They used, I would say, a less invasive technology. And here we don’t know if the attorney general has given any kind of legal framework for such uses.

“What we do know is that in other cases it works as follows: The police purchased or started using a new technology. [The police then] went to the attorney general to ask for general guidelines of how to use this. The attorney general’s people knew that the police were not authorized by law to use such technologies, but they also knew that legislative processes take a huge time in Israel. So they said, ‘Okay, we’re going to give you this kind of an interim guideline. You’re going to use them until the Messiah comes or we pass legislation, see what happens first.’ And how do I know this for sure? Because this is exactly what happened with the use of another very invasive surveillance system, which is called Hawk Eye.”

Hawk Eye is a system that the police have used to track vehicles and passengers throughout the country by using fast cameras to identify and recognize license plates. The information – which is collected en masse, rather than targeted against a specific crime and suspect – is stored in a databank.

“It is exactly like Pegasus; it’s a mass collection system that you can use in order to do fishing,” said Shwartz Altshuler, alluding to the power of and privacy challenges posed by the Hawk Eye.

Hawk Eye has come under scrutiny for overreaching the police’s current legal authority, but before it reached public discussion, Hawk Eye was on the table of the attorney general.

“What happened with Hawk Eye is that the police were not sure that using it was legal. So, they went to the attorney general and the attorney general gave them an interim guideline for the use of Hawk Eye. And it went on like after six years, until [Israeli privacy watchdogs filed a petition] to the Supreme Court,” said Shwartz Altshuler.

Israel’s new minister of public security, Omer Barlev, arrives for a group photo of the newly sworn-in government at the President’s Residence in Jerusalem, on June 14, 2021. (Yonatan Sindel/Flash90)

Following a petition brought by Privacy Israel and the Association for Civil Rights in Israel, the High Court of Justice – the Supreme Court’s forum for petitions against the state – ultimately required the police to curb its usage.

“The Court issued a warrant to the police to stop the use of [the Hawk Eye] system immediately,” said Shwartz Altshuler. “They said to them, ‘You don’t have any authorization to start using a mass collection system.’”

Proposed legislation – which went far beyond traffic monitoring and paved the way for deploying facial recognition cameras in public spaces – was proposed for public comment in July 2021, but has still not been advanced by the Public Security Ministry.

Despite a High Court decision that the police could not use Hawk Eye until enabling legislation was passed, as of January 2022, the police were still using Hawk Eye, according to court documents.

Before leaving office, outgoing attorney general Mandelblit reportedly ordered the police to suspend their use of NSO software.

3. How does the court approve police wiretap and search orders?

Wiretap and search orders fall under different laws, the 1979 Wiretap Law and the 1969 Criminal Procedure (Arrest and Search) Ordinance, respectively.

Wiretaps are handled by a district court’s president or her deputy, while a search warrant can be obtained by a lower-level magistrate’s court.

Wiretaps also must be presented by a police officer at the rank of commander or higher, a relatively senior level. Search orders don’t carry that requirement.

Avigdor Feldman, a lawyer and criminal and human rights law expert who has handled several cases involving wiretap and search, describes both requests as a rather straightforward process.

“The police come, present intelligence, sometimes the judges actually ask questions, and the court usually approves,” he said. “There’s no protocol for this,” in the sense that there is no set script to follow in questioning.

In line with Feldman’s account, Shwartz Altshuler said her research found that the courts approve wiretap and search orders with a “rubberstamp.”

“All one-sided requests to the court are being approved in very high percentages, it’s above 90%,” she said. One-sided requests are made by one party without input from the party being affected, including gag, wiretap, search, and arrest warrant requests.

According to Shwartz Altshuler, when narrowed to wiretap and search, approval rates soar over 95% in the last decade. “Which means that generally, the courts are not an effective oversight body over the police,” she said.

One constraint on the court’s ability to oversee these types of requests is as innocuous as it is insidious: digital ignorance.

“I think most judges don’t know how to ask the right questions,” said Shwartz Altshuler. “[Many] judges think of wiretapping in the old-fashioned way.”

Getting to the heart of the matter would include asking what technology is being used; how invasive it is; how you want to get into the device; and what you want to pull from the device.

4. If evidence gathered via spy software were inappropriately obtained, could it be used in trial?

The legal concept in question, “fruit of the poisonous tree,” describes the question at issue: If evidence – fruit – were to be obtained from an illegal source – the poisonous tree – is the fruit itself contaminated, i.e., inadmissible in court?

Many countries say yes, but the answer is less clear – and possibly recently only more obfuscated – in Israel.

In mid-January, the Supreme Court issued a decision in a case involving former prime minister Benjamin Netanyahu’s advisor Yonatan Urich that said that evidence obtained against Urich via a warrantless cellphone search could be used by a court, provided the court weighed the evidence as illegally obtained. In other words, information from cellphones obtained inappropriately can still be used at trial, per a judge’s discretion.

“This decision gives police a huge incentive to break the law and obtain evidence illegally,” said Shwartz Altshuler.

While the fallout from the Urich decision remains to be seen, prior to it, the controlling opinion has been the Issacharov Doctrine. Issacharov guided judges in finding inappropriately obtained evidence as often tainted. In the eponymous 2006 decision, the Supreme Court ruled that courts have the discretion to disqualify improperly obtained evidence, if admitting it would infringe upon a defendant’s right to a fair trial, or on rights established by the Basic Law on Human Dignity and Freedom.

Then-Likud spokesman Yonatan Urich poses for a picture outside the Prime Minister Office in Jerusalem on April 16, 2019. (Yonatan Sindel/Flash90)

In May 2021, Justice Minister Gideon Sa’ar proposed legislation to instantiate the court’s authority to exercise Issacharov-like discretion in law. The proposal is currently being discussed in the Knesset’s constitutional committee.

This question has major reverberations back to the trial of Netanyahu, who is facing three graft charges. Calcalist claimed that police were using spy software in their investigation against Netanyahu, including against key witness Shlomo Filber.

Marari’s report is said to have found that of the seven Netanyahu-related names published by Calcalist, only Filber’s phone was hacked in a way that exceeded the warrant given to police, and that evidence from the break-in was not passed to investigators.

5. How many times did the police use an NSO tool against civilians?

It’s unclear how many times the police used an NSO tool against citizen targets. A Channel 12 report from February 12 claimed that “Pegasus” was activated 90 times during Alsheich’s 2015-2018 tenure, and in 150 instances under Alsheich’s successor, Motti Cohen, who filled the office in 2018-2020.

But, concrete numbers about the full scope of police spy software or NSO tool usage are still unavailable.

And, significant gaps remain between media claims, police statements, and government corroboration.

Despite the plethora of parallel public institution checks underway, each check is focused on a slightly different slice of the issue.

On February 13, prosecutors in Netanyahu’s graft trial shared results of a police-led check into 1,500 phone numbers tied to investigations and found that all tapped phones had at least an associated court order. This verification looked at both conventional wiretap and advanced methods, but only focused on whether targets were spied upon without a level of court involvement. It did not comment on what methods were used against targets and whether or not investigators exceeded the bounds of their court-approved authority.

Prosecutors told the court on Wednesday that, of the Calcalist names associated with the trial, only Filber, a state witness and former director-general of the Communications Ministry, was successfully hacked. Filber had a wiretap order against him, as did Netanyahu co-defendant Iris Elovitch, whose phone was targeted but not successfully compromised.

Marari, the deputy attorney general who leads the probe established by outgoing attorney general Mandelblit, reportedly found that one of Calcalist’s most sensational claims – that three senior civil servants’ phones were hacked – was not proved out.

Two of the senior servants – former ministry directors general Keren Terner Eyal and Shai Babad – submitted their phones to a private company last week that they claim found evidence of tampering.

State Comptroller Matanyahu Englman and Public Security Minister Omer Barlev have also announced investigations, but without findings to date.

6. Why is privacy so important?

The right to privacy is what undergirds the ability to exercise core democratic values, and an attack on privacy can spiral into an attack on civil liberties and democratic rights.

According to Noa Sattath, executive director of the Association for Civil Rights in Israel, hallmarks of open societies – the ability to protest, to speak freely, to have a free and open press – all require the right to privacy.

“The right to privacy is such a foundational right,” Sattath said. “If we don’t have that right, then our ability to use our speech and protest are limited… If journalists and activists can be tracked, then the threat to democracy in Israel is intense.

“And that’s what was happening here: There was an attempt to curtail those rights by abusing our right to privacy.”

Noa Sattath, executive director of the Association for Civil Rights in Israel (Courtesy ACRI)

The use of spy software challenges citizens’ right to privacy, constitutionally enshrined in the 1992 Basic Law: Human Dignity and Liberty.

Sattath believes the connection between privacy and democratic values is so direct, and the attack on privacy posed by unrestrained police usage of spy software so clear, that she said: “I cannot think of a democratic right that is not infringed by this software.”

In addition to speech and protest, privacy is core to the right to assembly and due process. “Because of the wide access that Pegasus has to all of our information and the different systems that we use, it allows for profiling and harassment, it interferes with due process, it has wide implications some of which we cannot even imagine at this time.”

7. If the worst of the allegations against the police and NSO are true, what does this mean for Israeli democracy?

Amir Cahane, a surveillance law expert at the Israel Democracy Institute, says that an abuse of police power in a privacy scandal does not in itself indicate democratic erosion.

“Generally speaking, I’m not sure if these specific revelations say anything about Israeli democracy as a whole,” Cahane said. “On their face, they tell the story of legislation that is long overdue, statutory amendments that are long overdue. They tell the story of overzealous investigating authorities that have exceeded their mandate to the point that is probably unlawful, and maybe tell the story of lack of oversight.

“This is not an indication that democracy is at stake here. It doesn’t sound like a police state. These things have been brought to light and we’ll see how they unfold in a political arena.”

Rather, Cahane says, the true test of Israel’s democratic values will be how the state responds to the scandal.

“The resilience of Israel’s democracy can be measured by its reactions to these revelations – whether these revelations will eventually lead to some sort of legal reform that will result in better oversight and better safeguards for such fundamental civil liberties.”

Amir Cahane, Researcher at the Center for Democratic Values and Institutions at the Israel Democracy Institute (Courtesy IDI)

8. Who is the Calcalist source?

Calcalist touts its need to protect its source and has neither identified names nor provided corroborating evidence. We do not know the source of these allegations.

The reporter behind the charges doubled down Saturday both on their veracity and on his determination to protect his sources.