NSO in Israel: Would You Let the Police Handle Uranium?
NSO-Israel Police affair proves we need to rethink the way we oversee surveillance technologies. The solution: Israel needs a privacy czar
If the reports are correct about the Israel Police's use of the NSO Group's Pegasus spyware to surveil Israeli citizens, including protesters and mayors, and in general, "fishing" for potential suspects, this is the biggest scandal since it was revealed that authoritarian states across the world acquired the spyware and have used it for similar purposes.
It turns out that the restraint required in order to refrain from the abuse of such technology is in short supply these days - and this is as true in democracies as it is in authoritarian states. The technology is out there. The real issue the NSO-Israel Police affair poses, therefore, is primarily one of oversight. The bigger underlying questions it poses are: who knows about its uses, who approves them, and how.
In their response to Tomer Ganon's investigative report in Calcalist, the Israel Police reported that everything had been approved by the Attorney General. The relevant department in his office authorizes, guides and sets the limits for various state agencies to use privacy infringing technologies (smart security cameras in cities, hospitals and public-transportation lanes, the "hawk eye" license plate recognition system, and so on ).
These internal guidelines are provided in the absence of any explicit statutory authorization for use of such technologies by state entities. There is some rationale to this, since technology changes and advances rapidly; the Israeli Privacy Protection Law is outdated; and in any case, the law enforcement and security agencies are exempt from its provisions. However, this does not excuse the fact that there is no other form of real oversight or legal restrictions on tech that gives the government access to citizens' biggest secrets.
Israel’s relevant legal framework, which includes the Wiretapping Law, the Communications Data Law, and the criminal procedure ordinance (which covers digital search warrants), simply cannot be expected to cover all cases and scenarios of potential use. The collection of data from open sources (OSINT, or open-source intelligence) or hacking for the purpose of data collection (as with Pegasus) all fall beyond its scope.
As a result, the ad hoc existing legal framework is open to different and creative interpretations. For example, though it’s a good thing that the police do not decide on such uses themselves, but rather turn to an outside entity – the Attorney General - it is clear the current system is failing. The golem has turned on its creators. The breadth and depth of the guidelines issued by the Attorney General have turned them into a de facto constitutional court.
Moreover, in recent years there has been a protracted struggle for freedom of information due to the Attorney General’s stubborn refusal to make these guidelines public. As a result, the department ends up approving the use of surveillance technologies that are not explicitly authorized by statutory law, with neither transparency nor public oversight. The Calcalist report demonstrates that the idea that the Attorney General's staff can rein in, all by themselves, the police’s attempt to make excessive use of surveillance technologies, is both naïve and full of hubris.
Naïve- because as we know, even if a statutory spyware warrant system for such activities was in place, the judges would approve an overwhelming majority of police warrant applications. Overly confident- because the courts cannot provide us with a broad view on questions regarding the different applications' uses, of what is ultimately done with the information they collect and where it then goes.
Last week the Supreme Court ruled on the admissibility of a warrantless cellphone search that was made on the cellphone of Jonathan Urich, an advisor to Benjamin Netanyahu. The decision, which now allows the police to present information acquired by an unlawful cellphone search as admissible evidence in a criminal trial, creates an additional incentive for the police to continue its sniffing and probing.
The upshot of all this is that the need for comprehensive oversight of digital data collection by law enforcement is now clearly acute. An independent agency – a commission to oversee online surveillance powers– must be established, with two purposes.
First, such a body will have access to data and to data systems, in order to review what the authorities are collecting and to guarantee that they do not collect, store, examine or analyze, anything prohibited to them. Second, the commission shall serve as an additional barrier, a “double lock”, when it comes to how such requests for court orders for data collection can even be made. For example, the police will need to get authorization from them before it can apply to the courts for such surveillance orders.
An oversight commission of this sort will be fully informed on the big picture issues of privacy and could thus be charged with holding the authorization powers over all online surveillance warrant applications. It will also function as an ombudsman, serving as the body to which state employees and citizens who fear that abuse of surveillance powers is taking place can go to complain. The U.K. and the Netherlands already have such bodies. Such an oversight body would be manned with experts of varied backgrounds - law, intelligence and technology, and headed by a person with the legal competence of a senior judge.
For now, without such a mechanism in place, it is clear: The current system of gatekeepers has failed to stop or reign in the state thirst for data. This current scandal involving the police and NSO should serve as a dramatic wake up call for citizens and lawmakers alike: Data is like uranium. It has great power and value, but it is also radioactive and extremely dangerous when it falls into the wrong hands.
The article was published in Haaretz.