Pages

1 September 2022

Stay Calm and Proceed With Caution: The Merari Report on Israeli Police’s Pegasus Scandal

Yuval Shany

On Aug. 1, the Israeli Ministry of Justice published a report written by an official inquiry team appointed to investigate serious allegations of misuse of online surveillance powers leveled against the Israeli National Police (INP) by a series of sensational exposé articles published in Calcalist, a leading Israeli economic newspaper. The ministry’s report repudiated most of the allegations but also identified significant deficiencies in the online surveillance laws and practices resorted to by the INP.

The original story, written in January by Calcalist journalist Tomer Ganon (and reported on in an earlier Lawfare analysis), claimed that the INP—which is a nationwide law enforcement agency dealing with all sorts of criminal activity—has for years carried out warrantless online surveillance operations using a version of NSO Group’s Pegasus spyware. Among the targets, whose cell phones were allegedly hacked, were criminal suspects and witnesses—but also public figures against whom no charges were ever made, including the directors general of the Ministry of Justice and the Ministry of Finance, as well as organizers of demonstrations against Benjamin Netanyahu’s administration.

Whereas the story was vehemently denied by police spokespersons and senior officials initially, it soon became apparent to Israel’s attorney general that there have indeed been instances in which the police used spyware in excess of judicial warrants. As a result, on Jan. 31, the attorney general appointed an official inquiry team to examine the allegations in the Calcalist story, and he ordered the police to suspend its use of spyware while the inquiry is pending.

The inquiry team, composed of Deputy Attorney General for Criminal Matters Amit Merari and two former Israel Security Agency (ISA) officials—Eyal Dagan, the former ISA chief of investigations, and Tsafrir Kats, the former head of the ISA technology section—published an interim report on Feb. 21 and a final report on Aug. 1. The interim report asserted that there is no indication that the police used Pegasus spyware to target anyone without a judicial warrant, including everyone mentioned in the Calcalist report. The final report did identify, however, a series of structural problems relating to the use of spyware by the INP in connection with the exercise of its powers of online surveillance, and made a number of recommendations for changes in law, procedure, and practice.

Israel’s Legal Framework for Online Surveillance

At the heart of the Aug. 1 Merari report is the question whether the use of Pegasus spyware is compatible with Israel’s legal framework governing police wiretapping and search powers. At a more general level, it explores how laws that were developed to regulate police power in the physical world should be adjusted to regulate the use of new digital technology.

Israel has two principal statutes that authorize police wiretapping and search operations, including in computerized systems. First, the 1979 Wiretapping Law authorizes the police to obtain surveillance orders from a senior district court judge in order to covertly access interpersonal communications with the aim of combating crime. In urgent cases, the chief of police may also authorize warrantless covert surveillance, but such authority is subject to review by the attorney general. In 1995, the Wiretapping Law was amended to include, under the scope of communications potentially subject to wiretapping powers, communications between computers. The Merari report explains that the Wiretapping Law only permits surveillance of communications in transit, and that permissible monitoring activity pursuant to it must take place in real time or near real time—namely, it permits interception through surveillance undertaken in close temporal proximity to the time of the communication in question and does not permit the tracing back of the historical record of communications of individuals under surveillance.

Second, the 1969 Arrest and Search Ordinance authorizes the police to seek a search order from a district court judge or a justice of the peace. A 1995 amendment has also expanded the definition of the object of search under this law to computer data. However, as the Merari report explains, unlike the power to conduct surveillance under the Wiretapping Law (which is covert), the power to conduct search under the Arrest and Search Ordinance is an overt power, which involves the physical seizing of the search object (including a cell phone or computer). Moreover, in relation to digital communications, the focus of search powers under the Arrest and Search Ordinance is stored communications, not communications in transit.

The police may also seek to obtain from the courts associated powers necessary for exercising search and surveillance powers under the two mentioned laws. These include the power to access places in order to install wiretapping devices (Section 10A of the Wiretapping Law). There is no clear precedent on whether this associated power includes the authority to remotely access a computer system using a spyware program. A 2014 draft bill that was intended to authorize the police to seek judicial warrants for remote search in computers—which could have clarified the legal situation pertaining to the use of spyware by the police—was never passed.

The Merari Report

The 98-page final report issued by the Merari inquiry team reaffirmed the findings of the interim report, in which the team debunked key parts of the Calcalist story. The final report confirmed that the INP uses a version of Pegasus spyware called Saifan (Hebrew for “gladiolus”) as well as a few other spyware programs, though they are used less frequently than Saifan. Still, the report maintained that, after working with software firms to examine different spyware audit logs—to which the police have no access—there was no indication that the programs were used in order to conduct warrantless online surveillance. To the contrary, all recorded uses of spyware were directed against individual targets for whom judicial wiretapping warrants had been issued. There have been, however, four instances identified in the report where Pegasus was used on cell phones of persons targeted by wiretapping warrants in excess of the terms of the warrants (for example, in connection with a warrant issued for telephone surveillance and not computer surveillance, and in respect to periods of time beyond those covered by the warrant).

The team’s more serious concerns pertained to the mismatch between the legal powers of the police under Israeli law and the technological capabilities of Saifan. Whereas authorized wiretapping can only apply prospectively to communications falling within the period designated in the warrant (and that period cannot exceed under law three months), the Saifan system can collect communication data generated before the date of its introduction to the target’s cellular phone. According to the report, the police occasionally used this capacity for retrieval of old communications in order to access communication data generated between the date on which the warrant was issued and the date on which “infection” by the spyware occurred. The Saifan technology can also collect personal information that does not qualify as communication data under the Wiretapping Law, such as lists of contacts, phone calendar data, phone notes, and a list of downloaded apps. The report finds that until 2020, when a technological upgrade was installed that allowed for more focused searches, such information was often collected by the police, but not processed further. The one exception in this regard was the list of apps reviewed by the INP Cyber Unit to ensure that no anti-spyware apps were installed on a target’s cell phone.

Although the inquiry team accepted that the police did not intend to exploit the gap between its legal powers and the technological capabilities of Saifan, and that it operated on the assumption that standing orders and procedures relating to nonuse of the collateral information collected would prevent such exploitation, the team recommended that the INP’s continued use of Saifan be subject to a technological manipulation that would block its capacity to collect legally impermissible data. It also recommended that, instead of a human-run review of a list of apps on targets’ cell phones, a computer-based review should be utilized in order to identify any impediments to spyware installation. Furthermore, it suggested a more detailed format for spyware usage reports, so as to facilitate closer review of their compatibility with legal requirements.

Other specific recommendations found in the report dealt with improving the relevant INP standing orders and procedures; strengthening review of surveillance operations by police legal advisers and the attorney general; developing new procedures for the removal of stored communication data and for limiting unnecessary exposure to data by technology experts involved in the collection operation; as well as improving the judicial warrant application forms—including specification of the kinds of communication data sought and the methods used to obtain it—and judicial training relating to new surveillance technology.

At a more general level, the inquiry team expressed concern about the INP’s introduction of Saifan and other spyware programs without having consulted with the the police department’s legal advisers and the office of the attorney general: “There are issues which require explicit knowledge and involvement of the Police legal advisors that were not brought to their attention. … [T]he manner of use of the system and the potential of the system’s capabilities to deviate from legally authorized powers were not brought to the attention of the office of the attorney general” (translated by the author from the original Hebrew). It recommended that any future introduction of new technology by the police that has the potential to exceed legal restrictions be made conditional to authorization by the attorney general. Furthermore, it recommended legislative reforms that would specifically regulate spyware and ensure that it is subject to proper safeguards and review procedures.

Is the Response Sufficient?

The Merari team was set up by the attorney general during a time of a severe crisis in which public trust in the police had sunk to a new low. From the government’s point of view, the main significance of the team’s work is that it was able to produce two reports rather quickly that credibly refuted the most damaging parts of the Calcalist story concerning the alleged existence of a widespread practice of warrantless use of spyware for online surveillance. It is noteworthy that Calcalist retracted some of the more sensationalist parts of its story after the interim report was published.

Still, the Merari team confirmed some important parts of the Calcalist story: most significantly, that the INP uses NSO spyware against Israelis without a clear legal basis. Indeed, prominent experts in Israeli privacy law have maintained that given the dramatic impact of such technology on the right to privacy, the police cannot justify the utilization of spyware on the basis of existing legislation developed with much less intrusive technology in mind.

The Merari team did, however, downplay the problem of the Israeli police’s lack of specific legal basis. A legal annex to the report claimed that (a) the difference between spyware and other surveillance technology has to be reviewed on a case-by-case basis, since different spyware programs have different features and privacy implications and (b) Section 10A of the Wiretapping Law, providing the associated power for “entry into in a place” in order to install wiretapping devices, can be reasonably construed in a purposeful manner so as to authorize intrusion into a computer system from a distance using spyware. While specific legislation regulating this power remains preferable, the team was of the view that the police cannot be left, at present, without this critical tool, especially given the dominance of encrypted digital communications in the organization and execution of criminal activity. This is, by far, the most controversial part of the report, and the matter will likely need to be settled in litigation before the Supreme Court of Israel. It would not be surprising, based on the court’s recent jurisprudence on phone searches, if it sides with the Merari team and not with the report’s critics.

After refuting the dramatic allegations found in the Calcalist story that the INP routinely operates outside the framework of the rule of law, the Merari team zoomed in on other important yet less sensational issues, such as occasional use of spyware in excess of the specific authority granted, structural gaps between law and surveillance technology, limited legal controls, and the like. Its policy recommendations are hardly revolutionary in this regard: Technological fixes, clearer procedures, and stronger legal controls are a few suggestions. The team did not express a view on the ideas presented by some of the witnesses who testified during the investigation, some of whom demanded the establishment of a new signals intelligence commission comparable to the British Investigatory Power Commission (which replaces ordinary judicial review of online surveillance with independent expert review) and a general duty to be retroactively informed about online surveillance operations.

The report’s most far-reaching recommendation is the call for new digital surveillance legislation—but the effect of such a call is offset by the legal conclusion that existing law authorizes the (cautious) use of spyware. Furthermore, since a 2014 draft bill included a controversial power to conduct remote search of stored communications, it is not clear whether new legislation would increase protection for individual privacy rights or erode them further.

No comments:

Post a Comment