Use of Pegasus Spyware Against Israeli Civilians
On January 18, 2022, an investigation carried out by Calcalist (an Israeli business news source) revealed that the Israel Police are using NSO's Pegasus spyware to hack into Israeli citizens’ phones, including those of activists. In response, ACRI claimed that the use of Pegasus spyware and hacking demonstrators’ and dissidents’ cell phones, as in the darkest dictatorships, is illegal and necessitates an immediate in-depth investigation. ACRI Attorneys Anne Sucio, Avner Pinchuk, and Gil Gan-Mor promptly appealed to the Attorney General, demanding that police use of the spyware cease immediately. They stressed that the police lack the legal authority to use the spyware, and that its use for interrogation purposes constitutes a grave violation of the fundamental rights to privacy, due process, dignity, and freedom of protest.
The appeal notes: "Hacking into a mobile phone through the use of Pegasus spyware enables access to personal and sensitive information from the past, present, and future: including geopositioning data, location, and network traffic, content data, and wiretapping, including an ongoing search of the mobile phone – all of which are restricted by explicit and unique legislation and require a judicial warrant. In terms of the scope and quality of the violation of privacy, with Pegasus, the whole exceeds the sum of its parts, and is a mere step away from ongoing tracking through implanting a chip into the body being tracked. Thus, hacking and remotely taking over a phone without explicit Knesset authorization, all the more so, waves an illegal red flag."
The police and NSO officials’ responses to the Calcalist Investigation revealed that phone hacking is carried out after a wiretapping warrant is issued. As a result, on January 19, 2021, we appealed to the State Attorney along with the nonprofit Privacy Israel, requesting that a comprehensive examination be conducted into legal counsel and police representatives’ conduct in requesting wiretapping warrants; the question of authority to request a remote hacking warrant through the authority to request a wiretapping warrant; and the nature of the information provided to the court at the time of the request.
In the letter, ACRI Attorney Gil Gan-Mor and Privacy Israel Attorney Naama Matarasso addressed the huge difference between wiretapping and remotely hacking a phone, which can lead the police to all aspects of a suspect's life, far beyond what is permitted through a wiretapping warrant and what is required to investigate a suspect. This invades realms within the bounds of the right to privacy while severely and extensively violating third parties as well. We warned that in light of police officers’ strong desire to crack a case, and when the necessary evidence is just a click away, there is growing concern that technological means will be used improperly, especially when the means exist to retroactively whitewash the search. We thus claimed that even according to the most lenient interpretation, we are of the position that the court does not retain the authority to warrant wiretapping through use of this technology. A warrant that involves wiretapping through use of remote hacking spyware is a warrant that requires explicit legal authorization following a public hearing, including unique protections to prevent misuse and information leakage.
The Attorney General’s response noted that the police operate in the cyber field within the framework of its legal bounds and solely on the basis of judicial warrants.
It is worth noting that in response to the Calcalist Investigation in the media, police representatives claimed that Pegasus was used by virtue of the Wiretapping Law, yet the Attorney General’s response (which was subsequently amended) noted that use of the tool was authorized by virtue of the Criminal Procedure (Enforcement Authorities – Telecommunications Data) Law 5768-2007. We are of the opinion that this law does not grant the police authority to use Pegasus spyware, as it enables receipt of telecommunication data (location and network traffic data) without permitting receipt of content data, such that in accordance with the law, receipt of telecommunications data is permitted whereas phone hacking via spyware is not.
Ahead of a discussion by the Knesset Public Security Committee on the matter, we appealed to the committee to establish an independent commission of inquiry, to examine the activities of the police SIGINT (Signals Intelligence) unit and all use of spyware, including (but not limited to) the cases and practices noted in the investigation.
On February 10, 2022, we appealed to the Attorney General yet again, demanding that use of Pegasus spyware cease immediately. We claimed that the police lack the authority to use spyware, such that its use is illegal and unacceptable. Whether this is a matter of individual cases or a method; whether all, or only some, devices were hacked by virtue of a court wiretapping warrant; and even if spyware was solely used for wiretapping – there is currently no legal basis that permits hacking phones by means of spyware, such that it is prohibited and should not be permitted under any circumstance.
On August 1, 2022, a report was published by the investigative team established following the affair – the Investigative Team on Wiretapping Telecommunications Devices (the Marari Report). In response to the publication, ACRI noted:
“This is a severely grave report that indicates significant failures in police conduct and, as a result, a grave violation of suspects’ privacy and rights. The team determined that the police extracted information from phones that had been hacked via spyware, in violation of the law and judicial orders.
There is an inverse relationship between the conclusions of the report and its recommendations, which permit the ongoing use of spyware on the basis of the existing legislation.
The police lack the authority to hack mobile phones with spyware for wiretapping purposes, and ACRI calls on the Attorney General to continue to prohibit the police from using this system. Should the Attorney General permit the police to continue using spyware without explicit legislation, ACRI will consider appealing to the High Court of Justice.”
Following the publication of the report, along with Tel Aviv University’s Privacy Clinic, we appealed to the Attorney General and claimed that the police should be prohibited from using spyware such as Swordfish, which is a diminished version of Pegasus. Among other things, we explained why it is not possible to use spyware on the basis of the existing wiretapping law and wrote that use of spyware leads to grave violations of privacy and requires explicit legal authorization. We claimed that the requirement for explicit legal authorization must be substantive and not technical, and its aim is for decisions on new technological measures to be made by elected officials following public debate and not by the police in the dark.
2. Use of Pegasus Spyware Against Palestinian Human Rights Activists
Approximately two months prior, on November 8, 2021, we had already appealed to the Attorney General following publications according to which Pegasus Spyware was installed on the phones of Palestinian activists working for human rights organizations in the occupied territories. We called on the Attorney General to investigate whether the Israel Security Agency (ISA) or another government agency is behind the hack, and to order immediate cessation of the use of the spyware.
ACRI Attorneys Gil Gan-Mor and Roni Pelli wrote that should the ISA or another government agency be behind the phone hacking, it would entail crossing a red line, and an illegal and unacceptable move. Pegasus spyware severely infringes upon basic rights, including freedom of association and freedom of expression. It does not pass the proportionality test, as it enables the most extensive collection of information and an extreme invasion of privacy, not only of the person being tracked but also of many others who are in contact with them. The intensity of Pegasus' invasiveness even makes wiretapping pale in comparison. Tracking human rights activists is particularly grave. The appeal further notes that the authority of security agencies operating in the occupied territories is restricted by international law and human rights conventions.
Attys Gil Gan-Mor and Roni Pelli noted: "Over the course of the past year, there has been growing evidence of the use of Pegasus spyware against human rights activists, dissidents, and journalists, and the suspicion that Israel has joined countries that persecute human rights activists through dubious means of espionage should concern anyone who values individual rights. It is hard not to suspect that the fact that Palestinian human rights organizations are working in the international sphere to expose Israel's human rights violations and oppose the ongoing Israeli occupation, is what leads to the extreme measures being taken against these organizations, and should authorization indeed be granted for use of Pegasus spyware, it would require intensive housekeeping. It appears that ulterior motives entirely disrupted the ruling in this case. We expect Attorney General Mandelblit to draw a bright red line."