Over the last few months, the Knesset’s Constitution, Law and Justice Committee (“Constitution Committee”) has been convening sessions to discuss the regulation of spyware. It is a response to the ongoing fallout over the Israeli police’s use of the spyware Pegasus (“Saifan” in its local iteration) to surveil Israeli citizens, including political activists. After journalist Tomer Ganon broke the news last year, the Attorney General ordered the police to suspend the use of the technology while an inquiry team, headed by Deputy Attorney General for Criminal Affairs Amit Merari, looked into the allegations. The resulting “Merari Report” highlighted a multitude of troubling developments in the interface between law and technology.
In this post, we offer an overview of current Knesset discussions; the contested legal grounds on which the Israeli police and Ministry of Justice rely for spyware authorization; and an analysis of governmental procurement of surveillance technology, with particular emphasis on the weaponization of trade secrets to strategically conceal governmental operations. Current public engagement has chiefly focused on the uncertain legal basis for the police’s enhanced surveillance capacities as a result of using spyware. However, this is not the only concern with the use of technologies as advanced and powerful as Saifan by public bodies. In particular, we argue that the current combination of outdated laws with nontransparent operations makes public accountability and oversight with regard to how such technology is used intensely and unduly difficult.
Background and Current Committee Discussions
The Merari Report was released in two parts. While the first part refuted Ganon’s allegations “that the Israeli police infected cellphones […] with its Saifan system without a judicial order,” the second part detailed “a series of structural problems relating to the use of spyware by the [police] in connection with the exercise of its powers of online surveillance.”
Many of these were related to the expansive functions of the Saifan technology itself. Its ability to collect not only communication data as defined by relevant legislation, but also any other information that may be found on the infected cellphone (such as contact lists, notes, apps, as well as third party information and meta-data) was of particular concern. Additionally, in an early iteration of the system procured by the police, data collection was not limited to dates set by the judicial warrant. A further concern was Saifan’s adoption into use without consulting either the police’s legal advisors, or the Ministry of Justice. Nonetheless, the report concluded that with the drafting of proper internal procedures and regulations based on the report’s recommendations, the police has legal authority under the 1979 Wiretapping Law to continue using the spyware in their investigations.
Because the Law only grants authority to conduct wiretapping of a conversation (including inter-computer communication), the report framed spyware as a form of wiretapping as long as the communication collected meets the legal restriction of collection of data communication in transit and not at rest (Merari Report, p. 21). In order to further establish authority to use spyware and justify collection of inter-computer encrypted communication, the report leaned heavily on the authority granted by the law to “enter a place for the purpose of installing necessary means for wiretapping.” Based on this auxiliary authority clause, the report concluded that phone hacking for the purpose of spyware installation is the equivalent of entering a “place” (Merari Report, pp. 84-86), an interpretation widely criticized by scholars and civil society jurists. However, even though the report grounded legal authority for the use of spyware in the Wiretapping Law, it also called the Law outdated and incompatible with the pace of technological developments, and urged the legislator to adopt new legislation (Merari Report, pp. 69-70).
Since the report’s publication, the Knesset’s Constitution Committee has convened four times to discuss the report’s findings and further regulation. These meetings focused primarily on facts, such as how many phones were infected with spyware, who within the police and the Ministry of Justice was aware of the acquisition and use of spyware, and what information was brought before the judges approving wiretapping with spyware. In response to the report’s attempt to fit current practices within preexisting laws, MK Simcha Rothman, chair of the committee, criticized the Ministry of Justice and the police for what he described as taking authority that wasn’t granted by the legislature. Recently, following a case of evidence withdrawal due to spyware collection of information beyond the legal scope of the Wiretapping Law, the Constitution Committee called upon the Israeli government to form a governmental commission of inquiry or investigative panel into the use of spyware by the Israel Police.
Despite the importance and validity of the questions raised, no robust discussion took place regarding the basic question of authority. As a result, the Committee did not refute the Merari Report’s conclusion that Israeli law grants authority to install and operate spyware during police investigations. Nor did the Committee engage with the growing problem of governmental actors procuring technology from private corporations, and the increasing use of the trade secrets doctrine to shield the use of powerful surveillance technology from public scrutiny and criticism. Yet, these are central to any attempt at reforming Israel’s legislative framework governing the use of surveillance technology.
Contested Legal Grounds
As previously pointed out on Verfassungsblog, and also recognized in the report, the legal framework governing surveillance under Israeli law is outdated, and therefore unsuited for handling spyware regulation.
In particular, contrary to the report’s conclusion, spyware is not “more of the same”; it cannot be termed simply as a variation of wiretapping. The spyware’s abilities are vast and evasive, and the temptation to use the wide range of data it can collect is huge. Due to these pertinent characteristics, several privacy experts in Israel have contested the justifications provided for the continued use of Saifan by the police without explicit legal authority, arguing that the framework provided by current law cannot bear the expansive interpretation of out-of-date laws provided in the Merari Report.
Moreover, as the Association for Civil Rights in Israel and the TAU Privacy Clinic (which one of us heads) argue in an appeal to the Attorney General, the Merari Report’s interpretation of “place” in the Wiretapping Law “goes too far, is mistaken, and fails to convince… It is wrong to authorize the use of a harmful system via a creative and expansive interpretation of the [auxiliary] authority” (translated by SZ). To insist on firm and explicit authorization in the law is in line with several standing precedents set down by the Supreme Court (e.g. Lam v. Dal; Tel Aviv-Jaffa District Commander v. Israel Internet Association). Even if the law is amended, some argue that Saifan’s technological capabilities require more robust oversight, especially in the interface between public and private surveillance.
Government Procurement of Surveillance Technology
Many of the problems that arise in relation to Saifan are tied to its procurement by the police from a private corporation. It reflects a broader trend, with “government [becoming] increasingly intertwined with the private sector through its regulatory and supervisory requirements, direct partnership with or funding of private entities, and the direct provision of public infrastructure by wholly private entities.” Thus, the “government and the private sector… increasingly […] regard the other as a direct partner in achieving their largely divergent goals” of secrecy and commerce on the one hand and (at least ideally) transparency and accountability on the other. This development has led to conflicts and distortions in relevant legal doctrines.
One such distortion stems from the fact that it is the company developing the surveillance product that often determines its functionalities (especially if that company dominates the market on a particular product). For products like Saifan – where the police had so little input into the development of the product that the version they used could not at first comply with relevant legal requirements – the technology and its capabilities end up determining the policy adopted by the police in conducting surveillance. Later iterations, which are more limited in function due to alterations requested in order to comply with the law, are still anchored in the original product’s scope because the police seeks to maintain as many of the product’s original functionalities as possible.
This phenomenon, i.e. the adjustment of the police’s capacity and authority to match the functions of a particular technology, arguably also affects the legal reasoning used to justify the use of such surveillance products, prospectively and retrospectively. Regarding Saifan, Michael Birnhack argues that, “the [Merari] report interprets the law in accordance with the police’s necessity, but, as the High Court of Justice has very clearly ruled in other privacy cases: authorization is not derived from necessity” (translated by SZ). Saifan is not singular – the Israeli security establishment has already shown its readiness to first implement surveillance technology and only then, when pressed, find justification for it. Policy led by capabilities, rather than by a clearly articulated, publicly debated and balanced framework, runs the risk of unchecked and expansive surveillance by government authorities.
The Expansion and Weaponization of Trade Secrets
Issues arising from procurement of proprietary surveillance technology are compounded by the assertion of trade secrecy, which aids in the obfuscation of technological capabilities and of the possible role the original developer continues to play in policing operations. In April, the Constitution Committee approved the creation of a restricted sub-committee which will be able to hear secret material relating to the ongoing use of Saifan. In previous sessions, the police and the Ministry of Justice claimed that some information cannot be shared in the public sessions for fear of misappropriating trade secrets and revealing operational techniques and procedures.
Trade secrets have been progressively expanding in recent decades, in definition and in scope. Key terms including “secrecy” and “commercial use” have significantly broadened and now apply to almost any form of information related to a business. Additionally, under certain circumstances trade secrets may be kept secret in perpetuity. Due to these characteristics, “the value of transparency is undermined by the commercial trade secrecy doctrine.”
Moreover, claims of trade secrecy are steadily rising “not for the purposes of protecting property against competitors, but in the service of other values, namely concealment from the public for reasons other than harm suffered in marketplace competition.” These reasons include, among others, the delegation of government functions to private entities. It is unclear from the Merari Report how much involvement NSO still has with the day-to-day operations of Saifan, but at the very least a database of surveillance logs is maintained by the company. Under these circumstances, the police does not maintain full independence in overseeing these operations, and the claim of trade secrecy creates only more ambiguity about surveillance capabilities, perhaps strategically so.
These trends are reflected precisely in the police and Ministry of Justice’s claims before the Knesset Committee charged with their oversight. The addition of trade secrets as a claim against transparency (on top of the preexisting opaqueness commonly found in national security contexts) sees the government advance a claim grounded in private rights of action and intellectual property. The logic of these claims is completely opposite to the transparency required of government agencies, especially in a policing context, as they legitimize enhanced concealment while reducing the burden of justification.
Already on shaky legal grounds, the additional cooptation of private claims in service of governmental opacity marks the Saifan saga as a dangerous turn in the Israeli police’s expanding operations targeted at Israeli civilians. This, in addition to the militarization of surveillance and method-creep from the Occupied Territories into Israel, highlights the need for serious revisions to the current legal framework governing surveillance, as well as its methods and justifications. Although the Israel Democracy Institute has offered some preliminary principles for regulating spyware, the road to comprehensive, modern legislation on the matter remains long. Only time and serious deliberations will reveal whether the ultimate outcome will align with all relevant constitutional requisites.