A Path Forward for Israel Following the NSO Scandal
How can Israel rebuild national and international trust in its cyber industry, and are the steps it’s currently taking enough?
Published by The Lawfare Institute
in Cooperation With
NSO Group was once an Israeli success story and a prime example of the unique Israeli cyber ecosystem that fueled the myth of the “Start-Up Nation.” In recent years, however, it seems that the tables have turned, and NSO has become a symbol of misusing technological tools at the expense of individual human rights considerations. It began with reports about the way in which NSO’s leading product, Pegasus, was misused against human rights activists and journalists. Soon after, hundreds of additional cases from around the world were revealed (including many high-profile figures, such as 10 prime ministers, three presidents, and a king).
Eventually, the NSO spyware controversy reached Israel as well. An exposé by Tomer Ganon, a prominent Israeli journalist, revealed that the Israeli National Police (INP) used spyware purchased from NSO against Israeli citizens. This led the attorney general to establish an inquiry team to investigate Ganon’s allegations. The inquiry team, led by Deputy Attorney General for Criminal Matters Amit Merari, published its report—known as the Merari report—in August 2022. In April 2023, the Israeli parliament took the report into account and launched a series of discussions on the NSO scandal in its Constitution, Law, and Justice Committee. The Constitution Committee also established a subcommittee to dig deeper into the NSO scandal, behind closed doors.
This recent development in the Israeli parliament merits a closer look, to discuss its significance and its possible impact, or lack thereof, in the Israeli cyber industry and the perception of Israel internationally. In particular, it is necessary to explore and discuss whether the parliamentary subcommittee is sufficient to cope with the risks and challenges posed by the offensive cyber industry in Israel.
The NSO Scandal in Israel
NSO Group is a cyber-offense intelligence company, founded in 2010, that is best known for its Pegasus spyware—which allows its operator to tap into and surveil smartphones remotely, with advanced zero-click technology. At the time, the Israeli public assumed that this tool only formed part of the military export industry in Israel, an industry that is important both for Israel’s economy and for the establishment and maintenance of the deterrence and technological supremacy of Israel (a main goal in its National Cyber Security Strategy). However, we now know that this was not the case.
In January 2022, Ganon published a set of exposé articles in Calcalist, a leading financial newspaper in Israel, asserting that the INP deployed NSO Group’s products against Israeli nationals, at times without a judicial warrant. He also exposed the INP for using a sophisticated tool called Saifan, a tailor-made version of Pegasus, to surveil political activists, mayors, heads of local authorities, officials in government ministries, and journalists. This was, and still is, a frightening revelation.
These discoveries did not go unnoticed. As mentioned, on Jan. 31, 2022, the attorney general appointed an official inquiry team to investigate these assertions, led by Merari and made up of government officials from several ministries and fields. The interim report contradicted the major allegations, stating that there was no indication that surveillance technology was employed without a judicial warrant, and added that some of the hacking attempts failed.
The final report came out on August 1, 2022, concluding that all the records of the usages of Saifan were authorized (excluding four cases where the INP overreached the terms of the warrant) but affirming that the INP had knowingly infringed on the law by using wider taps than permissible. The report also confirmed that private data was saved on NSO servers, alongside those of the police, which raises serious concerns regarding data protection and privacy rights.
The report has been criticized, however, for its forgiving approach and soft recommendations. First, the final report suggested some technical modifications to the software, after it was discovered that excessive information was gathered. Second, it recommended the inclusion of a computer-based review to locate impediments, expanding on spyware usage reports. Further, it advocated for new procedures for collection and transferring of data, more specification when applying for a warrant to authorize, and judicial training concerning new technologies. Finally, the report stressed the need to consult with the attorney general in any future introduction of new surveillance technologies.
The Processes in the Israeli Parliament
Now, the Israeli parliament has decided to take matters into its own hands. As mentioned earlier, the Constitution Committee decided to conduct a series of discussions on the conclusions of the Merari report. These discussions have raised public awareness of the scandal and given insight into what actually took place in the relations among NSO, the INP, and the office of the attorney general.
A few weeks ago, the Constitution Committee devoted a series of discussions to the final report of the Merari team. During these sessions, more information came to light as the legal adviser of the police revealed that the police attempted more than 1,000 uses of Saifan, notwithstanding the fact that they did not fully comprehend the full capabilities of the spyware before its deployment, and without any public discourse on the introduction of such an extreme surveillance tool. One would assume that the courts in Israel, entrusted with authorizing the deployment of spyware, would be cautious in authorizing its use. Another important discovery, however, was that out of those 1,000 uses of the spyware by the police, only six requests were denied by the courts. This is an alarming number, demonstrating that the courts seem to favor the needs of the police and raising concerns in terms of safeguarding the possible infringement of core human rights—such as the right to privacy and the right to due process.
Since the discovery of the scandal, it has become evident that more investigation and supervision regarding the deployment of spyware is necessary. Soon after the appointment of the Merari inquiry team, voices in the Israeli parliament emerged, calling to form another commission of inquiry, this time comprising independent reviewers not involved in the day-to-day use of Seifan. This is a critical distinction, since the Merari team was made up of government officials with institutional affiliation to the Israeli police and government at large, such as the attorney general’s office and the Israeli Security Agency.
Amid these calls, the parliament’s Constitution Committee established a subcommittee to supervise and promote the implementation of the report’s conclusions. While it was decided that the subcommittee would operate behind closed doors, in order to have more significant access to confidential information regarding the use of spyware by the INP, the outcomes—even if in broad strokes—should be made public if the parliament wants to help reestablish public trust in the police.
The need to restore public trust is also impacted by other considerations, such as the fact that the spyware was used against key witnesses in the criminal trial of the current Israeli prime minister, Benjamin Netanyahu, over accusations of corruption, abuses of power, and betrayal of the public’s trust. More broadly, one cannot ignore the polarization and protest against the proposed reform of the Israeli legal system. The reform is an initiative that derives from sentiments of bias of the legal system against the right-wing parties in Israel (a political block headed by Netanyahu). However, there have been mass civil demonstrations against the reform and, as we’ve seen in the Thai pro-democracy movement and the Hong Kong protests, movements of civil protest can be particularly vulnerable to the use of spyware .
Moving Forward
While the establishment of the subcommittee is a positive step forward, it is far from enough. The Israeli government could also consider improving transparency and oversight, strengthening institutional monitoring, and joining the international conversation.
Improving Transparency and Oversight
As already mentioned, the committee’s conclusions could be published, in a way that does not reveal confidential data, in order to improve transparency. Transparency is crucial in order to improve the effectiveness of the process, to reconstruct the public’s trust by clearing the cloud of uncertainty hovering around the scandal, and to debunk any conspiracies that can stem from a lack of complete understanding of the incident.
Restricting the work of the subcommittee with confidentiality requirements, without informing the public about lessons learned, inhibits the public’s right to be informed and interferes with the ability of nongovernmental organizations and the media to properly report and operate.
The need for public oversight was expressed by the UN Special Rapporteur on the right to privacy, in their 2018 Draft Legal Instrument on Government-led Surveillance and Privacy. The document details many safeguards such as public oversight, a preauthorization authority, and interinstitutional whistleblower mechanisms. Similarly, the UN High Commissioner for Human Rights emphasized the importance of public oversight on surveillance as a preventive measure against the misuse of cyber offensive technologies, notions addressed in the General Assembly resolution on the matter as well.
Strengthening Institutional Monitoring
More institutional monitoring is needed, especially in earlier stages of software development. Today, technologies with military application are reviewed in Israel only at the licensing for use, marketing, and sale stage, after the software has already gone through several stages of development. The fact that the evaluation of risks occurs so late in the process makes it harder to demand changes in the technology without economically crippling the project. As such, a preliminary and complementary stage of monitoring is required, at an earlier stage in the product’s development. The monitoring body should include various perspectives and disciplines, including ethics, technology, regulation, security, and law.
Joining the International Conversation
The NSO Group scandal is but one facet of the ongoing international conversation regarding the use and misuse of spyware by governments. The EU PEGA Committee, set up by the European Parliament to “investigate alleged infringement or maladministration in application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software,” in its recently adopted report, stressed the need for common legal definitions, guidelines, and regulations. The European Parliament is set to vote on the committee’s recommendations in June. While Europe bolsters its privacy protection and calls for states and international institutions to strengthen their democratic rule of law, it is important that Israel takes similar account of its own shortcomings and seeks parallel solutions as befit its particular issues. This scandal has exposed that Israel, tech hub that it is, is also susceptible to misuse of its spyware. Israel can offer insights from its experience and play a positive role in the promotion of meaningful and effective international regulations for the use of spyware. This will allow Israel to be involved in any future norm-creating process, salvage an industry that is crucial for the Israeli economy, and strengthen Israel’s international status.
Conclusion
As the NSO scandal demonstrates, more oversight on the development and employment of spyware in Israel is needed, and while the establishment of the subcommittee is a good first step, it is not enough. The revelations published by Ganon offer an opportunity for Israel to advance stronger control and supervision regimes, express its commitment to the rule of law, and rebuild the international and public trust in Israel’s cyber industry.