top of page
  • Dr. Tal Mimran

Tachlith Institute’s Position: Israel Police Use of Information Obtained from Spyware

By Dr. Tal Mimran

11.06.2023















To

The Constitution, Law and Justice Committee

Headed by MK Simcha Rothman 


Dear Honorable Committee Members,

 

We would like to address recent revelations regarding the exceptional use of information obtained using the Saifan-Pegasus program. As we shall explain, the latest revelation should be viewed in a wider context, the Israel Police’s increasing use of technological means to exercise governmental powers. This trend demands a balance between the interests at hand – national security and technological innovation, versus the desire to protect against misuse of government power that violates individual rights. For this purpose, we propose the institutionalization of two supervision mechanisms: 1) supervision at the technology production stage; 2) Knesset supervision from time to time.   

 

1. Background


A number of recent events create the troublesome feeling that the Israel Police acts with almost no limitation when it introduces and operates the use of technology with far-reaching influence on our lives. Without a doubt, it is important for the Israel Police to enjoy access to advanced technology that allows it to protect the public. Yet still, the exercise of uncontrolled governmental power cannot be accepted, when in practice the Israel Police is turning the State of Israel’s citizens into the guinea pigs of surveillance technology.

 

A central cause for the awakening of public debate is a series of hearings held in the Constitution, Law and Justice Committee: first, a series of hearings regarding the Pegasus-Saifan affair, and most recently a hearing regarding the system to identify criminal suspects in Ben Gurion Airport.

 

With respect to Pegasus-Saifan, we learned that the Israel Police introduced spyware with exceptional capabilities into use, without the system, or the dangers emanating from its use, being properly understood. We also learned that oversight by the State Attorney’s Office, of the spyware’s introduction into use, as well as its operation, was flawed. This crisis occurred because in Israel there are no oversight procedures for technology with security applications, such as spyware, and where there is some sort of supervision it comes only at a later stage, when it is difficult to execute substantial changes to the technology. Accordingly, as we shall elucidate below, a mechanism should be instituted to supervise the development of technologies with security applications, which should be comprised of experts from several areas: ethics, economics, security, law etc.

 

With respect to the system for identifying suspects at Ben Gurion Airport, it was revealed that for years a system has been in operation at Ben Gurion Airport, regarding which there are many unknowns. The criteria under which it operates are unclear to us, as are its success rates, and the manner of supervising its operation. Additionally, it is unclear where the personal information the system analyses is extracted from, and particularly whether it is transferred from government databases only or also from private databases, and whether this is personal information, and if consent has been granted for its transfer. [1] Finally, the system perpetuates, and even increases, the reliance on profiling at Ben Gurion Airport, a system which has not been proven as effective yet violates human rights and may even miss the target for which it is implemented. [2] It is hard to accept a situation where an algorithm makes decisions based on data that is unknown, through a covert decision-making process, and without explaining why a person – at times completely normative – must be detained for search.   


2. The Latest Revelations:


At present, two additional revelations can be added to this worrisome trend. First, the State Attorney’s Office has confirmed, for the first time, that use was made for investigation purposes of materials extracted illegally, within the double murder case of the brothers Shafaa and Saleh Abu Hussein. This evidence was a security camera video, in which three suspects are seen meeting, several hours after the assassination, with the person who ostensibly commissioned it. [3] The video was obtained by infiltrating and extracting information from the cellular device of one of the suspects’ fathers. In light of this revelation, a decision was made to remove the evidence obtained through the spyware, in deviation from the court order. [4] These revelations conflict with allegations made in the Merari Report and the State Attorney’s Office’s reports before this Committee.

 

Secondly, recently Tomer Ganon revealed that the Israel Police purchased from the Israeli cybersecurity company Rayzone a program that enables identification of the location and route of cellular users. [5] It seems the purchase of this tool was not brought before the Attorney General for advance evaluation or approval. This was in violation of the recommendations of the Merari Report, which clarified that the police must make sure the Attorney General’s approval is received prior to the purchase of technological systems with new information collection capabilities, due to the risk of broad violation of fundamental rights. [6] In order to obtain this approval, the Israel Police must present all the system’s settings and terms of operation, along with an explanation of the source of authority the Police relies upon.


3.      The Proposed Response – Oversight Mechanisms:  


The recent revelations testify to the importance of increasing supervision over how new technologies are introduced into use by the Israel Police, aiming to exercise governmental powers against Israeli citizens. This importance becomes even clearer in light of the fact that there is an even greater temptation to use technologies in a climate that is sensitive from a political and security standpoint – as is true in Israel. [7] Accordingly, the existence of balancing mechanisms takes on a greater importance. Below are two possible mechanisms:


3.1  Supervision at the development stage


Article 36 of the Protocol Additional to the Geneva Conventions [8] establishes an obligation to perform an examination of legality of weapons under international law before using or acquiring them, whether from a state or a private company. [9] This obligation also applies during times of peace, and accordingly it is also anchored in human rights law, as well as during times of conflict. In light of the unique challenges of advanced cyber technologies for information collection, which are implemented both by armies as well as on the level of domestic policing, this mechanism assumes increased importance. [10]    

 

The requirement under Article 36 includes offensive cyber tools that can penetrate computer and cellular devices, IoT devices, and more. [11] Therefore, this would constitute both the creation of an incentive and an increase in adherence to international law norms, in a manner that would not deal a heavy economic blow to developers, since this would be done in the initial development stages and before funds have been invested in advanced development. [12] While Israel has not acceded to the Protocol Additional to the Geneva Conventions, it is worth mentioning that there are other states that are not party to the Protocol, yet uphold such an examination mechanism (the most relevant example is the United States). In addition, there is also an obligation under human rights law to estimate in advance the possible dangers of weapons or technology with military applications. Accordingly, Israel still has an obligation to this kind of supervision, even though it is not a party to the Protocol Additional to the Geneva Conventions. [13]


At present, technologies are not examined until a later stage, when it is hard to implement substantial changes in the technology, inter alia due to economic considerations of technology development and the economic benefits of granting licenses to technology as is. Accordingly, a supervision mechanism for technologies with military applications should be institutionalized in Israel, as a preliminary stage before the granting of a license for use, marketing or export. Such a committee should be comprised of diverse figures from several fields: ethics, economics, security, law and more. Such a mechanism would provide expression to Israel’s adherence to its obligations, such as the duty of due diligence, which stems from international human rights law. This position is also supported by the stance of the UN’s Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, in the last comprehensive report it wrote on surveillance technology. [14]      

 

3.2  Parliamentary supervision by the Knesset   


We believe there is room to expand supervision of the development of technologies with military uses, even if the original development is executed for export and sales. Indeed, aren’t recent events a testimony to the fact that other technologies which are produced for marketing and sales ended up in the Israeli market, particularly in the hands of the Israel Police?


We propose establishment of a special subcommittee, under the Constitution, Law and Justice Committee. Indeed, this Committee has recently established a subcommittee to examine the findings of the Task force for Examination of the Pegasus – Saifan Affair, the Merari Report and the implementation of its recommendations. The initiative to establish this committee is an important step, undoubtedly, and the Constitution, Law and Justice Committee’s desire to take a more active role in parliamentary supervision should be welcomed. Yet, this step is not sufficient in itself – especially since the committee is not permanent, along with the fact that its activity is confidential.

 

The spyware market suffers from underregulation, and more is needed than the present step to ensure long-term protection of the State of Israel’s economic and PR interests, alongside advancing optimal protection of human rights considerations. It is well known that in Israel, the offensive cyber industry constitutes a significant part of the basket of military products for export upon which Israel’s economy relies, inter alia. In addition, Israel’s image as a technological superpower is also important for advancing diplomatic relations with states as well as for preserving the balance of deterrence against enemies.

 

Today, the main regulator that supervises the offensive cyber market (and spyware in particular) is the Ministry of Defense, which is responsible for granting marketing and export licenses for these products. Yet, its ability to supervise is limited because it wears two hats (supervisor and potential customer) and because of phenomena such as the revolving door (senior officials within the regulator moving to industry, and vice versa). On the technological level, it is particularly difficult to oversee production, marketing, or use of spyware because it can be duplicated and operated simultaneously throughout the world – unlike regular weapons which are limited to one physical location. In addition, bitter tech company employees could try selling the product on the black market, and it is possible to copy code or develop derivative programs that could lead to malicious harm.

 

The subcommittee established is an important step on the immediate level, but it is impossible to stop at this point. Israeli Members of Knesset bear a very heavy workload – as they must divide their time between several committees and also participate in votes, parliamentary questions, proposals for expedited debates, and initiate private legislation. We acknowledge the challenge posed by adding a special subcommittee, and we even supported removing numerical restrictions from the “Norwegian Law” (amendment to the Basic Law: The Knesset), out of an understanding that increasing the number of Members of Knesset available for parliamentary work is a consideration of the highest degree. Yet, more permanent supervision is still important, of a kind which is not dependent on a revelation of some kind or another, and which is open to the public to the extent possible (due to the importance of transparency for reinforcing public trust).


4. Conclusion

Despite the recent worrisome revelations, until now the Israel Police’s approach seems to have been deflecting claims against misuse of power, and even attempting to undermine those who raise them. This is a troubling approach, which could testify to a problematic organizational culture which suffers from an absence of accountability and an unwillingness to take criticism or accept supervision. After years when the State of Israel experimented with technology at the expense of individual rights, sometimes with a shaky legal foundation, if at all, the time has come to wake up. The course must be reset and clarify – while technology is a an immense impetus of extreme importance, the exercise of power goes hand in hand with procedures for supervision, control, and public debate about the appropriate boundaries that serve to protect individual rights.    


Dr. Tal Mimran

Head of the “Social Pact for the Digital Age” at Tachlith Institute, researcher and lecturer on international law and cybersecurity.


Note – For references cited in this article, see the original Hebrew text.




Comentários


bottom of page