NSO Group’s Pegasus spyware, which exploited novel vulnerabilities in both Android and iOS devices to grant attackers full access, has been mired in controversy for over a year now. A new report from an Israeli business newspaper could, if factual, even further escalate the situation. The report claims that Israeli police used the Pegasus spyware on the country’s citizens, including opponents of then-president Benjamin Netanyahu and a number of other targets not under suspicion of a crime.
The Pegasus spyware controversy has thus far been about NSO Group’s failure to follow its own policies in vetting the foreign government agencies it sells these potent capabilities to. A domestic spying scandal would be a new level of malfeasance, and would solidify what were previously murky ties between the government and the spyware manufacturer.
Israeli police accused of tracking political dissidents with Pegasus spyware
The report comes from Calcalist, a Hebrew-language daily business newspaper widely circulated in Israel, and cites anonymous government and NSO Group sources. It follows on the heels of another report published by the paper claiming that the Israeli police are also hiring unaccountable private IT contractors to extrajudicially hack into and spy on domestic targets not being investigated for crimes, using methods unrelated to the Pegasus spyware.
The report on Israeli police involvement with NSO Group claims that Pegasus spyware was deployed against government critics and opponents during the anti-government protests of 2020 that were spurred on by the Covid-19 situation. Protests against Israel’s severe lockdown measures have continued through 2021, sometimes meeting with accusations of violence and excessive force by the Israeli police. The report claims that some protest organizers had their phones infected with the Pegasus spyware by the Netanyahu government in 2020 to keep tabs on them, with the operation conducted without a court order or judicial supervision. The Israeli police special operations cyber unit (SIGINT), whose actions are kept confidential by law, reportedly conducted the operation.
In addition to the domestic surveillance of anti-Netanyahu groups, the report claims that ultra-Orthodox activists protesting the annual Jerusalem pride parade had the Pegasus spyware installed on their phones after the murder of a teenage girl at the 2015 event.
Pegasus spyware also appears to have been used in this surreptitious way in a variety of investigations in which the subject had not been served with a search warrant and the investigation was not being properly overseen by a court. There is evidence that subjects thought to be connected to an investigation, but who were not suspects in it, were phished as part of broad extrajudicial intelligence-gathering operations.
The report cites some specific examples of these warrantless searches and fishing expeditions: the investigation of a sitting mayor accused of bribery, a corruption investigation of a senior politician, at least two murder cases, and a “revenge porn” case that involved intimate photos being put online. In some cases, evidence obtained illegally via Pegasus spyware was later “whitewashed” by having a court issue a specific search warrant to physically obtain it.
Direct ties between Israeli government and Pegasus spyware deepen
Israeli police apparently acquired the Pegasus spyware in late 2013, not long after the product became generally available to the world, and began using it for domestic surveillance in 2015. The government has long required NSO Group to receive its approval to sell to all foreign sources, but was not known to use it in a domestic capacity prior to this report. NSO Group has previously claimed that the software will not work on devices with certain regional codes, including those with Israeli numbers.
The report claims that domestic use of Pegasus spyware was kept quiet for years by confining it exclusively to SIGINT, which would sometimes pass evidence acquired with it on to other Israeli law enforcement arms without telling them where it came from. The Israel Competition Authority, the Tax Authority, and the Department of Internal Police Investigations may have all received evidence of this sort that was not acquired legally and may not have been aware that Pegasus spyware was used to obtain it without a court order.
This relationship also means that the private citizens working for NSO Group may have had highly privileged access to Israeli police computer systems, allowing them to view confidential and secret information in the course of their routine technical support duties.
Israeli police issued a statement in response to the report categorically denying that Pegasus spyware had ever been used in an illegal way, but refusing to comment on “the tools they use.” NSO Group also issued a statement refusing to address its specific clients and reiterating its stated policies about sales restrictions, which prior reports such as the Pegasus Project have thrown into question.
Israeli law does allow Shin Bet, the domestic intelligence agency, to hack phones without court orders but only in cases of terrorist attacks that involve Palestinians, Israeli-Arabs or Israeli-Jews. These investigations must first receive approval from a senior Shin Bet official or an attorney general’s office before proceeding. Digital domestic spying is not supposed to occur outside of these narrow circumstances.