Exclusive

Israel police uses NSO’s Pegasus to spy on citizens

Mayors, leaders of political protests against former Prime Minister Benjamin Netanyahu, and former governmental employees, were among those tracked by police without a search or bugging warrant authorizing the surveillance

Tomer Ganon 07:0318.01.22
Israel police uses NSO’s Pegasus spyware to remotely hack phones of Israeli citizens, control them and extract information from them, Calcalist has revealed. Among those who had their phones broken into by police are mayors, leaders of political protests against former Prime Minister Benjamin Netanyahu, former governmental employees, and a person close to a senior politician. Calcalist learned that the hacking wasn’t done under court supervision, and police didn’t request a search or bugging warrant to conduct the surveillance. There is also no supervision on the data being collected, the way police use it, and how it distributes it to other investigative agencies, like the Israel Securities Authority and the Tax Authority.

 

Exclusive - Move over NSO: Israeli police is paying private hackers to spy on citizens

 

One of the problematic instances that has been uncovered is the tracking of activists in the protests against former Prime Minister Benjamin Netanyahu while he was still in office. The protests against Netanyahu gathered momentum during 2020 as the Covid-19 pandemic hit the country and the first lockdowns were imposed on Israelis. With the level of anxiety in the Netanyahu government continually rising, efforts were made to reduce the magnitude of the protests through the use of judicial and procedural tools, with police increasing the force and violence against protesters, the leaders in particular.

 

Former police chief Roni Alsheikh (left), NSO founder Shalev Hulio and former police chief Yohanan Danino. Former Photos: Elad Gershgoren and Alex Kolomoisky Former police chief Roni Alsheikh (left), NSO founder Shalev Hulio and former police chief Yohanan Danino. Former Photos: Elad Gershgoren and Alex Kolomoisky

 

But the heads of the political protests had no idea that Israel police had remotely planted NSO’s spyware in their phones, taking over their devices and having the ability to listen to all their calls and read all their messages. The order to conduct the surveillance on Israeli citizens that aren’t criminals or suspects with NSO’s spyware was given by high-ranking police officers without a court warrant or the supervision of a judge. Those who received the order and executed it were members of the police’s special operations cyber unit in SIGINT, whose entire activity is confidential.

 

The political protesters weren’t the only ones the police were tracking through NSO. The Israeli company’s spyware, which has earned a notorious reputation over recent years after being used by oppressive regimes to spy on dissidents, was used, for example, by the police’s SIGINT unit in order to search for evidence of bribery in the cellphone of serving mayor, during the stage in which the investigation was still confidential. The remote hacking delivered in this instance evidence of criminal offenses. This evidence was later whitewashed as intelligence and was followed by an open investigation. At this stage, the evidence already known to police was legally seized with a search warrant provided by a judge.

 

However, NSO’s spyware was also used by police for phishing purposes: attempts to phish for information in an intelligence target’s phone without knowing in advance that the target committed any crime. Pegasus was installed in a cellphone of a person close to a senior politician in order to try and find evidence relating to a corruption investigation.

 

In another instance, police used spyware in a classified stage of an investigation in order to break into the phone of employees in a governmental company, in this case using an explanation that they were suspected of fraud. In other cases, NSO’s spyware was installed in the phone of citizens to try to find and collect data and information that isn’t necessarily connected to an investigation or suspicions but simply for investigators to use this data later on as a means of pressure on people being interrogated.

 

All of these surveillances, as well as those to be detailed later in this article, were conducted against Israeli citizens, without a court order, while taking advantage of a legal loophole.

 

For instance, in one of the cases, NSO’s Pegasus was used by police to hack the phone of another serving mayor, uncovering messages that raised suspicions regarding his relationship with a certain contractor. However, this case didn’t result in an indictment against the mayor. The data, collected by the spyware, remains with the police and that mayor probably has no idea that his messages were ever seized.

 

In some cases, phones were hacked to save the police from doing professional investigative work and identifying proven suspicions. This results in the severe abuse of the privacy of citizens, some of which did no wrong and had no plans of conducting any illegal activity. For example, following the murder of Shira Banki at the Jerusalem pride parade in 2015, police investigators planted Pegasus in the phones of notable activists who objected to the parade and were marked in advance as people who may act violently.

 

Pegasus was also used to solve murders. It helped police, for example, to locate a suspect in the murder case of a businessman. Another case saw police hack into the phone of a person who claimed in talks with journalists that he knew who murdered his relative. The spyware was also used to break into a stolen phone which had on it intimate photos of its owner that were published online. In these cases, the spyware was used in order to solve a specific crime, but also in these instances it was done without any legal approval and with very few people in the police knowing about it.

 

Police first acquired Pegasus from NSO in December 2013 during the tenureship of Yohanan Danino as General Commissioner of Israel Police. The system became operational under his successor Roni Alsheikh, who was appointed as General Commissioner in December 2015 after serving as the deputy head of Shin Bet. Alsheikh was among those who pushed to increase the usage of the spyware, which cost police tens of millions of shekels down the years when calculating its purchase, maintenance, and ongoing usage. The person who negotiated with police on behalf of NSO was then CEO Eran Gorev, who was the representative of investment firm Francisco Partners, which owned NSO at the time.

 

The information acquired by SIGINT was transferred by police to other investigative agencies which don’t necessarily know how the information was seized. For example, the Israel Securities Authority’s intelligence units, the Israel Competition Authority, the Tax Authority, and the Department of Internal Police Investigations, regularly receive information from SIGINT on confidential investigations and even prior to any arrests being made. A police officer receives requests from the different agencies and then transfers them the information, the source of which was at times NSO’s spyware.

 

The acquisition and use of Pegasus also meant that employees of the private NSO were exposed to highly sensitive and secret information held in police computers as part of the technical support the company provides to its clients. The evidence uncovered by Calcalist also contradicts the denials of NSO CEO Shalev Hulio and company President Tami Mazel Shachar in July of last year. After it was revealed that President of France Emmanuel Macron was a potential Pegasus target, the two claimed in different interviews that the company had “chosen not to operate against Israeli and American numbers.”

 

Responses:

NSO: “As a rule, we don’t comment on existing or potential clients. We would like to clarify that the company doesn’t operate the systems held by its clients and isn’t involved in activating them. The company’s employees aren’t exposed to targets, aren’t exposed to information about them, and aren’t involved or exposed to our clients’ operational activity or any information relating to the investigations conducted by clients. The company sells its products under license and supervision to be used by national security and law enforcement agencies to prevent crime and terror in a legal manner and according to court orders and the local law of each country.”

 

A source at NSO told Calcalist: “Without addressing any particular client, the company’s employees don’t have an ability in any shape or form to be exposed to information collected by the client.”

 

Israel Police: “The claims included in your request are untrue. Israel Police acts according to the authority granted to it by law and when necessary according to court orders and within the rules and regulations set by the responsible bodies. The police’s activity in this sector is under constant supervision and inspection of the Attorney General of Israel and additional external legal entities. Naturally, the police don't intend to comment on the tools they use. Nevertheless, we will continue to act in a determined manner with all the means at our disposal, in the physical and online spaces, to fight crime in general, and organized crime in particular, to protect the safety and property of the public.”