An inquiry into allegations that Israel’s police force systematically hacked into the mobile phones of Israeli citizens has found that while the police did use NSO Group’s controversial Pegasus malware, there is no evidence suggesting illegality.
In a series of explosive reports over the last two months, the local financial daily newspaper Calcalist accused the police of spying on at least 26 individuals who were not criminal suspects. Those named included politicians, protesters, and members of the former prime minister Benjamin Netanyahu’s inner circle – claims Netanyahu used to delay proceedings in his corruption trial.
Israel’s attorney general’s office ordered an investigation into the alleged police behaviour last month. On Monday, the Israeli justice ministry contradicted the most serious of the newspaper’s claims, saying an interim inquiry discovered “no indication” that the police had bypassed judicial authorisation in using the spyware.
In two instances, unsuccessful attempts were made to hack the phones of people subject to court orders authorising the tracking of their electronic communications, and in a third case the police succeeded, the probe found. It also said investigators looked into the use of a second type of spyware available to police and again found no signs of wrongdoing.
The announcement still represents the first time the Israeli government has confirmed that Pegasus has been deployed against a citizen.
A consortium of 17 media outlets, including the Guardian, revealed last year that the Israeli-made surveillance product had been sold to repressive governments worldwide and used to surveil activists, journalists and lawyers, as well as government officials and heads of state.
NSO has previously said that all its sales are government-authorised and that it does not itself run Pegasus.
Israel says it has since tightened rules on the export of cyberweapons, and NSO was blacklisted by the US in November.
The Israeli state and private firms have developed sophisticated surveillance systems to monitor the activities of people in the occupied Palestinian territories, where Israel implements military law.
Senior NSO officials had previously said, however, that its software was not authorised for use against Israeli and US telephone numbers – reassurances that subsequently caused public outrage when the Calcalist allegations were published earlier this year. The claims were strongly denied by the police service.
An editorial carried by Calcalist on Tuesday acknowledged that the deputy attorney general Amit Merari’s initial findings necessitated “a review of the paper’s allegations”.
NSO, which has been fighting a mounting tide of criticism, welcomed the justice ministry’s announcement, saying in a statement that the company hoped the conclusions “will result in reporting that no longer relies upon misinformation and political organisations issuing biased and prejudiced reports”.
Questions remain over whether current Israeli privacy law, which came into force in 1981, is fit to handle the technical intricacies of modern spyware. Cybersecurity experts have previously suggested that Israeli court orders are not sufficient for authorising the use of invasive malware such as Pegasus.
Merari’s investigation utilising the technological expertise of the Shin Bet and the Mossad, Israel’s domestic and foreign intelligence agencies, continues.
Her team will examine whether spying software was used without court orders on individuals other than those mentioned in the Calcalist reports, and whether the police exceeded their authority in using spyware on citizens, the justice ministry said.