For the past decade or so in Israel, law enforcement authorities have utilized advanced digital forensics tools including spyware and AI to breach and search personal computers and mobile phones as part of an investigation. These authorities include the IDF, the Securities Authority, the Tax Authority and — ironically — the Privacy Protection Authority, according to a new research report from the Israel Internet Association.
The report found that over 20,000 search warrants on smart devices (such as computers and mobile devices) are issued every year and that requests for warrants under the wiretapping law receive widespread judicial approval: out of 3,692 requests submitted in 2020, only 26 (0.7%) were rejected. In 2021, the police submitted 3,359 requests for wiretapping, of which 3,350 were accepted, more than 99%.
“These data show the extent of the phenomenon and illustrate the extent and potential of the violation of the rights and civil liberties of tens of thousands of people per year,” states the report. “The circle of harm of advanced technologies for penetration and search in mobile phones is not limited to the person being investigated, given the fact that these devices often store information and sensitive data of third parties, such as photos or videos documenting innocent parties not involved, such as spouses and children or correspondence and internal information of organizations and companies. This is a huge number of citizens who are affected by the police use of these technologies.”
Access to everything
According to the report, the information that these investigation tools can unveil is as bountiful as it is granular. By utilizing them, law enforcement bodies can extract records of when software and applications were installed, used and deleted; how frequently a device was used or even turned on or off; when a user read any specific message, whether and when a connection to Bluetooth or Wi-Fi devices was made, their search engine history on the device and more.
Correspondence data, photos and videos, contact lists, browsing history, location data and, in many cases, access to remote services such as social networks and cloud services are all open to inspection by the authorities using these tools. The report warns that even deleted data isn’t necessarily safe from prying eyes, as traces of deleted files can often be found on the device itself or on cloud backup services.
Law enforcement’s use of spyware
The report states that the Israel Police carries out penetration, hacking, searching, listening and copying of material not only through physical seizure, but also through remotely installed spyware, which allows full access to the content stored on a PC or smart device over time, as well as tracking its continuous use, performing software operations or activating the hardware without the user's knowledge.
Not only is this a breach of privacy, but it may also hamper the device owner’s security against cyber threats. “Since penetration into a smartphone using spyware is done covertly, performing a penetration or remote search involves changing data and neutralizing or bypassing the information security systems built into the device's hardware and operating system,” the report reads.
Artificial Intelligence joins the fray
While past years may have required either a lot of time or a lot of people to slog through the tons of data made available by these digital investigation techniques, the recent advancement of AI technology and machine learning has made it possible to process the information at an unprecedented pace, even generating automatic insights and presenting patterns that may not have been discoverable by human investigators.
The report points out that the use of machine learning will require policy makers — should they see fit to address the issue with more depth — to deal with the “general risk of bias which characterizes many of the enforcement authorities' use of artificial intelligence and machine learning technologies,” as well as to address the issue of authorities’ limited ability to trace the sourcing behind the AI-generated insights.
The current system harms minorities
The report offers a harsh criticism of the law enforcement system’s oppression of minorities. It states that while the Supreme Court ruled that it is impossible to force consent, explicitly or indirectly, populations who are subject to “excessive policing in Israel, such as Ethiopians and non-Jews,” may be less likely to refuse their consent to be investigated with these tools, due to “a sense of threat or an extreme asymmetry in powers and status.”
“Therefore, the extensive use of investigative authorities in Israel in penetration and search technologies on smart phones particularly harms disadvantaged populations or minorities [...] and in poor populations from the whole of Israeli society - all their online activity and the data and personal information they accumulate are based on the smartphone, in the absence of a personal computer,” the report reads.
How to fix the problem
In recent years, Israeli courts have recognized that law enforcement authorities’ intrusion into citizens’ smartphones allows unprecedented access to personal and sensitive information, and that the state’s antiquated search laws do not include adequate supervision and review against the excessive use of these tools. Despite this, the laws regarding their use have not been updated, and at present, all of the above methods of data surveillance and investigation are permitted within the legal system.
The report calls for public and legislative attention to address several concerns. One of its primary points is that there is no limitation to the kinds of data extracted for an investigation. Unlike a search in the physical space which is limited to relevant materials, a cyber investigation enables authorities to access any and all information stored on a given device with no limitations.
“The need to update the legal framework and procedure for using technological means to penetrate and search mobile phones is especially burning today, in the era of cloud computing, since the ability of law enforcement bodies to penetrate and search cloud accounts accessible from the device is a huge expansion of investigative powers and its penetration,” the report states.
The report also points out that it is problematic that collecting social media account information, email records, medical and financial information, and cryptographic assets does not require separate warrants or a special investigative program.
In summary, the report’s authors recommend the following points for legislators to address:
- Increased obligation to document the activity of forensic tools for hacking and searching smart devices
- Obligations regarding the handling of information collected from smart devices
- Determining transparency obligations on (non-security) investigative authorities that operate technologies for penetration, search and copying from personal devices
- Regulating the relationship and access to data between investigative authorities and forensic technology providers
- Limiting the power of "consent" to search mobile phones and cloud resources in the absence of a court order
Per the report, addressing these issues properly may yet ensure “A balance between the public interest in the search for the truth and law enforcement and the fundamental rights to privacy, due process and human dignity.”
The threat posed to digital privacy by Netanyahu's legal reform
According to some legal experts, the "legal reform" proposed by the new government — which would significantly reduce the authority of the Supreme Court, among other things — could very well prevent any kind of legislative advancement toward greater privacy protection.
"It may be premature to contemplate how the 'New Regime' will address the bleak findings discussed in the report. Yet, [based on] the basic tenets of the 'reforms' promoted by Prime Minister Netanyahu, the Justice Minister and the National Security Minister, one should not be overly optimistic with regard to the future of protection of privacy in this day and age, to say the very least," warned Amir Zolty, partner and head of hi-tech practice at Lipa Meir & Co.
"With the assumption of powers by the National Security Minister, the disarmament/castration of governmental legal counsels, the restrictions on judicial scrutiny, and the judiciary committee packing (and the resulting Supreme Court packing), the shift towards the interests of the executive branch — and away from the personal rights and interests of the citizens— seems almost inevitable," Zolty said.
"With very few internal and/or external restraints, checks and balances, and with a much more 'sympathetic' (or subdued) judiciary, one may expect that systemic and robust invasion of privacy, in the name of national security, shall become the prevailing norm."