Instead of dealing with legislation, we should be changing the paradigm: Enabling the police to use anti-terror technologies is akin to allowing it to use cluster bombs instead of batons. Internal policing should not conduct sweeping searches.
The Pegasus affair refuses to go away, and everyone is talking about the need to amend current laws and bring them into the 21st century. This indicates that very soon we will see bills that propose giving a stamp of approval to technologies such as Pegasus so that, heaven forbid, the police do not end up having to use such technology without legal approval. We believe that this is a serious perceptual error. The debate as to how to define the Pegasus software in legislation and when it may or may not be used misses the point entirely.
First, because technology will always be a step ahead of legislation: Today, the issue is Pegasus; tomorrow, it will be some face-recognition program based on CCTV cameras, with the capacity to distinguish sexual orientation, or an AI-based product that enables the police to establish links between ethnic origin and the propensity for committing financial crimes.
Second, because the real issue is the significance of NSO’s system and the purpose for which it was designed, this raises the question of whether it is right to create a legal basis for the inclusion of such a system in the police’s toolbox. This is not to say that legislation is not urgently needed, but that it is essential to change the paradigm.
Over the last few days, no one has been able to define precisely what the Pegasus software is. An offensive cyber-tool? Not exactly, because it is not designed to paralyze, block or destroy the target phone’s operating system. A digital surveillance tool? No, as wiretapping already covers this. A cyber collection tool? Too broad. Spyware? Too international. On the NSO Group’s website, it describes itself, using neutral terminology, as providing “cyber intelligence.
The issue is that the world of defense intelligence is fundamentally different from that of police investigations. In the military intelligence and in secret services, intelligence work is conducted in part via sweeping searches, that is, gathering data and information using the broadest possible parameters of anything that can be collected, whether manually or by computer, then using analysis tools on the resulting huge ocean of information. The premise is that everything is permissible, as the context is one of operations against enemies of the state and of national security. No particular reason is required to deploy such collection tools, as this is essentially the role of these intelligence agencies. Police investigations work the other way around: They require some firm lead – a complaint, a journalistic investigation, a particular event – from which they are supposed to start. The police do not collect everything possible on the way. Doing so would exceed the powers granted it by law.
CYBERSPACE HAS created similarities between the information-gathering methods used by intelligence agencies and by police investigations, and they both apply similar tools in similar settings now. The police argument is that these technologies already exist: CCTV cameras are there; the Pegasus software is available, so why should we not use all these to make our work more efficient? The answer should not be that the police do not have the relevant powers in law, but rather that these technologies are fundamentally not designed for use by law enforcement and internal policing agencies.
Thus, the NSO affair is not about using technology instead of human intelligence gathering, nor about the fact that this technology was once used only against Palestinian suspects and is now being used against Israeli citizens. Instead, it relates to a substantial leap that the police is attempting to take – from focused and goal-oriented information collection only when it has substantial leads, to fishing-based collection.
Talking about the use of new technologies – such as the Hawk Eye traffic monitoring system, face-recognition systems, or Pegasus – is merely a neutral way of describing this shift from intelligence methods used by the police until now, to intelligence methods deployed by secret services and militaries. Trying to persuade decision-makers that they must allow the police to use new technologies is like requesting that the police be allowed to use cluster bombs instead of batons; to interrogate criminal suspects with methods used against terror suspects; or to comprehensively collect any information that might be useful in the future for applying pressure or for cross-referencing with other information.
Legislative amendments should take into account not just the technologies themselves, but the substantive issue at stake – not just the question of when they can be used and who will provide oversight, but also the principle that internal policing should not conduct sweeping searches.
Dr. Tehilla Shwartz Altshuler is a senior fellow and director of the Democracy in the Information Age program at the Israel Democracy Institute. Brigadier-General (retd.) Itai Brun was head of the Analysis Division of the IDF Military Intelligence Directorate.