June 18, 2021
Israeli lawyer Eitay Mack on bringing transparency to surveillance exports that threaten press freedom
Israeli companies like NSO Group and Cellebrite market equipment to government and law enforcement agencies to fight crime, yet as CPJ has noted, journalists are vulnerable to the same sophisticated tools if they fall into the hands of repressive governments. NSO’s Pegasus spyware can remotely control a cell phone and its contents, while police say they use Cellebrite’s forensics products to extract the contents of devices seized during interrogation, potentially exposing journalists’ colleagues, family members, and sources to monitoring or reprisals.
When Mack learns that such technology is being used to commit abuses — against journalists or others — he tries to stop its export by petitioning the Israeli Ministry of Defense. The ministry is essentially in control of the industry, he said, through its marketing and license export regime; Mack petitions the ministry to withdraw the relevant license.
His work has had an impact, according to the Israeli daily Haaretz: following Mack’s petitions, Cellebrite said that it would stop sales to Russia and Belarus in March 2021, and in September 2020, said it would not supply the government of Venezuelan President Nicolás Maduro despite previous sales to defense and police clients in the country. An Israeli High Court ruling on Mack’s petition to halt the trade of arms to Myanmar in September 2017 was subject to a gag order and hasn’t been disclosed, according to Haaretz.
CPJ spoke with Mack about his efforts to stop exports of the equipment and bring transparency to an otherwise secretive industry. His answers below have been edited for length and clarity.
CPJ sought response to Mack’s remarks from the Defense Ministry, NSO, Cellebrite, and other entities named in the interview. Their replies are detailed below.
How often do you come across journalists affected by surveillance technologies?
There’s a lot of public interest if it can be proved [that the equipment was used] against a journalist or an activist. But journalists [often] rely on people on the ground with a Twitter or Facebook account, and these kinds of technologies are enabling mass surveillance. If you’re talking about NSO, their system targets [a specific] person each time. According to the company, the list of targets is a few hundred. If you’re talking about Cellebrite, Alexander Bastrykin, the head of Russia’s Investigative Committee said in 2020 that in the previous year the system was used more than 26,000 times in Russia. You connect 26,000 phones, take the information – you control the population.
When you figure out where the technology is going, how do you try and stop it?
I file a petition to an Israeli court. My goal is to cancel the export license given by the Ministry of Defense.
The international media say a lot about the companies themselves, which is very comfortable for the Ministry of Defense. But companies are like subcontractors. The agreements are made between governments and the Ministry of Defense decides which company [gets] the deal.
Even if an Israeli surveillance company wants to cancel services because it got information that the system was being used against journalists or to violate human rights, it wouldn’t be able to, because it would cause a crisis [with a] foreign government.
The Ministry of Defense has an information security unit called MALMAB that terrorizes the companies to warn them against leaking, and there are very few people [internally] with security clearance to access the client list. If NSO or another company says, “We are like a normal international company, we have an ethics board with the greatest minds in human rights that can check our work,” [that board doesn’t] have information about what the company is doing.
How many companies in Israel export surveillance technology?
There’s no way to know, because we only know about the companies you see in the headlines. There is digital forensics, like the company Cellebrite; UAVs [unmanned aerial vehicles]; then the classic surveillance stories like the NSO Group’s Pegasus or PicSix in Bangladesh or the unknown Israeli company in Vietnam.
In 2013 I petitioned the Ministry of Defense to disclose the companies in the defense export register. They [only] gave a few numbers in 2014: there were about 80,000 export licenses and 320,000 marketing licenses. In Israel, there’s a unique marketing license [that companies need to negotiate with] potential clients, then a separate export license… [Through the] marketing license, you are exposing your potential client [to the ministry] which can choose to give this client to another company.
I can identify rifles in pictures on social media, and depending on the model, I can estimate when it was exported, but surveillance systems aren’t physical. With NSO, we don’t know names of their clients, it’s hard to prove. Even with Cellebrite, [which] physically connects to the mobile phone, I only got to know that it [was being used] in Russia and Venezuela and Belarus because [local] authorities announced it.
How is the industry regulated in Israel?
They keep changing the bureaucracy to make people like me waste time. In the case of Cellebrite, the Ministry of Economy should approve [civilian clients]. But they told me [its sales to Hong Kong] came under the Ministry of Defense, according to the [Defense Export Control Law] of 2007 governing defense equipment. That law is very problematic, because the only limit is in case of a U.N. Security Council arms embargo, which is very rare. It’s why we are seeing Israeli defense exports around the world.
[In February 2021] the Ministry of Defense told me they had transferred approval from the unit for defense exports to the director of the Ministry of Defense, because digital forensics [systems like Cellebrite’s] fell under a 1974 order for encrypted items. That order is much worse than the 2007 law, because it allows the director to award licenses as he sees fit.
If two laws apply, why choose the older one? In my opinion, they wanted to widen the discretion [to approve] a company like Cellebrite for political and economic [reasons].
This is what I’m trying to change, to introduce a consideration of human rights and democracy. I don’t think Israeli authorities will do it on their own, and they are used to foreign criticism in international forums. It will only happen with pressure from the Israeli public.
Why are cases you’re involved in often subject to a gag order?
In all petitions on defense exports, the Ministry of Defense asks [the court] for a gag order so that only people who are part of the proceedings are able to know the ruling. [Their] representative is not even ashamed to argue that they want the gag order because they don’t have control of the media.
It’s annoying, in 2021, that they need to keep asking. But [a gag order] has no meaning, it’s like a child putting a blanket over its head and saying it’s night. Under defamation law in Israel you can publish information that is part of the legal process, so journalists [can report on the petitions even if they can’t report on the verdict]. And I’m allowed to say whatever I want, just not what happened inside the court.
What should be happening internationally to improve regulation of this industry?
The global framework is already there. We should think about surveillance [the same way we] think about rifles and classic defense exports. Every time we’re talking about sanctions or an arms embargo, we should be talking about surveillance systems.
There should be more demands about the technology and how it is being used, a lot of details are still unknown. Because of NSO Group’s contradictory responses to the media, we don’t know if they are technically able to dismantle [spyware] if they have knowledge of abuse.
With Cellebrite, the problem in a legal scenario – as far as I can tell – is that the system sucks up everything, you can’t [request one] WhatsApp message. Then are [law enforcement] violating a search order, and what do [they] do with all the information?
It seems that companies – and this is also problem with the Israeli government – they don’t see anything as a human rights crisis, but when they have a huge PR crisis, they are ready to be more transparent.
[Editor’s note: NSO Group has told CPJ that it has used a “kill switch” to shut down its systems in cases of serious misuse, but as CPJ and other groups noted in a public letter to the company in April 2021, the company has been vague about how it terminates relationships with clients. Cellebrite told CPJ that its platform “enables selective extraction of major types of digital sources, preservation, analysis and reporting of evidence to accelerate criminal cases” and that its tools are “designed to limit the analysis to only data that might be relevant to the case.”]
Cellebrite has attracted scrutiny because it is preparing to go public on the New York stock exchange. Could that trigger a PR crisis?
It’s an interesting development [when that happens] because it can bring more normalization to the companies. That could push companies to be more transparent, but I don’t think investors outside Israel understand the risk of being 100% dependent on the Israeli government. If the company can’t get an export license, it’s finished. And investors won’t know what the company is doing. They will read [about] it in the newspaper.
Editor’s note: In response to CPJ’s questions about Mark’s remarks, Betty Ilovici, the foreign press advisor of the ministry of defense, said in a statement via email on behalf of the ministry that the Defense Export Controls Agency supervises exports of dual use cyber defense products in line with Israel’s Defense Export Control Law and international regulatory regimes, and with oversight from Israeli courts and the Knesset. “Human rights, policy and security issues are all taken into consideration,” she said, but declined to comment on specific licenses citing ministry policy. The statement did not explicitly address CPJ’s questions about MALMAB or Mack’s characterization of companies as ministry subcontractors.
The statement also said that Israel “is one of the few countries in the world that require a two-stage licensing process by law. In accordance with the two-stage process, the exporter is required to hold a defense marketing license ahead of any marketing or promotional activity and a defense export license, for the export of any product.”
NSO Group characterized Mack’s statements as “a complete misunderstanding of how NSO operates,” in a statement emailed to CPJ via the Mercury Public Affairs group, but refused to respond on specific points because CPJ declined to identify the interviewee in advance of publication, per CPJ’s editorial policy. The statement added that NSO investigates credible claims of misuse and shuts down a customer’s system if warranted; its Governance, Risk and Compliance Committee reviews human rights and compliance issues, and “takes every possible step to ensure NSO’s technology is sold only to those who use it as intended — to prevent and investigate terror and serious crime.”
Cellebrite said its products “can only be used lawfully — either pursuant to a court order or warrant” and “we do not enter into business with customers whose positions or actions we consider inconsistent with our mission to support law enforcement acting in a legal manner,” noting several layers of oversight, including a board. The company could terminate license agreements and block software updates in cases where the technology is used in a manner that does not comply with the company’s values, it said in an emailed statement via the Fusion PR firm.
Al-Jazeera reported that in 2018 Bangladesh’s army secretly purchased equipment from the Israeli company PicSix to capture communications from mobile phones. Bangladesh’s foreign minister has denied purchasing interception equipment from Israel, according to that report. PicSix did not respond to CPJ’s request for comment submitted via its website.
Haaretz reported in 2018 that Vietnam had purchased an Israeli communications interception system. CPJ called Vietnam’s Ministry of Public Security for comment but the line rang unanswered