The true story of the Netanyahu-Pegasus saga - exclusive

How does the police hacking program work? It takes a lot to hack into a cellphone.

 Opposition head Benjamin Netanyahu at the Knesset, November 8, 2021. (photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)
Opposition head Benjamin Netanyahu at the Knesset, November 8, 2021.
(photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)

After a month of headlines and stories bashing NSO Group’s Pegasus cellphone hacking program, the Israel Police and former chief Roni Alsheich – and of former prime minister Benjamin Netanyahu demanding his trial be halted – another narrative has emerged, The Jerusalem Post has learned.

Whether this second narrative from sources is fully true, partially true or not, it flips the existing narrative completely and leads in a completely different direction.

The pro-Netanyahu, anti-police plot

According to this narrative, for two years, the Netanyahu legal defense team had the recording of the male and female police investigators seeming to admit acting illegally against Shlomo Filber, Netanyahu’s former top aide who turned state’s witness. Releasing the recording was supposed to be the climax of the whole pro-Netanyahu plot to discredit the police and the case against him.

First, they would start with a broader campaign against Pegasus, using the reputable Calcalist publication, which would include Black Flag anti-Netanyahu protesters, Ethiopian-Israelis and mayors, to burn the bridges between the police and a wide variety of players and groups.

An aerial view shows the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel, July 22, 2021. (credit: REUTERS/AMIR COHEN)An aerial view shows the logo of Israeli cyber firm NSO Group at one of its branches in the Arava Desert, southern Israel, July 22, 2021. (credit: REUTERS/AMIR COHEN)

After the public was already up in arms against the police on a broader basis, they sent the recording of the two police investigators to Guy Peleg of Channel 12 and Aviad Glickman of Channel 13. Who better to discredit the case against Netanyahu than two of the leading reporters viewed as close to the prosecution?

In this narrative, it was confusing at first who was behind the Calcalist reports. However, when many of the attacks came out against Alsheich even for the alleged reports of spying against the Black Flag protests, this was an indicator that the main party behind the leaks was the Netanyahu camp.

This became a more likely explanation because Alsheich retired in 2018, and by the time of the Black Flag protests in 2020, Motti Cohen was police chief, not Alsheich. So the focus in the media (seemingly from the sources providing Calcalist and others with leads) on Alsheich only made sense for the pro-Netanyahu camp, which associates Alsheich as the figure behind the Netanyahu cases.

 

The killer Netanyahu case recording

For anyone missing the full transcript of the recording of the two police investigators, it would seem they were talking about Pegasus. The small piece of recording and transcript fed to the media was perfect because it tossed around terms like “illegal” and “outside” (the boundaries of the law, people speculated) when really, outside is referring to talking about what goes on outside the interrogation room.

The entire conversation really was about a new technology to automatically start recording interrogations the second an investigator opens the door of the room.

In the past, investigators needed to click on a button to start recording interrogations, and sometimes they forgot and missed parts of the beginning. This led to complaints of cover-ups by defense lawyers. The new door technology was designed to address this issue.

The investigators were from the Israel Securities Authority, and they were speculating whether it is legal to start recording a suspect when he walks into the room before he sees the investigator has a recording device and presses a button. Whether those investigators are correct or not about the law of the door-activated recording, the entire incident had nothing whatsoever to do with Pegasus.

But it was easy to fool members of the media by releasing the recording along with a separate unrelated transcript in which the police are telling Filber they know everything about him. But the point of that other conversation was that they had a court order and direct physical access to his cellphone without needing to hack. So, yes, they knew everything, but because he had to physically hand over his cellphone.

In this narrative, it might still be admitted that the added hacking of Filber’s cellphone after the police had physical access may have been unwise and not worth the political trouble it is now causing.

Statistically, out of 300,000 cases during Alsheich’s 2015-2018 tenure, the tool was used 90 times, or 30 times per year. It was mostly used in cases against highly sophisticated organized criminals, but is also legally usable under the Computers Law in any case where a felony is committed. That said, from the low statistics, it was reserved for high-profile cases that could not otherwise be cracked.

But out of the 26 alleged names in the Calcalist and the 35 or so names when the Netanyahu cases are added in, only six were ever possibilities, and only Filber was actually hacked in the Netanyahu case.

 

How police cellphone hacking works?

It takes a lot to hack into a cellphone. You don’t just type in the cellphone number and get access to the target cellphone. It is very complicated. You need to check if the technology for the hacking matches up properly, if the specific cellphone has programs that could reveal the hacking attempt and harm the police hacking tool, and then you need to put together a game plan for approval of what you are going to search for and when.

This takes multiple days of planning; it is not something that happens in 10 minutes. There is no going rogue on the side. From the police perspective, it is “an event.”

Although everyone keeps talking about Pegasus, the police do not have Pegasus. They have a much more downgraded hacking program called Ciphon. Pegasus not only gets data from your current cellphone, but all data going back to your first cellphone if you transferred any data at any time when you switched cellphones.

Ciphon can only gather data from now and into the future. It cannot go backwards. It is true that you could get an extra special court order allowing extending the program to go back, for example, for one week. But this does not happen automatically and requires additional planning, programming and court approvals.

By analogy, the same is true with eavesdropping on a phone: You only get to listen in from the point where you started eavesdropping. There is heavy oversight on this. Some police officials might even suggest that these restrictions are too limiting and harm the police’s ability to solve cases.

What if all of the planning for a crime took place two weeks ago, and there were 500 WhatsApp messages then, but now everything is silent? The police hacking program will come up empty-handed. But that is the state of the existing law, and it is respected meticulously.

 

Pre-hacking surveillance

The authority for carrying out pre-hacking electronic surveillance of a cellphone is part of the inherent legal authority to perform any investigation.

Just like a builder must drill small practice holes in a wall before he makes the larger hole, the police never hack to do the real search until after they have done some lower key preliminary diagnostics on the cellphone of the target suspect.

Still, the law does not permit the police involved, let alone the Police Investigations Department, to fully look over the evidence they gather if they later receive legal authorization from the prosecution and the courts.

 

Bugs, copying too much data and erasing hacking logs

All technology has “bugs” that slow things down or send out contradictory commands. Usually, when an individual’s cellphone encounters a bug, the cellphone provider or an already engaged software provider automatically sends an update to fix the issue.

NSO’s hacking technologies do not come from the provider, so sometimes they can encounter or cause bugs or contradictions without a perfect fix. This can accidentally lead to copying additional information beyond what the police were trying to get and beyond the relevant court order. In such cases, the police do not look at the additional information. However, they also do not delete it, because there is always a log that notes what they took.

The police are obligated to maintain the extra information they took in case there is a probe later of what they did and the Police Investigations Department wants to see what data they seized beyond what they were seeking, as referenced in the log. According to sources, the Calcalist story saying the hacking technology could erase logs of what has been hacked is simply wrong.

Why hack Filber’s phone when they already had physical access?

Some sources might admit this was a tactical error, even if not a legal violation. But the way it is explained is that the investigation was a rolling and developing one where the police did not yet know the end of the story.

There was evidence for an indictment at the Israel Securities Authority related to the Tel Aviv District Court Bezeq case, a separate case that predated the Netanyahu Case 4000 Bezeq-Walla Affair but is connected.

Then there was a shocking breakthrough when former Walla CEO Ilan Yeshua came forward. The attorney-general sent him to the police to be investigated and to evaluate his evidence. It was decided to send him to Lahav 433 because if you are recruiting a potential state’s witness, the Securities Authority is not equipped for this.

This eventually led to obtaining Filber’s cellphone and him cracking and becoming a state’s witness. Eventually, the police had everything from his cellphone. But investigators must have wanted to see what else he had on his cellphone at a later date, especially as aspects of his narrative started to be leaked to the media.

But even if this was a tactical error, the additional material was not given to prosecutors, it was after court-ordered access to his cellphone, and it was not used in the indictment.

Every party involved in this saga has an agenda, and the sources who the Post received information from could have one as well. But as time passes without additional proof of the original massive allegations in the initial Calcalist stories, and after the Mossad and Shin Bet (Israel Security Agency) also weighed in and supported the police findings – this narrative will probably only get more and more attention.