Haaretz published two astonishing reports over the past few days about Israeli cyber-security. In the first. it broke a story noting that Israeli police have for years required all internet service providers (ISPs) to offer a backdoor to access the accounts of every Israeli citizen. In addition, police have similar access to every website and may alter the content of any website whose pages are served to Israeli users. Further, none of the ISPs have raised any objections publicly or otherwise to this arrangement. Nor was it ever approved by the Knesset or via legislation. The closest this arrangement ever came to facing any oversight was when the prime minister approved it. Nor do the police have to obtain approval from a judge for any of this.
Many of us complained vociferously about FISA and the Bush administration’s abuse of constitutional protections. We thought the cavalier, opaque nature of FISA applications and approvals was an outrage. We tried to organize to repeal the USA Patriot Act (with limited success). But this news about Israel’s internet permeability goes far beyond anything contemplated by Bush. That’s why I used the term I did in the headline for this post. Permitting police complete access to the private communication of any citizen for any reason or no reason, without any oversight, is the hallmark of a police state.
The problem of course, is that Israel has no constitution, no guarantee of basic rights. Nor does it have a jurisprudence system which can check such excesses. Essentially, compliance with Supreme Court rulings is voluntary. In many cases, the military or intelligence services simply ignore the decisions or interpret them in a way that permits them to continue engaging in the very behavior that was sanctioned.
In the U.S., consumers, privacy NGOs, members of Congress, and telecommunications companies have fought tooth and nail against such a backdoor. Apple has refused to help the FBI access the electronic devices of criminal and terror suspects for fear that it would decimate the overall security of its devices for all users. NGOs believe rightly that creating such backdoors will permit law enforcement to ride roughshod over individual rights, including the right to privacy.
While the FBI, Justice Department and House Republicans rail about coddling criminals and endangering national security, they are oblivious to the erosion of protections afforded by the Constitution against illegal search and seizures, among other rights guaranteed.
Compare this knock-down-drag-out ‘bang’ to the ‘whimper’ of Israelis when facing the same predicament. This system has been in place for seven years before the public even knew it existed. No one, so far, has appealed to the Supreme Court to stop it. It’s not even clear that it would given its composition includes settlers and a majority of right-wing justices appointed by the Likud.
Cellebrite Boasts It’s Defeated Signal Encryption
The second Haaretz report I mentioned above concerns the announcement by Israeli cyber-hacking company, Cellebrite, that it has broken the encryption of one of the most trusted, secure text messaging apps, Signal. It is used around the world by journalists, human rights activists and others who are targets of intelligence agencies and their repressive governments.
In a subsequently deleted post on its website, Cellebrite boasted that it cracked Signal’s encryption by exploiting the fact that the company’s code was open source. This of course is a clear violation of a developer code of conduct which prohibits someone from taking advantage of the transparency of the code product in order to render it useless.
Cellebrite also offers the usual hypocritical narrative about its practices being entirely legal and transparent, and that it sells its products only to “authorized” customers (whatever that means):
Our technology serves 154 countries and has made convictions possible in more than 5 million cases of serious crime, such as murder, rape, human trafficking and pedophilia. We do not provide information about our clients and their activities. We provide our solutions to authorized agencies only, and apply a range of tools dictating the manner in which they can be used. In addition, we work subject to clear policy and accepted international rules to prevent a business relationship with agencies subject to international restrictions.”
Note that the above blather serves to obscure what some of those “authorized agencies” do with its products. Cellebrite sells to Venezuelan dictator Nicholas Maduro, who uses it to hack the phones of his political opponents. While its sales began by targeting national government agencies, it has expanded its market to local police agencies, who use the hacking devices for every purpose imaginable.
As a encryption expert explained to me, UFED devices need physical access to a cell phone in order to hack into its contents. You cannot do so remotely as NSO’s Pegasus tool does:
Cellebrite can only decrypt messages with physical access to a device, this is rendered moot when you enable disappearing messages and complete a full power cycle (turn the device all the way off then on again)
This Reddit thread explores the Signal app and general encryption issues in more detail, and offers skepticism about Cellebrite’s claims. The question arises: did the company exaggerate in order to promote sales of its products? Or has it done what it claims? The latter seems unlikely.
The company until recently offered it devices to China, which used them to spy on Hong Kong human rights activists, who are desperately trying to maintain their democratic system in the face of a massive Chinese onslaught. Only after Israeli human rights lawyer Eitay Mack exposed these sales did Cellebrite cancel its contact.
The corrupt Belarus dictator, Aleksander Lukashenko has purchased Cellebrite gear for his secret police, who use it to intercept personal communications of protest movement leaders attempting to overthrow him after decades in power. When Eitay Mack called out Cellebrite, it cancelled the Belarus deal.
A recent story noted that a Texas public school resource officer persuaded a high school student to give him his cell phone. The officer used Cellebrite to access all of its content, including deleted texts which incriminated a teacher and sent her to jail. This violates Supreme Court decisions which say that a cell phone is private property of its owner and a search warrant is needed to access it. In this case, the high school student gave his phone voluntarily, so he forfeited his rights. But should a teenager have to be a constitutional scholar in order to protect himself from predatory, snooping law enforcement officers?
In addition, unlike Israeli cyber-hacking companies like NSO Group, Cellebrite’s products are not considered military or security-related. So the paltry oversight NSO faces in marketing its Pegasus cyber-hacking tool is entirely absent in Cellebrite’s case. It faces no government regulation at all. It can sell to anyone, anywhere.
As I’ve written here frequently, Israel exports not just these repressive technology products to the most violent regimes on the planet, it also exports the Israeli system which underpins them. A system in which individual rights are derogated, minority citizens are subject to state-sponsored violence and discrimination; in which the military-intelligence apparatus is exalted on the altar of national sacrifice. The Israeli surveillance state exports itself as a brand along with these invasive products.
An Israeli security source, when approached for a comment for this story, refused to respond.