Kobi Shabtai (from right), Amit Merari, Matanyahu Englman, Roni Alsheikh and Omer Bar Lev.

“Prohibited, serious, and offensive”: Comptroller confirms Calcalist’s findings on police use of spyware without approval

In January 2022, Calcalist revealed that police installed NSO’s Pegasus spyware on citizens’ phones without oversight. Four years later, a State Comptroller’s report confirms the investigation’s findings: hundreds of unauthorized intrusions, unlawful collection and use of information, misleading of judges, and a negligent failure of oversight by the AG’s office.

Four years after a Calcalist investigation revealed illegal, unauthorized, and civil rights-violating activities by the police, including the infiltration of citizens’ phones using spyware and wiretapping tools, State Comptroller Matanyahu Englman has published a special audit report on the matter.
The comptroller’s report fully confirms the findings of the newspaper’s investigation and describes the actions of the police’s technological intelligence division between 2015 and 2021 as “prohibited, serious, and offensive.” At the same time, the 276-page report sharply criticizes the oversight system of the then attorney general, headed by the deputy attorney general for criminal affairs, Attorney Amit Merari. Merari also led the team that, after the affair broke, examined the police’s actions, actions that fell under her responsibility as supervisor, and later published what the comptroller describes as a partial and weakened report.
(Photos: Shutterstock AI, Alex Kolomoyski, Ministry of Justice, Gil Nehoshtan, Reuvan Kapuntzinski, Yonatan Blum)
Regarding the spyware at the heart of Calcalist’s investigation, NSO’s Pegasus, which was used for the prohibited and offensive activities against citizens, the comptroller wrote that “the police used it hundreds of times without legal review and approval,” and that this amounted to “the operation of an offensive technological tool without approval and without authority.” The comptroller added that he found “cases in which prohibited actions were taken that violated the right to privacy, due to the production of prohibited products or their use.”
The audit team at the State Comptroller’s Office began its work in February 2022 and concluded it in September 2023, shortly before the October 7 massacre. The team conducted an in-depth and comprehensive examination of the police’s use of 15 tools: nine technological tools for hacking into and listening to citizens’ phones, and six auxiliary tools that assist in the collection and production of information. The main tools were spyware, software secretly and remotely implanted in mobile phones and computers to extract information such as WhatsApp messages, photos, applications, and more, as well as to remotely activate microphones and cameras. Additional tools were used to eavesdrop on voice calls, while others were used to obtain communications data from mobile phones, including location data and usage patterns.
“In January 2022, a series of articles were published in Calcalist, according to which the police used a technological tool (NSO’s Pegasus, T.G.) through which information was obtained that exceeded what is permitted under the Wiretapping Law,” the comptroller wrote. “Given the seriousness of the allegations, the State Comptroller announced the opening of an audit on the subject.”
The comptroller’s report addresses three main areas. The first concerns the police’s intelligence and operational conduct toward citizens. In this area, the comptroller found that there were no organized or proper procedures for operating technological tools. He also found that the police bypassed existing procedures, sometimes even manually, effectively neutralizing technological safeguards.
The comptroller determined that the police exercised powers without internal approval and without judicial oversight, concealed information from the prosecution, carried out prohibited actions while hacking into phones, extracted information unlawfully, and used it without proper documentation. These actions, the comptroller found, led to violations of individual rights, including the rights of minors, citizens not suspected of crimes, and victims of crime.
“A review of the work processes in wiretapping,” the comptroller wrote, “reveals significant and fundamental gaps that led to the execution of serious and harmful actions in the areas of submitting requests, installing technological tools on mobile phones and operating them manually, collecting wiretapping products, producing and using those products, and failing to destroy them.”
The second area examined was oversight by the Attorney General’s Office. Here, the report found that technological tools were neither examined nor properly understood, largely due to a lack of knowledge regarding the capabilities of spyware and wiretapping technologies. Legal advice permitted the use of tools that did not meet the requirements of the law, and the Attorney General’s Office did not proactively request information about how the police were operating these tools.
“The dozens of findings are intertwined, as they stem from a weakness in the relationship between the Ministry of Justice and the police,” the comptroller wrote. “This weakness is reflected, on the one hand, in the failure of the police to transfer sufficient information to the Ministry of Justice, and on the other, in the absence of proactive action by the Ministry of Justice to obtain information about the full capabilities of technological tools.” This conduct, the comptroller stated, led to “a growing erosion of restraint in the exercise of power in the field of wiretapping.”
The third area addressed the adaptation of legislation to the use of technological tools. The report found that existing legislation is outdated and unsuitable for such tools, and that some were used without a clear legal basis, resulting in violations of citizens’ privacy.
The police said in response: “The comptroller’s report deals primarily with events from 2016-2021 and issues that were examined in depth as part of the work of the Merari Committee. All the lessons of the Merari Report, published in August 2023, were implemented and revised following its publication, and the comptroller also refers to this. Since then, improved supervision and control mechanisms, both internal and inter-agency, have been developed and are being meticulously implemented, and work procedures and processes have been clarified.”