To follow users' online activities, the police demanded in recent years that providers integrate another system into their networks to divert the data of specific users to the police-controlled system. In this way, specific individuals' activities – be it on their computers or cellphones – passed, unbeknownst to them, to the police’s oversight system. The police could thus effectively track the online activity of any Israeli citizen on their radar.
According to the information obtained by Haaretz, the police system goes into effect in two scenarios: First, if police view someone as a suspect, the system will route the suspect's information through their oversight system. Second, when the police want to know who is visiting a specific website or IP address, they divert all the traffic to that site through their system.
“The ability to track traffic to different websites is fundamentally different from the ability to track a specific person,” said one of the sources with an understanding of the technology. “This is a much broader and more severe assault” on individual privacy rights, they said.
This is the same type of system used by virtual private networks, or VPNs, which promise to protect users’ identity but actually collect the data and sell it off to data brokers. This exploit is called a “man-in-the-middle” attack by hackers and cybersecurity experts.
“The police are not supposed to operate in the shadows in such a way, and the fact that the Israeli public has no idea that the police have such capabilities is very concerning,” said the source.
“This system allows authorities to follow everything someone does online, and even permits them to manipulate the website these users visit,” said ethical hacker Noam Rotem from the CyberCyber podcast. “This system allows tracking of each and every citizen or resident of Israel. But it's not just that; the system is built in such a way that it can also follow intentions or motivations, and not just specific people. For example, it can track everyone who visited the website of the protest movement against Prime Minister Benjamin Netanyahu, and can even block the real website and change what people are seeing.”
“People always talk about China as a technological dystopia, but here we see that we live in one too and we just don't know it,” he said.
“A member of Hamas may be presented with the wrong instructions for making a bomb, but a protest activist may be given the wrong location for the carpool to get to a protest,” explains Ran Locker, a cybersecurity researcher and data scientist. “That is the nature of such systems; from the moment they are operational, they tend to be used for every purpose imaginable.”
According to the information obtained by Haaretz, the idea and initial proposal were born after the 2014 kidnapping and murder of three Israeli youths in the West Bank. Senior police officials were concerned at the time that the police did not have advanced technological abilities to deal with such cases, or those related to other crimes, in the future. Haaretz was also told that the initiative to set up such a system was undertaken with written authorization from the prime minister.
According to Israeli law, receiving such data requires a court order, unless there is an emergency. The law’s wording gives the state a lot of wriggle room in how it interprets the Communication Data Law, so that such surveillance is in practice often conducted without court oversight.
A recent study by the Israel Democracy Institute found that legal oversight of surveillance in Israel was “partial” and that the “law exempts defense bodies from requesting a court order, making do instead with authorization from ministers and sometimes from the attorney general.” According to the study's authors, Amir Cahane and Yuval Shany, “Many times in operations targeting criminals, wiretapping is done without a court order, which is needed only in the case the wiretap needs to be renewed. There is currently no oversight of non-urgent uses of this for investigation or general crime prevention.”
In other words, even if the police are operating their system in a way that is congruent with the law, there are still concerns they were conducting such activity without the public’s knowledge.
“Online tracking, inasmuch as it is done, needs to stand on a clear legal footing and be transparent to the public, even if it is in retrospect,” said Yoram Cohen, the head of the Israel Internet Association. “Diverting internet traffic may harm the privacy rights of innocent internet users and impair their access to the internet. The police’s response is very concerning and it is important that the public know about the manner in which this surveillance is being conducted.”
The police refused to respond to a detailed list of questions sent by Haaretz, saying in response that “the Israel Police acts and deploys mechanisms only in accordance with what the law permits it.”
The Prime Minister’s Office did not respond to a request for comment for this story.