Digital Forensic Technologies used by Israeli Law Enforcement in Smartphone and Cloud Data Searches

In 2023, the Israel Internet Association published an extensive professional review of the digital forensic tools employed in Israel: their capabilities, the manner in which they are used, and a detailed outline of the existing legal framework and police procedures governing their operation.

For the past decade, the Israeli Police and other law enforcement authorities, including the Israel Securities Authority, the Tax Authority, and even the Privacy Protection Authority, have been using advanced digital forensic tools to search personal computers and mobile phones seized during investigations. These tools are able to access a vast amount of revealing data accumulated through everyday use of the device, such as correspondences, photos and videos, contact lists, browsing history, location data, and in many cases credentials for remote services like social networks and cloud data. Israeli courts have indeed recognized in recent years that a more robust legal framework is needed to prevent excessive use of these powerful technological tools and to subject entities employing them to greater scrutiny, yet the laws governing their use remain outdated.

In 2023, we published an extensive professional review of the digital forensic tools employed in Israel: their capabilities, the manner in which they are used, and a detailed outline of the existing legal framework and police procedures governing their operation. Our objective in this research publication is to provide a factual foundation on which decision-makers can base discussion and policy formation, amidst public and judicial calls for the adaptation of search and evidence laws to the current technological reality in the age of the Internet of Things and cloud computing.

The full report (in Hebrew) is available here.

Below, we present the key findings in English.

1. Extraction and Search Capabilities

I.  Overt Investigations (where the device is physically seized)

Personal computers and smartphones store vast amounts of information about their users and environments. This information often includes personal and sometimes highly intimate details. Law enforcement authorities in Israel employ powerful technology that enables them to access, extract and analyze all accessible data from devices seized during an investigation, such as: 

• Data from programs and applications: Most apps and services accessed on smartphones create and store user data – browsing history, medical information, financial information and payment history, written and recorded correspondences and more. The forensic technologies used by authorities can extract data from commonly used programs and apps, and are regularly updated to support additional apps. 
• Metadata: Digital forensic tools can extract records of dates of installation, use, and deletion of programs and applications, and can even show when the device was turned on or off, when a message was read by the user, when connections were made to Bluetooth or Wi-Fi devices and their details, searches on the web or on the device, and more. 
• “Deleted” data: Sometimes these tools can access “deleted” data, since deleting a file does not necessarily remove it from the device, and certainly not from the cloud or other services where it is stored or backed up. 
• Login details for services: Most computers and smartphones store user passwords for numerous public and commercial services. Forensic technologies can extract passwords and use them to retrieve information from any service to which the device is linked.

Our research outlines the procedural steps of digital data extraction performed in overt investigations, categorizing the process into four main stages: device seizure, data replication, data analysis, and transfer of evidence to the legal parties involved. It further elaborates on the technological methodologies employed for data extraction, ranging from manual browsing to more advanced techniques like physical extraction.

II.  The Use of Spyware for Covert Smartphone Search and Extraction

In certain cases, the Israel Police hacks, wiretaps, searches and extracts material using remotely deployed spyware on computers and smartphones. If a spyware program is successfully installed, its operator gains access to the entire history of content accumulated on the device (just as they would in an overt, physical search of the device), in addition to being able to continually monitor its use, operate its software, and activate its hardware unbeknownst to the device owner. This is why spyware like Pegasus, utilized by the Israel Police, raises unique concerns that are not addressed by Israeli law: 

• Unlike wiretapping and non-digital searches, spyware collects information irrespective of any specific authorization date and can access all information available through the device, even if it was produced or accumulated many years ago or by third parties.
• Unlike wiretapping and non-digital searches, spyware exposes the device to additional cyber intrusions from malicious actors and could compromise the assurance of due process and the reliability of the evidence extracted.  Because a spyware phone search is performed remotely, it needs to modify the device’s data and breach the built-in information security systems of its hardware and operating system in order to be successful. The investigator runs the additional risk of contaminating the device’s data as a result of negligence, whether due to unfamiliarity with the targeted system, unforeseen flaws in the spyware program, or unobserved changes to the device’s information by its own defense system. Of course, intentional contamination can also occur if investigators initiate communication on behalf of the device owner or secretly alter its content.

III. Technologies for the Analysis and Cross-Referencing of Extracted Smartphone Data

Recent technological developments have made it possible for authorities to use artificial intelligence (AI) and machine learning technologies, including facial and object recognition, to analyze and cross-reference the immense body of information that can be extracted from a device. These technologies are able to automatically display patterns and practical insights into a suspect’s activity, including extensive information about his or her social connections and contacts – whether or not they are suspects.

These capabilities oblige policymakers to confront the risk of unfounded bias intrinsic to AI and machine learning applications, and address the inability of investigative and prosecuting bodies to accurately dissect AI output generation methods.

IV.  Reliability, Accuracy and Weaknesses of Digital Search Tools Employed by Authorities

Forensic tools for extracting and processing digital information, particularly those used by Israeli investigative bodies, exploit security vulnerabilities in the operating system, hardware, or software of a smartphone in order to bypass its built-in system locks and security mechanisms. But even software specifically designed for smartphone investigation can possess unidentified weaknesses.

• In 2021, serious security vulnerabilities were found in the UFED and Physical Analyzer programs, both of which have been heavily utilized by Israeli law enforcement agencies over the past decade. Device owners who are aware of these vulnerabilities can exploit them to compromise the extraction and processing of their information. To do so, a file is prepared on the device in advance that, upon activation of UFED, corrupts not only the forensic report of the scan but potentially all past and future reports of other scanned devices as well.

Remote forensic tools like Pegasus (a.k.a. Saifan) also rely on software and code that can contain unknown flaws. But as previously noted, their primary shortcoming is that they alter the data and security systems on the device in order to conceal the program’s deployment. To maintain secrecy, these programs tamper with the operating system’s or file system’s automatic logs, which could substantially distort evidence. And again, another concern is that investigators could intentionally or unintentionally modify content stored on the device or use the device to impersonate its owner.

There are valid reasons to be concerned about the reliability of the digital forensic tools under discussion, and yet to date, no procedure has been established in Israel to evaluate the associated risks or to verify the tools’ suitability for use. Meanwhile, other technological systems used by the police, like laser speedometers or traffic enforcement cameras, were thoroughly examined by the court and its experts before being approved for police use. It is crucial that covert digital surveillance tools be evaluated by a neutral third party in order to justify their ongoing use by Israeli law enforcement authorities.

2. The Existing Legal Framework: An Outline

This part of our research provides a comprehensive overview of the existing legal framework governing both overt and covert investigations in Israel, particularly focusing on digital surveillance and searches. It delineates the legal requirements confining law enforcement authorities, comprised of legislation, State Attorney directives, and official procedures. The chapter underscores the ethical, social, and legal complexities inherent in each stage of these procedures, highlighting the growing concerns among Israeli courts about the outdated nature of today’s laws in the face of rapidly advancing forensic technology. It also delves into nuanced legal definitions (e.g., the distinction between “Data in transit” and “Data at rest”) and their implications for what is deemed permissible surveillance or search under current laws.

3. Available Data and Information Gaps Regarding Investigations of Smartphones and Cloud Accounts

The penetration and searching of digital devices is common practice in Israeli law enforcement:

• Over 20,000 search warrants for computers and mobile phones are issued annually. In 2019 alone, approximately 24,000 mobile phone search warrants were requested and granted while numerous devices were searched after obtaining consent from the individual under investigation.

• The military police also conduct extensive searches of mobile phones, in most cases without a warrant, by consent, whether the device is military or personal.

• Requests for warrants based on the Wiretap Law generally receive judicial approval: Out of 3,692 requests in 2020, only 26 were rejected (0.7%). In 2021, the police submitted 3,359 requests for wiretap warrants and 3,350 were approved (over 99%). 

The above statistics are merely the tip of the iceberg, but they illustrate the prospective threat to tens of thousands of civilians’ rights and freedoms each year. As we later explain, the circle of potential harm created by advanced technologies that penetrate and search mobile phones is not limited to the subject of the investigation, but extends to any third party who has had contact with the subject. These devices often store sensitive materials like pictures or videos portraying innocent, uninvolved parties such as partners or children, or organizations’ internal information and correspondences. In other words, countless civilians are implicated by the use of these technologies by police.

Information Gaps

To conduct a responsible and informed debate on the legal and procedural framework for the use of advanced forensic technologies, we need more information about the scope and manner of digital searches in recent years, particularly on smartphones, and their effectiveness in serving the public interest. For example, it would be useful to know how many of these searches have failed to result in indictment. Unsurprisingly, this data is only accessible to law enforcement authorities and has never been fully and systematically disclosed. To allow real, in-depth debate, the following questions, among others, remain to be answered:

Using Technological Tools to Extract Data From Seized Devices

• In how many cases are forensic tools like Cellebrite’s products used by Israeli investigative authorities to penetrate and search smartphones? How many of those cases involve a judicial warrant and how many cases rely on consent? Is use of these tools limited only to serious crimes or to a specific type of crime? If not, how common is the use of these tools across various types of crimes?
• Do investigative bodies employing such tools have clear policies regarding their use? For example, do they limit their use to certain types of crimes? Do they assess their degree of necessity to the investigation? Most importantly, it must be determined whether special rules have been established for dealing with sensitive information, and how many investigators have access to that information.

The Use of Remotely Deployed Technologies to Penetrate Smartphones

• In how many cases do Israeli law enforcement authorities use remotely deployed wiretapping tools like Pegasus (Saifan) to monitor inter-computer communications?

• What is the average execution period for warrants to wiretap computer communications, and how is termination of access guaranteed once the period expires?

• Do Israeli law enforcement authorities employ any other brands of computer communications spyware other than Saifan?

• What is the likelihood that deployment of these tools will contaminate evidence, considering the fact that they inherently disrupt a device’s proper functioning and tamper with its information security mechanisms?

The Use of Technologies for the Penetration, Search or Wiretapping of Smartphones

• How many of the searches performed on smartphones involve extracting data from cloud accounts linked to the device? It is known that forensic tools for smartphone extraction are often used to extract cloud data as well, but the frequency at which this occurs is unknown.
• How many of the searches performed on digital devices, and on smartphones in particular, result in indictments and convictions?

• To what extent do courts approve requests to search mobile phones? We need to distinguish between complete acceptance, acceptance contingent on supplementary conditions, and rejection.
• What happens to the data extracted from digital devices and cloud accounts after the investigation? Is it retained as potential evidence for other investigations? Is it erased if an investigation is closed due to the subject’s exoneration? Does the principle of purpose limitation, commonly referenced in privacy protection laws, also apply to the use of materials collected during this kind of investigation (both covert and overt)?
• Do the vendors supplying these forensic programs have access to information about their use and their targets? We ask this question in light of the findings of the Marari Committee on Police Wiretapping of Computer Communications, according to which the NSO Group provided the Committee with data on “every deployment of its system since its first use by police; the exact time and date of each deployment; and the mobile phone on which it was deployed.”

4. The Need for Legal and Procedural Change

I. Safeguarding Civil Rights in Personal Device Searches

Israel’s outdated legislative framework fails to provide an adequate oversight mechanism for digital search technologies, allowing the potential abuse of these powerful tools to remain unchecked and allowing authorities unfettered access to personal data stored on smartphones and linked cloud accounts.

As demonstrated in depth in the full report, smartphone searches deeply violate the personal freedom of their subjects as well as their right to due process of law. In today’s technological reality, smartphones are inextricably intertwined in our lives, and ongoing technological developments increasingly expand the types and scope of data they store. It is therefore imperative that the existing law be amended to focus on the following problems:

• Unlike a search of a physical space, in which warrants allow only for the seizure of materials relevant to the investigation, smartphone search technologies generally extract all stored information, without pre-filtering for a specific timeframe or for types of material relevant to the investigation.
• The smartphone is a gateway to all kinds of digital property, such as social media accounts, emails, medical and financial information and crypto assets. The procurement of all this data does not require additional warrants or a specialized investigative plan.
• Smartphone searches not only infringe upon the rights of the owner of the device under investigation, but also usually invade the privacy of innocent and unknowing third parties. Examples include confidential corporate information about the owner’s workplace and personal photos and correspondences with close friends, romantic partners, or children and minors in the owner’s proximity.
• The suspect’s ability to review the forensic report of the search of his or her phone is significantly limited compared to other investigative materials submitted for review, both because he or she must rely on law enforcement officials to provide the material in a readable format and because of the level of expertise required to understand the extraction and deciphering processes performed.

In today’s cloud-computing era, granting access to a smartphone equates to granting access to all linked cloud accounts, expanding law enforcement’s investigative scope significantly without a corresponding legal update. The need to revise smartphone search regulations is now more pressing than ever.

II.  Accounting for the Inconclusiveness of Digital Forensic Evidence

The threat to personal privacy and human dignity posed by forensic smartphone extraction is certainly reason enough for regulatory revision, but even more concerning is that the fundamental requirements of due process and evidential reliability are jeopardized by the use of this technology in the criminal justice system. The security vulnerabilities in the UFED and Physical Analyzer systems mentioned earlier are but one example, allowing a device owner to distort not only his or her own scan report, but even stored reports from previous scans and future reports not yet created.

Forensic smartphone search laws and regulations can no longer remain as they are. Change is imperative to protect the public interest, ensure that due process is upheld and guarantee the integrity of evidence presented in court.

III. Disadvantaged Populations’ Heightened Vulnerability in Smartphone Searches

Any time an intrusive investigative tool is put into widespread use, usually the ones most deeply affected are racial minorities and socioeconomically disadvantaged communities, who are systematically subjected to over-policing and whose rate of arrest is disproportionate to their representation in the general population. And though in principle the Supreme Court has ruled that consent cannot be obtained through coercion (whether explicit or implicit), experience and recent court rulings demonstrate that members of over-policed cultural minorities tend to feel compelled to consent to police searches out of fear and a sense of extreme power imbalance.

The widespread use of smartphone search technologies puts over-policed, disadvantaged populations at the greatest risk, as well as those living in poverty, who effectively store the entirety of their online, personal activity on their smartphones, for lack of personal computers.

IV. Extra-Territorial Digital Searches: Israel’s Legal Limits

With the use of cloud storage in smartphones continually increasing, difficulties arise regarding the legality of searches conducted in information repositories located outside of a state’s sovereign territory. For the past two decades there has been a general consensus in democratic countries that a state’s law enforcement organizations are not authorized to conduct a search of data stored in another state without special legal arrangements between the two.

Thus, the current practice of infiltrating digital materials stored outside of Israel’s jurisdiction on the sole basis of a State Attorney permit, without explicit legislative authorization, strays from the accepted territoriality principle and from the internationally acknowledged need for modernized search laws, in a world where almost every smartphone search involves the search of data stored beyond the investigating country’s borders.

5. Development Proposal for Digital Search Laws in Israel

In order to balance the public’s desire for the delivery of justice on the one hand and the fundamental rights to privacy, due process and preservation of human dignity on the other, legislators and courts must consider these guiding principles:

1. Enhanced documentation of forensic activity during the digital search process: The tools used by law enforcement authorities to search smartphones should feature record-keeping functions, most importantly detailed audit logs and automatic screen recordings.
2. Requirements for the handling of content procured from smartphones: Allowing investigators to preserve materials not specified in a digital search warrant is comparable to giving them the right to conduct a search of a house indefinitely. The law needs to stipulate that any extracted data unrelated to the purpose of the search warrant must be deleted within a few months’ time. In the same vein, there should be a legally mandated filtering process for data extracted from smartphones and linked cloud accounts, in which only materials that have been evaluated and found relevant by investigators are entered into the system and stored by the investigating entity, as opposed to the current practice of extracting and saving all available information from the device.
3. Transparency requirements for investigative authorities performing digital search and extraction on personal devices: Effective parliamentary oversight and the establishment of public trust rely on the availability of accurate statistics that paint a clearer picture of how these powerful technological means are being used. In Chapter 3, we discuss the kinds of information that need to be publicly disclosed, both in the interest of public oversight and as the vital groundwork for lawyers, researchers, journalists and policymakers to build upon.
4. Regulation of the data-sharing relationship between investigative authorities and forensic technology vendors: Future regulation needs to prohibit private-sector technology companies from accessing data collected by law enforcement using their tools. Data obtained using these tools and any documentation of their operation must be stored exclusively in state-owned, state-operated databases.
5. Curtailing the power of “consent” in warrantless smartphone and cloud searches: “Consent” to the use of powerful digital search tools is often granted in the context of a power imbalance between the investigators and the suspects trying to appease them, raising further concerns: (a) in the absence of a search warrant delineating the search objectives, the investigator’s invasion of the suspect’s privacy is unconstrained and unsupervised; (b) most device owners are likely unaware of the breadth and intimacy of the information that can be extracted from their devices, in which case the concept of “consent” loses its meaning; (c) When a device is hacked and searched on-site, it is extremely difficult to rule out the possibility of data contamination, whether deliberate or unintentional. For all these reasons, policymakers need to reexamine the legitimacy of operating these technological tools on the ground, based solely on consent.