Police Searches in the Cloud: Israel Worried about International Incidents – But Did Nothing to Prevent Them

Police forces worldwide have encountered a new problem in recent years: Information on suspects’ cellular devices is stored on overseas cloud servers – ostensibly out of reach of local search warrants. A case currently being heard in an Israeli courtroom, however, reveals that local legal authorities were aware of the problem but, despite concerns over harming foreign relations, created a method of bypassing the law and allowing these searches to go ahead – even though it’s in violation of an international charter signed by dozens of countries. Israel is not alone: Only a handful of countries have passed relevant legislation. A Shomrim report

Police forces worldwide have encountered a new problem in recent years: Information on suspects’ cellular devices is stored on overseas cloud servers – ostensibly out of reach of local search warrants. A case currently being heard in an Israeli courtroom, however, reveals that local legal authorities were aware of the problem but, despite concerns over harming foreign relations, created a method of bypassing the law and allowing these searches to go ahead – even though it’s in violation of an international charter signed by dozens of countries. Israel is not alone: Only a handful of countries have passed relevant legislation. A Shomrim report

Police forces worldwide have encountered a new problem in recent years: Information on suspects’ cellular devices is stored on overseas cloud servers – ostensibly out of reach of local search warrants. A case currently being heard in an Israeli courtroom, however, reveals that local legal authorities were aware of the problem but, despite concerns over harming foreign relations, created a method of bypassing the law and allowing these searches to go ahead – even though it’s in violation of an international charter signed by dozens of countries. Israel is not alone: Only a handful of countries have passed relevant legislation. A Shomrim report

Daniel Dolev

Photo Illustration: Reuters

October 4, 2022

Summary

An ongoing criminal case has raised complex issues of sovereignty, international judicial authority, and privacy, all in relation to the widespread use of the cloud for data storage. While the case deals ostensibly with alleged crimes committed in Israel, the issues it raised are common to most countries – at least some of which have never been discussed or dealt with in terms of legislation.

The so-called Telegrass case erupted in Israel in March 2019, when dozens of people were arrested on suspicion of drug dealing using the Telegram instant messaging app. Indictments were filed against some 30 suspects, most of which are still being heard by the Central District Court. During the hearings, it was revealed that, with the court’s permission, remote searches were conducted on computers located outside of Israel – the cloud servers on which the data of some of the suspects was stored. This was done without the permission of the countries where the servers were physically located and without informing the authorities there. It was also revealed that the police’s requests to make these searches were approved by the previous attorney general, Avichai Mandelblit, or another senior figure in the State Attorney’s Office. In the Telegrass case, approval was subsequently given by an Israeli court to conduct the searches – even though it is far from clear whether an Israeli court has the authority to do so.

Right to left: Esther Hayut, President of the Supreme Court of Israel, Gali Baharav-Miara, Attorney General of Israel, Kobi Shabtai, Commissioner of Israel Police. Photos: Mark Nayman - GPO, Tomer Jacobson - Wikipedia, Reuters
Documents obtained by Shomrim suggest that the Justice Ministry has long been aware of how potentially incendiary the issue is and the potential violation of another country’s sovereignty. Nonetheless, it created a mechanism to bypass the stagnating legislation

No Authority for a Foreign Search warrant

According to Israeli law, if the police want to search a computer or a cellular phone, they must first take physical possession of the device and obtain a warrant to search through its contents. This cannot be done clandestinely, and the device’s owner must be aware of the search. In the past few years, however, technological advances have created problems for the police: Much of the data is not stored in the physical memory of the confiscated device but, rather, in the cloud – a server farm used by various companies overseas. Email exchanges, conversations in many instant messaging apps, location history, payments, receipts, and photographs are among the many items of information that are not necessarily stored on the device but in the cloud.

At first glance, it would seem that accessing information stored on a computer outside of Israel is identical to a police search in a foreign country, which would entail a long and complex bureaucratic process: the authorities must submit a request for legal assistance from the country in question and, in most cases, the search will be conducted in the presence of local police officers.

Israel, like many other countries, became aware of the potentially problematic nature of cloud technology around a decade ago. In 2014, when the Justice Ministry submitted proposals for reforming the police’s powers of search, it included the option of a search warrant that would extend to cloud servers. However, the legislation to make these proposals law was never completed, and the courts were not given the authority to approve such searches.

Documents obtained by Shomrim suggest that the Justice Ministry has long been aware of how potentially incendiary the issue is and the potential violation of another country’s sovereignty. Nonetheless, the ministry did nothing to prevent such searches. Instead, it created a mechanism to bypass the stagnating legislation: the attorney general would approve in advance any such request for a search warrant that the police planned on submitting. According to two sources who participated in the discussions, the aim was to ensure that such searches would be conducted sparingly and only in cases where the international risk was considered worthwhile. The courts approved these requests, even though, as already mentioned, it is unclear whether it has the authority to do so.

It appears that approval from the attorney general has been sought since November 2017, and it is unknown in how many cases it was given. A recent document submitted by the state to the Central District Court reveals that there was not even a written record of these requests being submitted. “The stringent procedure for receiving advanced approval at the discretion of the attorney general (…) is a procedure that was introduced at first without written instructions,” the document states. “ (…) It was primarily designed to ensure that the requested operation would not include anything extraterritorial, which could give rise to possible claims of having violated the sovereignty of foreign nations.”

It is unusual for a binding legal process to remain unwritten, but, nonetheless, no one at the Justice Ministry was in any hurry to put it in writing. On the contrary, three years later, in November 2020, the State Attorney’s Office published detailed instructions regarding searches of physical devices, but that publication – 13 pages in length – did not mention cloud searches or approval from the attorney general. The two updates to the instructions that have been published since then also do not bring the issue of cloud storage into the equation.

Just last year, the official procedure was published in writing, and even then, only as an internal directive issued by the Cyber Unit of the Israel Police’s Investigations and Intelligence Department. Since this is just an internal directive, it is not accessible to the general public and is being revealed here for the first time. This directive makes life easier for the police: instead of obtaining approval from the attorney general, they can make do with approval from a senior official from the police’s Cyber Unit and the approval of the head of the Cyber Unit at the State Prosecutor’s Office, Dr. Haim Wismonsky. Those who have had occasion to use the procedure or were exposed to it have nicknamed it the “Wismonsky Permit.”

Attorney Kobi Sudri. Personal Photo

The principle of the Wismonsky Permit was raised recently in connection to the Telegrass case. Kobi Sudri, the attorney representing one of the defendants in the case, claims that the authorities do not have the power to search overseas-based servers without specific legislative approval.

Another issue raised was when the need for the attorney general’s approval came into effect. The procedure, it turns out, was written in 2017, but the State Attorney’s Office claims that it only came into effect four years later, in January 2021 and that, until then, the office worked in accordance with “an unwritten directive.”

“The whole procedure of the Justice Ministry approving these requests are designed to bypass the limitations set by the law,” Sudri argues. “Our contention is that Israeli law does not permit police to hack into a remote computer using a confiscated device, especially when the remote server is located outside the borders of the State of Israel. In order for the state’s actions to be legal, accessing information via a cell phone that was seized in Israel, there needs to be a law permitting it, and not just a police construct. They deliberately misled the courts into thinking this was a legal measure, but it is not.”

In response, attorneys Shiri Rom and Yoni Hadad from the State Attorney’s Cyber Unit claimed in court that the state’s position is that the physical location of the servers is of secondary importance and, in some cases, the state does not even know where they are located. The existing law, they claimed, allows such searches.

“An Israeli investigating body working in Israel to apprehend an Israeli suspect and confiscated from him a cell phone in Israel, in accordance with a warrant issued by an Israeli judge,” Hadad says. “There is information linked to that device. Sometimes we know where that data is stored, and many times we do not. It may well be that it is stored on a server located outside of Israel, (yet) most of the territorial connections are in Israel. We argue that we have authority since, if the suspect can access that information at the click of a button, then a judge can issue a warrant granting police access to it as well.”

“There are extraterritorial considerations when accessing the cloud, but they are very limited, and this is not an obvious case of operating outside of Israel,” Rom adds. “The territorial issue is, in fact, secondary.”

In response to questions from the judges, Rom adds: “There is a potential for the sovereignty of a foreign nation to be violated. If, for example, a certain country believes that any access to servers on its territory is a serious violation of its sovereignty, and anyone who does so must be prosecuted, then, of course, that must be taken into consideration.”

Photo Illustration: Reuters
During the Telegrass hearings, it was revealed that, with the court’s permission, remote searches were conducted on computers located outside of Israel – the cloud servers on which the data of some of the suspects was stored

The Unbearable Ease of Cloud Hacking

The fact that Israeli police conducted searches of foreign cloud servers in the Telegrass case was first revealed a year ago in a report on the Mako website [Hebrew]. Shomrim can now reveal further disturbing details about how the search was conducted.

The police directive specifically states that it has no authority “to crack the password on a remote server using a password cracking tool or bypassing the password.” The reason for this, it seems, is to ensure that technology companies or the foreign countries where the servers are located do not protest about the search or even reveal that the search was conducted. In practice, things were handled very differently.

On the night of the arrest of suspects in the Telegrass case, on March 12, 2019, police confiscated the cell phone of one of the suspects. According to the court testimony of an officer from the Cyber Unit who participated in the operation, the SIM card from the suspect’s phone was transferred to a police device to bypass the password for the device. At this stage, in order to bypass security and access the suspect’s accounts and apps, such as Google services, the investigator pressed the ‘Forgot password’ button and was sent a code to the police device. Then, according to the officer’s testimony, he changed the password to all the suspect’s various accounts and changed access options to allow only the police device to access them. This made it much easier to obtain the code to access the suspect’s device.

Another complex legal issue was raised when police accessed the suspect’s cell phone. Once investigators opened the device, photographs were downloaded from the cloud – including diagrams depicting the organizational structure of Telegrass. The police cyber lab that took possession of the confiscated device created a read-only backup of all the information on it. That backup included incriminating files that were not originally stored on the device. On the witness stand, the officer in question insisted that he had no idea how the files were downloaded onto the device.

Moreover, some of the actions that officers conducted while in possession of the cell phone had been deleted from device’s browsing history, but the mirror image that police made, which lets users restore deleted items, did expose them. In Court, the officer who confiscated the device testified that he does not remember deleting any activity, but the activity log showed that some data was indeed deleted.

Photo Illustration: Shutterstock
Attorneys Shiri Rom and Yoni Hadad from the State Attorney’s Cyber Unit claimed in court that the state’s position is that the physical location of the servers is of secondary importance and, in some cases, the state does not even know where they are located

The International Picture

Israel is not the first country to face legal issues related to cloud computing. In 2001, long before the prevalence of cloud-based servers, the Council of Europe drafted the first-ever agreement on the issue, designed to regulate cooperation between member states in the fight against cybercrime. Since then, 65 countries have signed the agreement, including Israel, which joined in 2016. The agreement, known as the Budapest Convention, contains a provision allowing trans-border access to stored computer data without the agreement or consent of the host country only when the data is publicly available or if it obtains the “lawful and voluntary consent of the person who has the lawful authority to disclose the data through that computer system.” 

Dr. Roy Schöndorf, who served until June 2022 as deputy attorney general for international law, refused to discuss the hearings in which he participated but explained that “international law does not determine unequivocal guidelines when it comes to the question of searches on servers that are located in another country. A working group under the auspices of the Budapest Convention is currently discussing this very matter. In the meantime, each country has a different practice, and most of them are rather vague on the matter.”

“There are countries like Canada, which reject with the option of conducting direct searches on servers located in a foreign country. In contrast, Belgium, for example, does not see any problem conducting such searches,” adds Schöndorf, who specializes in international and cyber law. The Supreme Court of Norway also ruled that, under certain circumstances, a search warrant could be issued against a Norwegian body or person, during the course of which searches could be made on servers located outside of the country. Australia, one of the only countries to have set out clear instructions on the matter, determined that in the case of relatively serious crimes, searches could be conducted on over-seas-based servers if a reasonable effort failed to determine the physical location of those servers.”

While the Budapest Convention is seen as the most serious effort to establish a framework for international cooperation in the fight against cybercrime, several countries have not become signatories, including Russia and China, which are both extremely hawkish when it comes to their internet sovereignty. Russia, for example, passed the Sovereign Internet Law in 2019. According to news reports, this law would allow Moscow to disconnect the Russian internet from the global web completely. The same year, Russia also spearheaded a resolution in the United Nations General Assembly, establishing a working group that would work toward the creation of a new global cyber covenant. Russia and China would certainly not look kindly on any access to data stored on servers on their territory.

A similar problem arose in the United States in 2013 during a drug-dealing investigation by the Federal Bureau of Investigation. As part of the investigation, the FBI obtained a warrant instructing Microsoft to provide it with the emails of an American citizen who was one of the suspects. The company refused, claiming that the data was stored on servers located in Ireland and was, therefore, beyond the authority of an American court.

When the Supreme Court of the State of New York sided with Microsoft, Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018. That law stated that authorities in the U.S. are entitled to enter into mutual cooperation agreements with foreign countries, which would allow tech companies to comply with such warrants – even if the data in question is stored on servers outside of the United States. The only caveat is that the cooperation agreements must be mutual and that they safeguard the rights of American citizens. The agreements in question are general, and they mean that American authorities do not need to submit requests for legal assistance in every case. According to the U.S. Justice Department, agreements have been signed with the United Kingdom and Australia alone, and there are advanced contacts with the European Union and Canada.

There was also some discussion of the issue in the U.K. A panel of experts appointed by the Home Office to look into the whole issue of police searches issued its recommendations some two years ago, asserting that the current law is not clear enough on this question and that, in practice, police searches of cell phones often include access to data stored in the cloud. The panel recommended changing the law to stipulate explicitly that authorities can ask for a warrant that includes access to cloud-stored data and that the new law specifies the exact criteria for such a warrant. As for the question of cross-border access, the experts with whom the panel conferred reached the conclusion that international law does not provide a clear-cut answer to the question and that, in practice, the chances of a foreign country viewing a search of servers located on its territory as a violation of its sovereignty were extremely low.

“The biggest problem with the situation in Israel is that the law isn’t up-to-date,” says Dr. Asaf Weiner, head of regulation and policy at the Israel Internet Association. “Our legal system just does not deal with all the challenges of digital searches, specifically searchers on remote servers, and the courts have been begging the legislative branch to address the issue. In the end, it’s impossible to use a law drafted in 1995, long before the age of internet in every home and light years before anyone even thought about cloud computing, to address the technology we have in 2022. So what happens is that the courts usually manage to interpret the law in a way that grants police the authority, but they do not set clear boundaries for police powers to protect civil rights.”

“An equally pressing problem, which is exacerbated by access to data in the cloud, is the unbearable ease with which police can create an exact copy of all the data a person possesses the moment that their device is in the hands of an investigator,” Weiner adds. “And this isn’t just about the police, by the way. Several bodies have the legal authority to investigate, like the Tax Authority, the Military Police, and even the Privacy Protection Authority.”

“This can include the location history that Google automatically saves, your internet searches, photographs, documents, conversations on any platform, including dating apps, and so on,” Weiner says. At the press of a button, a law-enforcement body can make a copy of all this information. What happens to that data when the case is closed? Do they have to delete it entirely, or is it kept as part of their intelligence material? And what about the privacy of third parties or information stored in the cloud and protected as privileged information? After all, everything can be duplicated, and filtering is only done in retrospect. The Knesset must provide answers for these issues.”

Response

The Justice Ministry submitted the following response: “Conducting searches by accessing remote servers is acceptable in many countries in the world, and it allows law-enforcement authorities to conduct effective searches of materials used by the suspect in committing a crime. The power to conduct such searches is taken from the General Criminal Procedure Law and the Computers Law, and it is being widely discussed at the time in the courts as part of the Telegrass case. The legal arguments of both sides on this legal issue are being heard before the court, which will rule on them.

It should be clarified that the searches in question are always carried out by court order and are not clandestine searches conducted without the knowledge of the person being investigated, who is shown the search order for computerized materials. It should also be stressed that this authority does not contradict the European Commission’s covenant on Cybercrime (the Budapest Covenant), to which the State of Israel is a signatory. This covenant sets the lowest common denominator for member countries but does not prevent any country that has signed the covenant from implementing practices for searches of material stores in remote servers. Indeed, various signatory countries, such as Belgium, Spain, Cyprus, the Netherlands, and others, implement such practices for searching remote servers.

“As for the question that refers to the move to legislate the various aspects of the power to search computers within the proposed search law, it should be noted that this move does not detract from the possibility of interpreting the existing law as granting said authority.

“As for the question that refers to additional cases in which warrants were used to access remote servers, this figure mentioned concerns pending cases, some of which have not seen indictments issued. The request for information regarding this matter in the Telegrass affair requires an appropriate judicial decision, therefore, it is not possible to provide information regarding this matter.”

In relation to its conduct in the Telegrass case, the Israel Police submitted the following response: “Since the legal process in the case is still ongoing, we are not at liberty to discuss it. We would stress that the investigation was accompanied by the State Attorney’s Office and accessing the remote servers referred to in your question was conducted in accordance with a court order and with the approval of the State Attorney.”

This is a summary of shomrim's story published in Hebrew.
To read the full story click here.