On April 23, 2026, the University of Toronto's Citizen Lab published "Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors", documenting two covert campaigns that exploited SS7 and Diameter — the signaling protocols mobile networks use to route calls and roaming traffic between operators — to silently geolocate phones in Thailand, South Africa, Norway, Bangladesh, Malaysia, Denmark and beyond. One campaign logged more than 500 location-tracking attempts beginning in November 2022. A second fired over 1,700 SS7 attacks from a single network address between October 2023 and April 2025, and deployed the SIMjacker zero-click exploit; Haaretz's follow-on investigation counts more than 15,700 SIMjack tracking attempts since late 2022.
The entry points matter as much as the volume. Surveillance traffic repeatedly traversed 019Mobile, an Israeli mobile virtual network operator branded Telzar 019, whose infrastructure was reachable through Partner Communications, one of Israel's largest carriers — alongside Tango Networks UK and Airtel Jersey, per Commsrisk's analysis. Citizen Lab deliberately declined to attribute the campaigns to a named company, but lead researcher Gary Miller told TechCrunch the indicators point toward an Israeli-based commercial geo-intelligence provider, and Haaretz's reporting identifies Rayzone and Exelera Telecom among the companies operating in this ecosystem.
A regime written for Pegasus, not for signaling
Israel has, on paper, one of the world's most developed surveillance-export regimes. The Defense Export Control Law, in force since the end of 2007, requires Ministry of Defense licensing — administered by the Defense Export Controls Agency (DECA) — for exports of defense equipment, know-how and services. Pegasus-class intrusion software is classified as a weapon under this regime, and after the NSO Group scandals, DECA published an updated End User Declaration in December 2021 restricting cyber and intelligence systems to the investigation of terrorism and serious crime, and stating explicitly that expressing an opinion or criticism does not constitute a terrorist act.
But every element of that architecture assumes a product crossing a border: software delivered to a foreign government, an end user who signs a declaration, a license that can be revoked. Signaling surveillance breaks each assumption. Nothing is shipped. A geo-intelligence vendor leases "global titles" — network addresses — from a cooperative operator, then sends location queries across international interconnects from wherever its servers sit. The foreign "end user" may never touch a system at all; they buy lookups as a service. If the platform physically stays in Israel, it is far from clear the 2007 law's export trigger is ever pulled. And the companies whose networks carried the traffic are licensed telecom operators answering to the Ministry of Communications, not defense exporters answering to DECA. The result is a class of cross-border surveillance — functionally equivalent in its effect on a target to Pegasus-grade geolocation — sitting in a regulatory blind spot between two ministries.
The case for sweeping controls — and the case against
The strongest argument for pulling all of this under the defense-export regime deserves a fair hearing. Covert location tracking is not an abstract privacy harm: knowing where a dissident, journalist or estranged spouse sleeps is frequently the predicate to arrest or violence, and the NSO era demonstrated that voluntary industry restraint does not hold. Citizen Lab's authors note that despite years of public reporting, this activity "continues unabated and without consequence." Regulators who conclude that only hard licensing changes vendor behavior are reasoning from evidence, not paranoia.
Yet the maximalist response — classifying signaling access or geo-intelligence capability wholesale as a defense article — would be a category error. Israel's telecom and network-security sector is overwhelmingly legitimate; the same SS7 expertise that enables tracking powers the firewalls that block it. Weapons-grade licensing for an entire protocol layer would burden hundreds of lawful firms to reach a handful of bad actors, and would do nothing about the structural problem Citizen Lab actually identified: operators leasing signaling access with minimal accountability.
The proportionate fix
Three targeted moves would close the gap without collateral damage. First, telecom-license conditions: the Ministry of Communications should make operators strictly accountable for global-title leasing and third-party signaling access — mandatory vetting, audit trails, and license consequences when their identifiers surface in tracking campaigns. This mirrors Citizen Lab's own recommendations on interconnect screening and verification of GSMA IR.21 roaming records. Second, an explicit "surveillance services" category in export control, so that selling location-tracking-as-a-service to foreign clients requires the same DECA license and end-user scrutiny as selling the system itself. Israel's legislature is plainly capable of moving here: the Ministry of Economy published a draft dual-use export bill — the Law for the Regulation of Foreign Trade: Control of Civil Dual-Use and CBRN Exports, 5786-2026 — on March 26, 2026, with public comments closing April 25, two days after Citizen Lab's report landed. That bill targets dual-use goods and proliferation, not signaling surveillance; the Knesset should close the services gap deliberately rather than leave it to accident. Third, international alignment: signaling abuse is jurisdiction-shopping by design — the same campaigns ran through the UK and Jersey — so operator-accountability standards belong in multilateral telecom fora, not just Israeli law.
The lesson of the NSO era is not that Israel lacks rules. It is that controls written for yesterday's product can be legally irrelevant to today's service. Proportionate regulation means matching the rule to the abuse: hold licensed operators accountable for what rides their signaling links, extend end-user discipline to surveillance sold as a service, and keep the rest of the innovation economy out of the blast radius.