Within 48 hours in January 2026, two separate investigations into Israel's surveillance technology collapsed or confirmed something alarming—not because of new exploits or data breaches, but because of governance failures on either side of the same coin. On January 20, Israel's State Comptroller released a report finding that police had used Pegasus-class spyware "hundreds of times without legal review and approval." Two days later, a Spanish High Court judge closed his investigation into the same technology because Israel had refused to respond to five cooperation requests over nearly three years. These events are not unrelated. They are symptoms of the same structural failure: Israel classified Pegasus as a defense export requiring Ministry of Defense approval, then built almost no accountability mechanism around that classification—domestically or internationally.
Spain's Probe: A Foreign Court Stonewalled
Spain's investigation began in May 2022 after it emerged that Pegasus had been used to infiltrate the phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles. Judge José Luis Calama sent cooperation requests to Israeli authorities—five in total, spanning from 2022 through early 2025. Israel did not respond to a single one. On January 22, 2026, Calama closed the case, stating Israel had committed "a manifest breach of its international obligations" and violated "the principle of good faith that should govern relations between states."
The steelman case for Israel's position deserves honest consideration. Pegasus is classified as a weapon under Israeli law. Revealing operational details about surveillance tools—even to a friendly foreign court—can compromise intelligence methods and legitimate defense partnerships. States routinely protect sensitive defense technologies from foreign judicial scrutiny, including allied states. This is a genuine tension between national security confidentiality and legal accountability.
But blanket non-response is not a proportionate invocation of that principle. Spain is a democratic ally. The targets were sitting government ministers. A calibrated response—acknowledging the requests, engaging through diplomatic channels, providing whatever non-classified confirmation was possible—would have respected both obligations. What Israel offered instead was three years of silence, which goes beyond legitimate caution into effective impunity. The export license system, in practice, functioned as a shield against accountability rather than as a mechanism for ensuring responsible use.
At Home: The Comptroller's Damning Findings
The State Comptroller's January 20 report is, in some ways, more troubling still. The finding that Israeli police used surveillance tools including Pegasus "hundreds of times without legal review and approval" is not a story about a foreign government abusing Israeli-made technology. It is a story about Israeli law enforcement abusing it against Israeli citizens—including minors, crime victims, and individuals never suspected of crimes.
Comptroller Matanyahu Englman described the violations as "fundamental and significant," stating that "prohibited installations were performed, prohibited data was collected, and prohibited outputs were produced and used"—all "without sufficient regulation in legislation, without appropriate legal approvals and without following orderly procedures." The Attorney General's Office, which should have served as an oversight backstop, was found to be "not an active partner in the examination of the use of technological tools processes."
The institutional response made things worse. In February 2026, members of the committee established to investigate police Pegasus use resigned, alleging that police had actively obstructed their inquiry. That an oversight body formally quit over obstruction—weeks after the Comptroller published evidence of years of unauthorized surveillance—describes a system in which accountability mechanisms exist on paper and dissolve under pressure.
The Regulatory Architecture and Its Gaps
Israel's Defense Export Control Law in theory makes Israel responsible for every deployment of Pegasus globally, since each sale requires Ministry of Defense licensing on a country-by-country basis. In practice, the Spanish probe demonstrated that Israel interprets this responsibility as covering only the initial export, not downstream use—and treats any foreign request for accountability as outside the scope of what it owes the world.
Domestically, the Knesset granted preliminary approval to a Cyber Capabilities and Spyware Law in November 2024, which would authorize court-approved use of surveillance technology for serious crimes. But the Comptroller's report covered violations from 2015 to 2021—years before this legislation, and well within an existing legal framework the police chose to circumvent anyway. A new law that authorizes what was already happening without oversight does not solve the oversight problem.
NSO's US Pivot
Meanwhile, NSO Group has been engineering its own rehabilitation. In October 2025, US investors led by film producer Robert Simonds acquired a controlling stake. Former US Ambassador to Israel David Friedman—a close Trump ally—was named Executive Chairman in November 2025, with the stated goal of pursuing US government contracts and exiting the US Commerce Department's Entity List, where NSO has been blacklisted since November 2021 for "enabling foreign governments to conduct transnational repression."
The Trump administration's December 2025 decision to lift sanctions on executives of rival spyware firm Intellexa has encouraged industry optimism about NSO's prospects. Whether US ownership actually changes NSO's accountability posture—rather than its lobbying posture—is a different question. A federal court's October 2025 permanent injunction barring NSO from accessing WhatsApp remains in force. The underlying technology and governance structure have not changed; only the corporate ownership and political connections have.
What Proportionate Oversight Requires
The case for regulating powerful surveillance technology is strong and well-grounded. Pegasus-class tools can extract messages, calls, emails, location data, and real-time audio and video without the target clicking anything. The potential for abuse—whether by authoritarian governments that bought licenses or by domestic law enforcement operating outside judicial supervision—is empirically demonstrated, not hypothetical.
But "export controls on spyware" and "no accountability for what happens next" are not the same policy. A coherent framework would require: export accountability that extends beyond the initial sale to cover documented misuse; an independent domestic oversight body with genuine independence from the institutions it audits; and engagement—not stonewalling—with legitimate judicial cooperation requests from democratic allies. Israel has the legal scaffolding for the first (the Defense Export Control Law) and nominal structures for the second (the comptroller, the oversight committee), but has applied neither with any teeth. On the third, its record is simply a refusal to engage.
The two January 2026 revelations are not separate policy failures. They are the same failure seen from two different vantage points. Israel has built a system that controls who can buy Pegasus. It has not built a system that controls what anyone—buyer or seller, foreign government or domestic police force—actually does with it.