In the Netanyahu case the question arose whether the examination of witnesses or defendants had been affected by phone intrusion, following the police Pegasus affair. Per reporting, the court ordered some of the materials related to the examinations disclosed to the defense, balanced against privilege over operational methods — and did not, at that stage, rule the evidence broadly inadmissible. In other words: not “everything,” and not the tool itself.
That distinction is technical, not only legal. A useful framework for an expert: operational spyware can be divided into three layers — code (a black box that is almost never disclosed), operational configuration (who deployed it, when, against whom), and operational output (what was actually collected). When a court orders partial disclosure, the critical question is which layer access was granted to — and decoding that is exactly what an expert is for.
That is what matters: access to the code is almost never available, so a “the tool was biased” claim is hard to ground. But if the operational configuration or its output were disclosed, claims like “the deployment was disproportionate” or “material was collected that should not have been” can be examined — because those, once handed over, can be read.
For defense counsel in a matter like this, the question is not “is Pegasus criminal” but: in this specific deployment, at what scope, what kind of data flowed, and which part of it belongs to the investigation? That is a technical question, not a legal one. Without a spyware expert who can separate metadata from content, targeting from network artifacts, and an artifact created by the tool from one created on the endpoint device — the opinion will be shallow.
The lesson: in a matter where surveillance spyware is part of the evidence, the software expert does not examine the code (which is unavailable). The expert examines the story that the available evidence tells — and highlights where it does not line up with the prosecution’s claims.