On July 18, 2021, The Wire India published its article as part of its global collaborative investigation, under the name “Pegasus Project” which revealed shocking details about the Israeli spyware and how it’s being used to follow the phones of journalists, ministers and activists. The news piece revealed how a leaked database had thousands of phone numbers, believed to have been listed by multiple government clients on an Israeli Surveillance technology firm, includes more than 300 verified Indian mobile phone numbers. These numbers belong to ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others as per the news agency’s investigation (Varadarajan, 2021).
Forbidden Stories, a Paris-based media non-profit, and Amnesty International were the ones to gain access to the leaked database. Forensic tests were conducted by Amnesty International’s Security Lab, as a part of this project on a small fraction of phones associated with these numbers (FAQ: On the Pegasus Project’s Digital Forensics, 2021). A total of 37 phones, ten of which were in India, showed clear signs of being infected with Pegasus spyware. Without running a technical analysis on a phone, it is not possible to say definitively whether it witnessed an attack or was successfully compromised. The app can also turn on the microphones and camera of the user without their knowledge. All this information collected via the software is available to the person infecting the devices.
The Pegasus spyware is a product developed and sold by the Israeli security company, NSO to “vetted government clients”, used to hack into and conduct surveillance on targeted Windows, Mac computers and Andriod and iOS smartphones. The NSO is said to have sold the same in over 40 countries.
The transforming ways of NSO’s spyware over the past few years The spyware company which surfaced early last decade has changed its ways of infiltration for gaining an edge over other such software. The hacking software’s methods were first discovered in 2016 (Pegasus Spyware: How Does It Work?, 2021). The malware installed itself on targets' phones using booby-trapped text messages back then. All the software required was for the user to click on the link in the message for the spyware to download. With people becoming aware of the harms of clicking on such links, installation of the software became difficult. However, with times, the spyware’s operations have changed, with it using a “zero-click” system to download itself. In such a scenario, the user wouldn’t even have to click on any suspicious or malicious links, that is no target engagement is required. It is this feature that made Pegasus stand out amongst its competitor spyware firms (Mazoomdaar, 2021).
The spyware uses a vector to infiltrate into the devices of the targeted users. The vector which carries the spyware can do so in the form of numerous applications like Whatsapp, messaging, emailing, etc. Most of these applications self download messages or other data received before scanning it for any malice. After that, the spyware installs itself on the device and starts monitoring the user's activity over the internet, as well as other platforms (Mazoomdaar, 2021). It was through Amnesty’s 2019 report that people found out about the spyware’s technique of installing itself without any user interaction. Right after, Whatsapp filed a lawsuit in a US court accusing the Israeli surveillance firm of helping government spies break into the phones of more than 1,400 users across four continents.
Being so discrete in its working, and with its developers getting better at hiding any trace of the software, it is becoming harder to track the phones infected with the spyware. However, more recent reports by international media indicate that more than 50,000 phone numbers have been classified as being of interest to NSO clients. "Pegasus is probably one of the most capable remote access tools there is," said Alan Woodward, a cybersecurity professor at the University of Surrey, UK (Pegasus Spyware: How Does It Work?, 2021).
Who is being spied through this software? How are these people at risk? As per reports by the Forbidden Stories, nearly 200 journalists around the world has been the target of this spying spree, in the interests of NSO’s clients (Pegasus: The New Global Weapon for Silencing Journalists • Forbidden Stories, 2021). Over 180 journalists' phones were selected in 20 countries by at least 10 clients of NSO. Apart from these journalists, target users include human rights defenders, political opponents, lawyers, diplomats and heads of state. The reason for such spying seems pretty clear to almost everyone. Many of them being reporters from notable organisations, involved in highly classified investigations and operations, some even involving scandals and corrupt activities of personalities. Gaining access to information that could threaten people at the highest levels of power would be highly resourceful for NSO’s clients, which supposedly come from such eminent positions themselves. Journalists and reporters of many countries already face various levels of threats and restrictions in the forms of stalking, verbal threats, censorship and other forms of coercion. If this wasn’t enough to scare those who are involved in throwing light on some of the most important matters to make the public aware, the spyware with its highly invisible and discrete nature of surveillance, is a huge blow to the media’s confidence belonging to the countries believed to be buyers of the spying software. Such invasion into the devices of some of the most resourceful people in the country not only threatens the individuals but also their sources, leads, loved ones, acquaintances and so on. Getting hands-on highly sensitive information might stop it from reaching the public altogether.
Countries where journalists were chosen as targets as claimed by The Forbidden Stories Forbidden Stories investigation conveys that NSO’s clients range from countries with autocratic authorities like Bahrain, Morocco and Saudi Arabia to democracies like India and Mexico. NSO refused to confirm or deny the identity of its customers stating “contractual and national security considerations”. When approached by the Forbidden Stories, these alleged client countries either didn’t respond by deadline or denied the claims.
Despite constant claims by the NSO group that its products are used only to monitor activities of serious criminals and terrorists, the forensic analysis by Amnesty has brought to light the degree of surveillance of the targetted journalists and human rights defenders.
A Response from the NSO to such allegations As per a letter addressed to The Wire by Thomas Clare, a US-based attorney engaged by the NSO- said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that their sources had provided them with information with no “factual basis” (Read: NSO Group’s Response to the Pegasus Project and Our Take, 2021). Clare also wrote that the NSO Group had reason to believe that the records of thousands of numbers that the Pegasus Project’s media partners examined were not a list of Pegasus targets of various governments, but instead part of a larger list of numbers that “might have been used by NSO Group customers for other purposes.”
The Response of the Indian Central Govt The Indian union government has stated, “The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever.” and called the story “bereft of facts but also founded on pre-conceived conclusions”(The Pegasus Leak: What You Need to Know Right Now, 2021). In a statement released after these reports surfaced, Meity said India was a robust democracy that treated the right to privacy as a fundamental right (Bose, 2021). The ministry also added, "It is important to note that Government agencies have a well-established protocol for the interception, which includes sanction and supervision from highly ranked officials in central & state governments, for clearly stated reasons only in the national interest. The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever," it added in its reply.
What are the laws that oversee surveillance in India? It is important to discuss this in the context of the Pegasus spyware revelations as the Indian government claims that all surveillance taking place is done lawfully. Two laws namely; the Telegraph Act, 1985 and the Information Technology Act, 2000 govern communication surveillance in India (Vishwanath, 2021). The Telegraph Act allows for the interception of calls in case of an “occurrence of any public emergency, or in the interest of public safety” and the IT Act deals with surveillance of all electronic devices which allows for the interception, monitoring and decryption “for the investigation of an offence” in addition to the conditions already stated by the Telegraph Act. There are several gaps in the laws that are yet to be taken into consideration. The extremely wide reach of these laws and their effect on an individual’s privacy will inevitably make one wonder whether these are in compliance with the fundamental rights of citizens.
The Right to Privacy is a fundamental human right that states that “surveillance and censorship, can only be justified when they are prescribed by law”. Reports about the Pegasus software which claim that many journalists, politicians and experts around the world are under the radar of this sophisticated form of cyber-surveillance, have left people alarmed and in doubt of the Government’s true intentions. While both the Telegraph Act and IT Law mention specific conditions under which an individual can be monitored, surveillance and monitoring of journalists, politicians and activists, people who tend to hold some of the most sensitive and highly confidential information serves to directly threaten one’s fundamental right to privacy and might also eventually put under risk the freedom of opinion and expression. It is these people who truly bring out the true nature and shortfalls of the standing government, and an interference of such sort will directly hamper the liberty that they have earned through the very constitution of this country.
Conclusion Despite having denied any truth in the Pegasus Project and asserted that no unauthorised interception has taken place, the fear still remains as NSO has stated time and again that it sells its products only to governments and government’s institutions. By using these methods to hack into computers or phones, one is committing 'hacking', a punishable offence under the Information Technology Act, 2000. Be it the Indian government or a foreign government, both scenarios are quite bothering for the citizens.
What citizens wish for right now is for government to take the necessary action to investigate the legitimacy of these reports and give some concrete evidence to the public to support their stand on this matter. Finding the truth should be the aim of the government (Banerjee, 2021). Rather than blatantly calling such reports fake, the government must start with whether they purchased the spyware product or not. Only then can people look into whether the surveillance has been authorised or not. While authorised surveillance needs to be backed by well-founded reasoning, unauthorised surveillance of such kind is a punishable offence making it important for those involved in the same to be charged appropriately.
References
1. Varadarajan, S. (2021). Pegasus Project: How Phones of Journalists, Ministers, Activists May Have Been Used to Spy On Them. The Wire. https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying
2. FAQ: On the Pegasus Project’s Digital Forensics. (2021). The Wire. https://thewire.in/tech/faq-pegasus-project-digital-forensics
3. Pegasus spyware: How does it work? (2021, July 20). The Economic Times. https://economictimes.indiatimes.com/news/politics-and-nation/pegasus-spyware-how-does-it-work/articleshow/84571771.cms
4. Mazoomdaar, J. (2021, August 13). Explained: How Pegasus spyware infects a device; what data may be compromised. The Indian Express. https://indianexpress.com/article/explained/pegasus-whatsapp-spyware-israel-india-7410890/
5. Pegasus: The new global weapon for silencing journalists • Forbidden Stories. (2021, July 26). Forbidden Stories -. https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/
6. Read: NSO Group’s Response to the Pegasus Project and Our Take. (2021). The Wire. https://thewire.in/tech/pegasus-project-nso-response
7. The Pegasus leak: What you need to know right now. (2021, July 20). Tech2. https://www.firstpost.com/tech/news-analysis/the-pegasus-leak-what-you-need-to-know-right-now-9819351.html
8. Bose, S. K. (2021, July 18). “No Unauthorised Interception”: Government On Pegasus Spyware Row. NDTV.Com. https://www.ndtv.com/india-news/pegasus-spyware-report-centre-says-no-unauthorised-interception-by-government-agencies-2489425
9. Vishwanath, A. (2021, August 3). Explained: The laws for surveillance in India, and concerns over privacy. The Indian Express. https://indianexpress.com/article/explained/project-pegasus-the-laws-for-surveillance-in-india-and-the-concerns-over-privacy-7417714/
10. Banerjee, R. (2021, July 20). One Question: Did We Buy Or Not Buy Pegasus? Https://Www.Outlookindia.Com/. https://www.outlookindia.com/website/story/opinion-one-question-did-we-buy-or-not-buy-pegasus/388826
Comments