In-Depth: Pegasus spyware scandal and growing chorus to regulate private surveillance
India woke up on July 19 to explosive revelations by a consortium of news publications about eminent politicians, journalists, activists, and bureaucrats allegedly being under illegal surveillance using Pegasus, a spyware developed by an Israeli firm.
The claims were based on a document leaked to Forbidden Stories, a Paris-based non-profit media organisation, and Amnesty International, which collaborated with a clutch of media companies, including the Washington Post, the Guardian, Le Monde, and Delhi-based The Wire, to analyse and publish the list.
The list contains 50,000 telephone numbers of people identified as potential targets via Pegasus between 2016 and June 2021. The names include at least 65 business executives, 85 human rights activists, 189 journalists and over 600 politicians and government officials, including heads of state, prime ministers, cabinet ministers, diplomats, military and security officers.
Over 300 people in the list were Indian politicians, activists, business persons and journalists.
NSO Group, which created and leases the Pegasus spyware, has denied such a list exists. It said the spyware is only meant for use in fighting crime and that it is exported only after the approval of Israel's defence ministry.
It is yet to be ascertained who put the numbers on the list or why.
While the presence of a number in the list does not necessarily mean it was hacked, investigators were able to confirm with forensic analysis that at least 37 smartphones of journalists, human rights activists and business executives were hacked.
Believed to be one of the most powerful mobile phone hacking tools available, Pegasus enables clients to secretly read every message of a target, track their location, operate their microphone and even film them through their camera remotely.
The malware infects both iOS and Android devices and grants access to all information stored in a smartphone.
[title]Calls for probe[/title]
A petition has been filed in the Supreme Court seeking an independent probe by its sitting or retired judge into reports of snooping. The court will hear the petition next week.
Over 300 verified Indian mobile phone numbers, including those of two ministers, over 40 journalists, three opposition leaders, several businesspersons and activists in India were allegedly targeted.
Opposition leaders, including former Congress President Rahul Gandhi, Minister of State for Jal Shakti Prahlad Singh Patel, Railways and IT Minister Ashwini Vaishnaw, a former CBI chief and at least 40 journalists are on the list of the leaked database.
However, it is not established that all the phones were hacked.
Supreme Court lawyer and cyber law expert Pavan Duggal says that the allegations must be investigated as privacy is a part of the fundamental Right to Life.
“It can only be deprived of in a court-issued procedure established by the law. At present, the government can only lawfully intercept under Section 69 of the Information Technology Act and on certain limited grounds,” Duggal told Moneycontrol.
Since a spyware is not authorised under the law, the use of malware like Pegasus amounts to cybercrime, he added.
Congress has demanded an inquiry into the Pegasus scandal, accusing the government of "treason".
“The prime minister and the home minister have used this weapon against the Indians and our institutions. The only word for this is treason.... and this has to be investigated,” said Rahul Gandhi, one of the politicians on the list.
Besides, in a letter to Chief Justice of India (CJI) NV Ramana, over 500 individuals and groups have called for an immediate intervention of the Supreme Court in the matter.
The letter, signed by activists, including Aruna Roy, Anjali Bhardwaj, Harsh Mander, scholars and eminent lawyers like Vrinda Grover, Jhuma Sen among others, calls on the top court to declare a moratorium on the export, sale, transfer and use of Pegasus spyware in India.
They also urged the court to direct the Centre and the Israeli firm NSO to answer questions regarding the “state-sponsored cyber-warfare” waged against Indian citizens.
President Ram Nath Kovind has also been urged to intervene in the matter. Seven opposition parties recently wrote to Kovind seeking directions to discuss the Pegasus report in the ongoing Monsoon session of Parliament.
BSP, RLP, SAD, National Conference, CPI, CPI(M), NCP are the signatories to the letter.
The Union Government has thus far rejected spying claims and said that any covert surveillance is done as per strict rules and oversight.
Union ministers, including Home Minister Amit Shah, have alleged that the release of the reports by the global media consortium was deliberately coordinated to coincide with the eve of the current session of the Indian parliament.
However, the Centre has neither accepted nor denied claims that it is a client of NSO Group.
Meanwhile, the Parliament could hardly transact any business as the Pegasus issue dominated the discourse since the Monsoon Session started on July 19.
Congress party workers carrying banners and placards shout slogans as they take part in a demonstration against the BJP-led government against alleged surveillance operation using the Pegasus spyware, in New Delhi on July 20, 2021. (Photo by Prakash SINGH /AFP)
There is no law that prohibits the Centre from procuring spyware like Pegasus. The government can lawfully surveil only under limited circumstances under Section 69 of the IT Act. But even for those instances, the government cannot use spyware.
“Spyware usage is tantamount to hacking of a communication device. It performs activities like copying data, sending data to outside device, all without the permission or knowledge of the concerned person. These are classical offences under Section 66, 43 of the IT Act,” said Duggal.
He said spyware cannot be brought within lawful interception under Section 69 of the Act.
[title]Response across the globe[/title]
Like COVID-19, the controversy has led to different symptoms in countries named on the list. While Saudi Arabia and UAE have dismissed allegations that they used Pegasus malware to spy on journalists and human rights activists, protests have erupted in Hungary, which is the only EU country listed as a potential user of the spyware.
Staging a protest in Hungary's capital, around 1,000 protesters demanded answers to allegations that the country's right-wing government used Pegasus to secretly monitor journalists, lawyers and business figures.
Hungarian prosecutors have said they had opened a probe into allegations.
French President Emmanuel Macron held an emergency cybersecurity meeting recently to weigh possible government action after reports that his cell phone and those of government ministers may have been targeted by spyware.
French newspaper Le Monde, a member of the consortium, in a report said that a Moroccan security agency had Macron and 15 then-members of the French government on a list of potential targets of the spyware in 2019.
The Moroccan government has denied wrongdoing, saying that it "never acquired computer software to infiltrate communication devices".
Morocco has even filed defamation claims against Amnesty International and Forbidden Stories.
Moroccan King Mohammed VI and other royals are also on the list of numbers identified as potential Pegasus targets by Moroccan intelligence services.
Kazakhstan has also said the claims are "without evidence".
A man holds up a poster showing Hungary's Prime Minister Viktor Orban reading: "We say no to your observation! Do you want me to steal our privacy?" during a protest against the Hungarian government for using Pegasus spyware to monitor journalists, opposition leaders and activists in Budapest, Hungary, July 26, 2021. REUTERS/Marton Monus
[title]History of abusive surveillance[/title]
Pegasus first garnered limelight in 2016 after it was discovered on a smartphone that belonged to a human rights activist. Since then, there have been several revelations, including that it was installed on the device used by the wife of Jamal Khashoggi, the US-based critic of the Saudi Arabia government, who was killed in the Saudi consulate in Istanbul in October 2018.
Experts believe Pegasus uses boobytrapped text messages to install itself onto the target’s phones. The person is required to click on the link in the message for the spyware to download.
But this limits the chances of successful installation, with phone users growing increasingly wary of clicking on suspicious links.
To eliminate the uncertainty, more recent versions of Pegasus have exploited weak spots in software commonly installed on mobiles.
Now, by simply calling a person via WhatsApp, Pegasus could secretly download itself onto their phone -- even if the call was never answered. Moreover, the spyware even deletes the call logs, leaving no trace.
Facebook has sued NSO Group in the US for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with a zero-click exploit.
The spyware is also reported to have exploited weaknesses in iPhone’s iMessage app. The exploit, called zero-click, allows Pegasus to become operational without needing any user input.
Since the recent developments, NSO Group has on multiple occasions vehemently denied any wrongdoing and claims the global investigation is “full of wrong assumptions and uncorroborated theories.”
According to the group, these allegations are “so outrageous and far from reality” that it is considering a “defamation lawsuit”.
NSO also insists its software is only intended for use in fighting terrorism and other crimes.
It also reiterated that the spyware is exported only after Israel's defence ministry’s approval given the sensitive nature of the sector.
The firm also says it only sells its software to “vetted government agencies”.
In another statement titled ‘Enough is Enough’ the firm announced that it will no longer be responding to media inquiries on this matter and it will “not play along with the vicious and slanderous campaign”.
NSO licenses Pegasus to governments in 45 undisclosed countries, and has maintained that it does not operate the systems once sold to its clients, nor does it have access to the data of its clients’ targets.
After the list came to light, Israel's defence establishment set up a committee to review the firm's business, including the process through which export licenses are granted. Israel has also denied having access to information from Pegasus.
French President Emmanuel Macron, center, leads an emergency security meeting at the Elysee Palace, Thursday, July 22, 2021. French President Emmanuel Macron convened an emergency security meeting Thursday to discuss the government’s response to reports that the cell phones of Macron and top French officials may have been targeted by spyware. (Ludovic Marin/Pool Photo via AP)
[title]Not the only one[/title]
Tech giants, including Apple and Google, invest huge amounts of money every year in ensuring that their systems aren't vulnerable to hackers. The companies also offer “bug bounties” -- handsome rewards to hackers if they warn the company of flaws in their software. But the system is never foolproof.
Although NSO Group has been in the eye of a storm over Pegasus, it is not the only company helping governments suppress dissent with their surveillance technology.
A recent investigation by The Citizen Lab found another Israeli company that sells spyware called Candiru to foreign governments.
The spyware appears to have been similarly used to target dissidents, journalists, human rights defenders, activists, and politicians.
The Citizen Lab along with Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia and Singapore.
In 2017, Citizen Lab found that Ethiopia had used spyware developed by yet another Israeli firm -- Cyberbit -- to infect the computers of exiled dissidents.
Israel is not the only country hosting companies that sell “hack-for-hire” spyware. Similar to Pegasus, Germany's FinFisher is also marketed as a tool to agencies to fight crime. But it has also faced accusations of being used for abusive surveillance, including on Bahraini journalists and activists.
Besides, Italian firm Hacking Team was at the centre of its own Pegasus-style scandal in 2015 when a leak revealed it was selling spyware to dozens of governments worldwide.
While these may be the ones in the news, others also offer expertise in the same kind of technology.
The controversy has raised the pitch of calls for regulation of the surveillance industry. Amnesty International has called for a moratorium on the sale and use of surveillance technology.
In a statement, it warned of "the devastating impact of the poorly regulated spyware industry on human rights worldwide."
"Not only does it expose the risk and harm to those individuals unlawfully targeted, but also the extremely destabilising consequences on global human rights and the security of the digital environment at large," Agnes Callamard, Amnesty's Secretary-General, said in the statement.
Amnesty called for an immediate moratorium on any export, sale, transfer and use of surveillance technology "until there is a human rights-compliant regulatory framework in place."
As the Pegasus scandal rumbles on, the chorus is growing for the private surveillance industry to face greater scrutiny. But in reality, it is easier said than done as almost all stakeholders are responsible for keeping this industry secretive and unregulated because they benefit from it.
In recent times, the “hackers-for-hire” industry has boomed with spyware becoming a more widely used tool of oppression. It is powerful, easy to outsource and difficult to trace.
And since no target is too small, anyone with a computer or smartphone is vulnerable.
Duggal, who specializes in the field of cyberlaw, believes appropriate checks and balances are needed to stem the misuse of such snooping tools.
“There is no denying the fact that usage of spyware constitutes a direct violation of the fundamental right to privacy. Ultimately, it is crucial to restore the confidence of the people,” he said.
Duggal says that the time has come for the digital liberties of users to be appropriately protected in India.
While no one explosive revelation can upend the international order, cumulatively, these reports suggest that privacy is no longer sacrosanct.
And, if nothing else, the recent reports are a testament to the fact that almost no one is too pedestrian to be targeted.
The cover image was made by Suneesh Kalarickal.