By Sarosh Bana
India’s Parliament was rocked on Monday when inflamed Opposition MPs reacted to worldwide reports on the government’s use of an Israeli spyware to cybersnoop on select citizens, who included certain Parliamentarians, even two ministers, journalists, activists and other public figures disenchanted with the leadership.
It was incongruous seeing newly-inducted IT minister Ashwini Vaishnaw downplaying the alleged government-sponsored surveillance when he himself was one of those targeted, even as the Opposition cried “treason” and demanded a judicial or Parliamentary inquiry into the “role” of Prime Minister Narendra Modi in the matter as also the dismissal of his confidant, Home Minister Amit Shah.
In what has now become customary in most controversies, the government equated itself with the nation by deriding the Opposition for seeking “to malign Indian democracy and its well-established institutions”. In a press statement that avoided any mention of the government’s involvement in the matter, Shah asserted: “This is a report by the disrupters for the obstructers. Disrupters are global organisations, which do not like India to progress. Obstructers are political players in India who do not want India to progress.”
The leaked global database of 50,000 telephone numbers was first accessed by French non-profit Forbidden Stories and Amnesty International, essentially revisiting a global scandal that first emerged in 2019. They shared their information with 16 “media partners”, including Washington Post, Le Monde, Die Zeit, the Guardian and Indian news website The Wire, which concertedly carried reports of military-grade spyware from Israeli NSO Technologies Group’s Pegasus company aiding 45 governments across the world, including India, to successfully hack the smartphones of thousands of citizens for tracking their activities in real time.
In its responses before publication, NSO was quoted as calling the investigation’s findings “exaggerated and baseless” and maintaining that it did not operate the spyware licensed to its clients. Post publication, NSO chief executive Shalev Hulio remarked, “We understand that in some circumstances, our customers might misuse the system and in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
Those in India who have been targeted can seek judicial recourse, especially considering that the Supreme Court in a 2017 judgment had recognised privacy as a Fundamental Right, including identity privacy in the digital age. However, the suggestion for a Data Protection Bill that had been made in 2018 by a 10-member committee, headed by retired Supreme Court judge B.N. Srikrishna, has remained pending even after three years before a Joint Parliamentary Committee.
There are moreover calls in India for the Pegasus issue to be brought before the International Court of Justice, in The Hague, which is the principal judicial organ of the United Nations. Both the Indian and Israeli governments are being held cognisable, because NSO acknowledges that it caters only to government entities and not private agencies or individuals, and that too after written approval from the Israeli defence ministry. In this instance, it is not perceived to be akin to foreign military, political or financial assistance to a country in fighting anti-national militia or rebels, but to siding with a government that seeks to crack down on dissenters and, in India’s case, violates the Constitution, Article 19 of which guarantees the right to freedom of speech and expression to all citizens.
In a statement put out on Monday, UN High Commissioner for Human Rights, Michelle Bachelet, found the apparent widespread use of Pegasus spy software to illegally undermine the rights of those under surveillance, including journalists and politicians, “extremely alarming” and confirming “some of the worst fears” surrounding the potential misuse of such technology.
It was recently reported that NSO Group – which is based in Herzliya, near Tel Aviv, and also goes by the name Q Cyber Technologies – appeared unlikely to prevail in its bid to foil a lawsuit filed in October 2019 by the Facebook-owned WhatsApp messaging platform that publicly blamed NSO for the malware attacks. Named after the winged horse in Greek mythology, Pegasus worms its way into the mobile phones of its targets through WhatsApp’s video calling feature. During arguments in April, all three empanelled judges of the 9th US Circuit Court of Appeals seemed disinclined to grant NSO’s request to dismiss the suit.
The malware attack requires but a click on a specially crafted exploit link by the user to penetrate the security features on the phone and deliver a chain of zero-day exploits to install Pegasus without the user’s knowledge. When WhatsApp announced an update designed to block the malicious code, NSO developed an even more undetectable and supremely sophisticated software that could intrude simply via a missed call on the messaging app and breach the app’s encrypted communication system.
Pegasus reportedly exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands, and stream the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, a feature that NSO refers to as “room tap”.
According to WhatsApp’s plaint, Pegasus is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection. This cyber espionage tool cannot be uninstalled, even through factory reset, leaves no trace on the device, consumes minimal battery and memory, and has a self-destruct option that can be used any time. Even buying a new handset does not help, unless those targeted change all their passwords.
WhatsApp protects its own messaging application by the strongest encryption means known today, disallowing any third party, including itself, from viewing encoded messages as they traverse phones. Pegasus, however, disables this protection completely, enabling all conversations and attachments to be uploaded to the monitoring server silently in the background.
The Indian government seems unlikely to ask NSO for an explanation. Though cyber laws are yet weak in India, Section 75 of the Information Technology Act, 2000, applies to “any offence or contravention committed outside India by any person irrespective of his nationality”…..“if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India”.