-
Shah: blaming disrupters and obstructers
Both the Indian and Israeli governments are under the scanner, because NSO acknowledges that it caters only to government entities and not private agencies or individuals, and, that too, after written approval from the Israeli defence ministry. According to NSO, the sale of spyware is meant for use against criminals and terrorists and made available only to military, law enforcement and intelligence agencies from countries with good human rights records. However, as the controversy snowballed, the impression that gained ground globally was that this was another case of an authoritarian government snooping on critics and busybodies. The Modi government’s known intolerance of dissent has made it an easy suspect.
What made things even worse is that India was bracketed with countries like Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the UAE, where most of the telephone numbers held by 1,000 people spanning over 50 countries were clustered. Human rights bodies, digital rights activists and other freedom advocates across the world have expressed outrage that products sold by NSO, the Israeli surveillance technology company, were so brazenly used to hack and invade the private communications of thousands of people across the globe. In a statement, UN High Commissioner for Human Rights, Michelle Bachelet, found the apparent widespread use of Pegasus spy software to illegally undermine the rights of those under surveillance, including journalists and politicians, ‘extremely alarming’ and confirming ‘some of the worst fears’ surrounding the potential misuse of such technology.
Raman Jit Singh Chima, Asia Pacific Policy Director and Global Cybersecurity Lead at Access Now, notes that hacking is a crime, with no exceptions to be made, even if it is directed by a government. He demanded that the Indian government must answer whether its agencies or security services were dealing with NSO. “Previous statements have evaded the question, and vaguely asserted that safeguards are followed to avoid overboard surveillance. This is clearly not the case,” he said. “The largest democracy in the world cannot be at the mercy of a shady, private company.”
The leaked global database of 50,000 telephone numbers was first accessed by French non-profit Forbidden Stories and Amnesty International, essentially revisiting a global scandal that first emerged in 2019. They shared their information with 16 ‘media partners’, including Washington Post, Le Monde, Die Zeit, The Guardian and Indian news website The Wire, which concertedly carried reports of military-grade spyware from Israeli NSO Technologies group’s Pegasus company aiding 45 governments across the world, including India, to successfully hack the smart phones of thousands of citizens for tracking their activities in real time.
Worm in your mobile!
In its responses before publication, NSO was quoted as calling the investigation’s findings ‘exaggerated and baseless’ and maintaining that it did not operate the spyware licensed to its clients. Post publication, NSO chief executive Shalev Hulio remarked, “We understand that in some circumstances, our customers might misuse the system and in some cases like we reported in (NSO’s) Transparency and Responsibility Report, we have shut down systems for customers, who have misused the system.”
It was recently reported that NSO group – which is based in Herzliya, near Tel Aviv, and also goes by the name Q Cyber Technologies – appeared unlikely to prevail in its bid to foil a lawsuit filed in October 2019 by the Facebook-owned WhatsApp messaging platform that publicly blamed NSO for the malware attacks. Named after the winged horse in Greek mythology, Pegasus worms its way into the mobile phones of its targets through WhatsApp’s video calling feature. During arguments in April, all three empanelled judges of the Ninth US Circuit Court of Appeals seemed disinclined to grant NSO’s request to dismiss the suit.
-
NSO’s Pegasus spyware unleashes malware attacks in its targets
The malware attack requires but a click on a specially crafted exploit link by the user to penetrate the security features on the phone and deliver a chain of zero-day exploits to install Pegasus without the user’s knowledge. When WhatsApp announced an update designed to block the malicious code, NSO developed an even more undetectable and supremely sophisticated software that could intrude simply via a missed call on the messaging app and breach the app’s encrypted communication system.
Pegasus reportedly exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands, and stream the target’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, a feature that NSO refers to as ‘room tap’.
According to WhatsApp’s plaint, Pegasus is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection. This cyber espionage tool cannot be uninstalled, even through factory reset, leaves no trace on the device, consumes minimal battery and memory, and has a self-destruct option that can be used any time. Even buying a new handset does not help, unless those targeted change all their passwords.
WhatsApp protects its own messaging application by the strongest encryption means known today, disallowing any third party, including itself, from viewing encoded messages as they traverse phones. Pegasus, however, disables this protection completely, enabling all conversations and attachments to be uploaded to the monitoring server silently in the background.
The government of India seems unlikely to ask NSO for an explanation. Though cyber laws are yet weak in India, Section 75 of the Information Technology Act, 2000, applies to “any offence or contravention committed outside India by any person irrespective of his nationality….. if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India”.
Though there are calls in India for the issue to be brought before the International Court of Justice, in The Hague, this will be a long-winded approach. A more viable option will be for the Supreme Court to step in and ensure that the government comes clean. The Pegasus allegations are debilitating in their potential effect on the trust that underpins the pact between government and people. The court must thus play its role in ensuring that the questions are answered, and due process is followed, no matter where it might lead to.
The top court’s intervention is essential because the countries on the list, India, the UAE and Saudi Arabia, have flatly denied any wrong-doing and agreed to a full enquiry. France has ordered a series of enquiries into surveillance of its citizens, including President Macron and his cabinet. The UK is considering an enquiry, given that about 400 citizens are on the list, with allegations they were under surveillance from NSO clients in the UAE. Algeria’s public prosecutor has also ordered an enquiry, the government accusing Morocco of targeting its citizens. In Hungary, the Budapest Regional Investigation Prosecutor’s Office said it will investigate the Pegasus case, for the suspected ‘crime of gathering unauthorised secret information’.
-
Pegasus reportedly exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands, and stream the target’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from mobile messaging apps
Technology sold only to governments
Even Israel’s new government has reportedly ordered an enquiry and set up a special commission to look into whether policy changes are needed for the export of surveillance tech. The country’s Defence Minister Benny Gantz has stressed that the technology is sold only to governments for legal use, that those countries must meet those terms and licences of those found in violation would be cancelled. If the Israeli investigation into the use of Pegasus software were to ever find that the government of India has misused the technology meant to target rogue agents, it could lead to a breach of contract, or a cancellation, which would impact bilateral ties. As it is, the Pegasus surveillance has been tied in India to former Israeli PM Netanyahu’s meeting with Modi in 2017. The current PM, Naftali Bennet was a minister at the time, but could distance his new government from the contract(s) if things get hot.
Of late, the Modi government has been hectoring Big Tech companies like Twitter on what’s right and wrong. It has been gloating about the rise of tech unicorns in India in a range of services, where the citizen’s phone and her data are, effectively, the engines of entrepreneurship. Trying to snoop unlawfully now not only maligns Indian democracy but also defeats the spirit of country’s tech prowess. Importantly, it blurs the lines between the totalitarian, shadowy statecraft in China and the democratic one in India.
Besides, snooping on rivals it can extract serious costs, as it did in the case of Richard Nixon, former US president. It is not surprising that the Pegasus affair is therefore being compared by some to a mini-Watergate scandal. It is in the interest of all to make a clean breast of the Pegasus affair.