Business India ×
  Magazine:
Focus

Published on: July 26, 2021, 5:43 a.m.
Pegasus affair rocks the nation
  • Pegasus is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection

By Sarosh Bana. Executive Editor, Business India

Parliament was rocked by unruly scenes the other day when inflamed Opposition MPs reacted to worldwide reports on the use of an Israeli phone spyware by certain interested parties to snoop on select citizens who, in India, included Parliamentarians, journalists, activists, constitutional functionaries and other public figures – even a serving Union minister. As the newly-inducted Information Technology minister Ashwini Vaishnaw refuted the allegation of government-sponsored surveillance, though he himself was one of those targeted before joining the BJP, an irate Opposition member snatched his papers, tore them into pieces and flung them at the Chair. The concerned MP, Santanu Sen of Trinamool Congress, was suspended for the remaining part of the monsoon session, marking a new low in government-opposition ties. 

The Opposition has accused the government of compromising national security by collaborating with a foreign entity, apart from violating the privacy of its citizens, by deploying Pegasus, the spyware developed by the Israeli cyber-arms firm NSO group that can be covertly installed on mobile phones (and other devices) running on most versions of IOS and Android. “Is spying on India’s security forces, judiciary, cabinet ministers, Opposition leaders including Rahul Gandhi, journalists and other activities through a foreign entity’s spyware not treason and an inexcusable dismantling of national security?” Congress spokesman Randeep Surjewala asked at a press conference. The Opposition has demanded a judicial or Parliamentary inquiry into the ‘role’ of Prime Minister Narendra Modi in the matter, as also the dismissal of Home Minister Amit Shah. 

The government, on its part, has derided the Opposition for seeking ‘to malign Indian democracy and its well-established institutions’. In a press statement, Shah asserted: “This is a report by the disrupters for the obstructers. Disrupters are global organisations, which do not like India to progress. Obstructers are political players in India who do not want India to progress.”

Clearly, this is one controversy which is not going to die down soon. While every country has established procedures and protocols through which lawful interception of electronic communication is carried out for national safety and security and the mere presence of a phone number in the database is not confirmation that the corresponding device was hacked, the government has so far not been able to address the growing impression that red lines may have been breached, for its agencies to target political opponents, critics, activists and even those lobbying for lucrative arms deals. For one thing, it has yet to even deny that its agencies ever contracted Pegasus technology. 

 Abuse of power

The Pegasus controversy is certainly more than the constitutionally guaranteed right to privacy of individuals. The allegations have cast a shadow on the integrity of institutions. The Election Commission and, indirectly, even the Supreme Court have come within its sweep. Earlier, governments at the Centre and in some of the states have also operated in grey zones of espionage. There have been accusations of phone tapping of political opponents. 

And, there have been political casualties on this count as well, the most prominent being Ramakrishna Hegde, who lost the chief minister’s job in Karnataka, when his government was found tapping the phones of political rivals.

Yet, the nature of this alleged scandal is different – both because of the scale of the purported abuse of power and the political climate that forms its backdrop. The sophistication of technology now makes possible a level of invasiveness that wasn’t possible earlier. 

  • Shah: blaming disrupters and obstructers

    Shah: blaming disrupters and obstructers

Both the Indian and Israeli governments are under the scanner, because NSO acknowledges that it caters only to government entities and not private agencies or individuals, and, that too, after written approval from the Israeli defence ministry. According to NSO, the sale of spyware is meant for use against criminals and terrorists and made available only to military, law enforcement and intelligence agencies from countries with good human rights records. However, as the controversy snowballed, the impression that gained ground globally was that this was another case of an authoritarian government snooping on critics and busybodies. The Modi government’s known intolerance of dissent has made it an easy suspect. 

What made things even worse is that India was bracketed with countries like Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the UAE, where most of the telephone numbers held by 1,000 people spanning over 50 countries were clustered. Human rights bodies, digital rights activists and other freedom advocates across the world have expressed outrage that products sold by NSO, the Israeli surveillance technology company, were so brazenly used to hack and invade the private communications of thousands of people across the globe. In a statement, UN High Commissioner for Human Rights, Michelle Bachelet, found the apparent widespread use of Pegasus spy software to illegally undermine the rights of those under surveillance, including journalists and politicians, ‘extremely alarming’ and confirming ‘some of the worst fears’ surrounding the potential misuse of such technology.

Raman Jit Singh Chima, Asia Pacific Policy Director and Global Cybersecurity Lead at Access Now, notes that hacking is a crime, with no exceptions to be made, even if it is directed by a government. He demanded that the Indian government must answer whether its agencies or security services were dealing with NSO. “Previous statements have evaded the question, and vaguely asserted that safeguards are followed to avoid overboard surveillance. This is clearly not the case,” he said. “The largest democracy in the world cannot be at the mercy of a shady, private company.”

The leaked global database of 50,000 telephone numbers was first accessed by French non-profit Forbidden Stories and Amnesty International, essentially revisiting a global scandal that first emerged in 2019. They shared their information with 16 ‘media partners’, including Washington Post, Le Monde, Die Zeit, The Guardian and Indian news website The Wire, which concertedly carried reports of military-grade spyware from Israeli NSO Technologies group’s Pegasus company aiding 45 governments across the world, including India, to successfully hack the smart phones of thousands of citizens for tracking their activities in real time.

 Worm in your mobile!

In its responses before publication, NSO was quoted as calling the investigation’s findings ‘exaggerated and baseless’ and maintaining that it did not operate the spyware licensed to its clients. Post publication, NSO chief executive Shalev Hulio remarked, “We understand that in some circumstances, our customers might misuse the system and in some cases like we reported in (NSO’s) Transparency and Responsibility Report, we have shut down systems for customers, who have misused the system.”

It was recently reported that NSO group – which is based in Herzliya, near Tel Aviv, and also goes by the name Q Cyber Technologies – appeared unlikely to prevail in its bid to foil a lawsuit filed in October 2019 by the Facebook-owned WhatsApp messaging platform that publicly blamed NSO for the malware attacks. Named after the winged horse in Greek mythology, Pegasus worms its way into the mobile phones of its targets through WhatsApp’s video calling feature. During arguments in April, all three empanelled judges of the Ninth US Circuit Court of Appeals seemed disinclined to grant NSO’s request to dismiss the suit.

  • NSO’s Pegasus spyware unleashes malware attacks in its targets

    NSO’s Pegasus spyware unleashes malware attacks in its targets

The malware attack requires but a click on a specially crafted exploit link by the user to penetrate the security features on the phone and deliver a chain of zero-day exploits to install Pegasus without the user’s knowledge. When WhatsApp announced an update designed to block the malicious code, NSO developed an even more undetectable and supremely sophisticated software that could intrude simply via a missed call on the messaging app and breach the app’s encrypted communication system.

Pegasus reportedly exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands, and stream the target’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, a feature that NSO refers to as ‘room tap’.

According to WhatsApp’s plaint, Pegasus is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection. This cyber espionage tool cannot be uninstalled, even through factory reset, leaves no trace on the device, consumes minimal battery and memory, and has a self-destruct option that can be used any time. Even buying a new handset does not help, unless those targeted change all their passwords.

WhatsApp protects its own messaging application by the strongest encryption means known today, disallowing any third party, including itself, from viewing encoded messages as they traverse phones. Pegasus, however, disables this protection completely, enabling all conversations and attachments to be uploaded to the monitoring server silently in the background.

The government of India seems unlikely to ask NSO for an explanation. Though cyber laws are yet weak in India, Section 75 of the Information Technology Act, 2000, applies to “any offence or contravention committed outside India by any person irrespective of his nationality….. if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India”.

Though there are calls in India for the issue to be brought before the International Court of Justice, in The Hague, this will be a long-winded approach. A more viable option will be for the Supreme Court to step in and ensure that the government comes clean. The Pegasus allegations are debilitating in their potential effect on the trust that underpins the pact between government and people. The court must thus play its role in ensuring that the questions are answered, and due process is followed, no matter where it might lead to.

The top court’s intervention is essential because the countries on the list, India, the UAE and Saudi Arabia, have flatly denied any wrong-doing and agreed to a full enquiry. France has ordered a series of enquiries into surveillance of its citizens, including President Macron and his cabinet. The UK is considering an enquiry, given that about 400 citizens are on the list, with allegations they were under surveillance from NSO clients in the UAE. Algeria’s public prosecutor has also ordered an enquiry, the government accusing Morocco of targeting its citizens. In Hungary, the Budapest Regional Investigation Prosecutor’s Office said it will investigate the Pegasus case, for the suspected ‘crime of gathering unauthorised secret information’. 

  • Pegasus reportedly exploits the phone by linking to the NSO operator’s command and control (C&C) servers to receive and execute operator commands, and stream the target’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from mobile messaging apps

Technology sold only to governments

Even Israel’s new government has reportedly ordered an enquiry and set up a special commission to look into whether policy changes are needed for the export of surveillance tech. The country’s Defence Minister Benny Gantz has stressed that the technology is sold only to governments for legal use, that those countries must meet those terms and licences of those found in violation would be cancelled. If the Israeli investigation into the use of Pegasus software were to ever find that the government of India has misused the technology meant to target rogue agents, it could lead to a breach of contract, or a cancellation, which would impact bilateral ties. As it is, the Pegasus surveillance has been tied in India to former Israeli PM Netanyahu’s meeting with Modi in 2017. The current PM, Naftali Bennet was a minister at the time, but could distance his new government from the contract(s) if things get hot.

Of late, the Modi government has been hectoring Big Tech companies like Twitter on what’s right and wrong. It has been gloating about the rise of tech unicorns in India in a range of services, where the citizen’s phone and her data are, effectively, the engines of entrepreneurship. Trying to snoop unlawfully now not only maligns Indian democracy but also defeats the spirit of country’s tech prowess. Importantly, it blurs the lines between the totalitarian, shadowy statecraft in China and the democratic one in India. 

Besides, snooping on rivals it can extract serious costs, as it did in the case of Richard Nixon, former US president. It is not surprising that the Pegasus affair is therefore being compared by some to a mini-Watergate scandal. It is in the interest of all to make a clean breast of the Pegasus affair.

Focus

Case for an Indian Maersk

Houthi attacks and container crunch are hitting exporters’ profits, reigniting the debate for a bigger Indian shipping line

Corporate Report

How Lake Shore redefines urban retail

Lake Shore is redefining the retail experience for urban spaces

Corporate Report

Equitas scales up to become a universal bank

Equitas Small Finance Bank is on track to become a universal bank

Cover Feature

Is India’s banking sector at risk?

How significant is the debate around credit-deposit ratios in Indian banks?

E-MAGAZINE
Is India’s  banking sector at risk?
Retail Bug
PSUs: The Next Frontier
FROM THIS ISSUE

Government

M&A

States

Startup

Technology

Corporate Report

Agriculture

The introduction of black pepper as an inter-crop in the sopari and coconut orchards, has enabled farmers to cultivate crops simultaneously

Skill Development

In 2020-21, the programme reached over 112,482 girls in urban and rural locations across six states in India, including 10,000 across Delhi

Collaboration

The event brought together stakeholders and changemakers to participate in a series of conversations on global trends and recent developments

Healthcare

The programme will focus on educating children on oral health and building awareness around the dangers of tobacco use

Biogas

German BioEnergy enters Indian market

Published on Aug. 17, 2023, 11:54 a.m.

BioEnergy will showcase its innovative biogas technology in India

Mobility

Ather looks to double its market share

Published on Aug. 17, 2023, 11:26 a.m.

Ather aims to produce 20,000 units every month, soon

Green Hydrogen

‘Kerala Hydrogen ecosystem a model for all states’

Published on Aug. 17, 2023, 11:06 a.m.

German Development Agency, GIZ is working on a roadmap for a green hydrogen cluster in Kochi

Renewable Energy

Adani Green eyes 45GW RE

Published on Aug. 17, 2023, 10:45 a.m.

AGEL set to play a big role in India’s carbon neutrality target