The software secretly gathers data from a user’s phone/computer
Originally published on Global Voices
The Pegasus Project, a collaboration of 17 media organisations, released a report on July 18 detailing the potential hacking and illegal surveillance of 50,000 phone numbers, mostly in countries with authoritarian regimes, through the use of the Israeli-made spyware Pegasus. The targets of this alleged espionage include human rights defenders, activists, journalists, politicians, high-ranking public officials and business people. Reportedly, more than 1,000 phone numbers from India are a part of this list.
Pegasus users can access unencrypted content stored on a phone (messages, emails, photos, videos, etc.), record phone calls, track geo-locations and activate microphones and cameras without the user’s authorization.
The leaked list of Pegasus targets includes two phone numbers of Rahul Gandhi, a member of the Indian Parliament and the former President of the Indian National Congress (INC), who was unsuccessful in his election campaign against the incumbent Indian Prime Minister Narendra Modi in 2019. The Guardian noted that the selection of Indian phone numbers coincided with Modi’s 2017 visit to Israel that led to significant growth in the relationship between India and Israel. INC, the main opposition party in the Indian parliament, has accused Modi of ‘treason’ and compromising the country’s national security.
Also included on this list is the phone number of former bureaucrat Ashok Lavasa, who was an election commissioner in 2019. As commissioner, he argued for imposing sanctions on Modi for his heated political speeches, which were linked to increased attacks on Indian Muslims.
Ashwini Vaishnaw, India’s Minister of Railways, Communications and Electronics and Information Technology and Prahlad Singh Patel, the Minister of State for Jal Shakti (the water ministry), are two recently sworn-in ministers whose numbers have also been found on the list. Incidentally, Vaishnaw’s ministry oversees India’s digital surveillance regulations.
What is Pegasus?
The Pegasus Project includes 80 journalists from 17 media organizations from 10 countries, with Paris-based media not-for-profit Forbidden Stories coordinating and the human rights not-for-profit Amnesty International overseeing forensic tests. Siddharth Varadarajan and M.K. Venu, the two founding editors of the Wire, an independent Indian media organisation that is assisting in the investigations, both had devices infected with Pegasus. One other editor from the Wire and three regular contributors also had their phone numbers on the list.
Amnesty’s Security Lab produced a detailed technical report after analyzing the leaked list. So far they have analysed 67 phones and found traces of Pegasus in 37 of them. Citizen Lab, an interdisciplinary research lab based at the University of Toronto, Canada has independently reviewed and approved Amnesty’s forensic examination methods.
BREAKING: massive, global leak of the targets of NSO Group’s Pegasus spyware. *huge deal.*
We @citizenlab conducted peer review.
— John Scott-Railton (@jsrailton) July 18, 2021
While having a phone number on this list does not necessarily confirm that the phone has been infected with Pegasus, the users of these phones can theoretically be targetted by one of the NSO Group’s clients. The Amnesty Security Lab has also published the Mobile Verification Toolkit (MVT), an open-source mobile forensic tool to simplify the process of gathering and analysing data from potentially compromised Android and iOS devices.
The aftermath in India
Reporters Without Border calls India ‘one of the world’s most dangerous countries for journalists trying to do their job properly’, while placing the country’s Press Freedom Index at 140 out of 180 ranked countries. Journalists like Nitin Sethi cited conscious efforts to not report about the Pegasus Project in mainstream Indian media outlets.
Lesson for journalists: A controlled way to kill a story in the headline and by prioritizing down information in the main text. pic.twitter.com/YvXgEZuA19
— Nitin Sethi (@nit_set) July 20, 2021
The range of potential Pegasus victims is huge. It includes political activists who have been accused of Maoist links who were arrested in 2018 to those who opposed the National Register of Citizens (NRC) and Citizenship Amendment Act (CAA). Eight of the arrested activists were arrested based on evidence planted on their devices before their arrests. Both CAA and NRC are controversial for their alleged role in the probable displacement of more than 1.9 million residents — mostly minority Muslims — in the state of Assam.
Media outlets that are critical of Modi’s ruling Bharatiya Janata Party are seeing a retaliation in the form of tax raids. The noted Hindi-language newspaper Dainik Bhaskar was raided by tax officials on July 22. Dainik Bhaskar not only reported on Pegasus but has persistently questioned the government’s choice to downplay COVID-19 related deaths.
Under Prime Minister Modi several critical media outlets have found themselves in tax investigators’ cross-hairs, raising fears about the health of the independent press in the world’s largest democracy. With @gerryshih #DainikBhaskar https://t.co/DJovrPBVta
— Niha Masih (@NihaMasih) July 22, 2021
The Indian government has largely avoided addressing the issue, not confirming whether they purchased and or used Pegasus. An official response claimed that the recent report is based on conjecture:
The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.
Speaking in Rajya Sabha (the upper house of the Indian parliament), Vaishnaw termed the media reports on the government’s link to Pegasus a ‘sensational story’.
In the past, similar claims were made regarding the use of Pegasus on WhatsApp. Those reports had no factual basis and were categorically denied by all parties, including in the Supreme Court. pic.twitter.com/tDhNsLc8p0
— Ashwini Vaishnaw (@AshwiniVaishnaw) July 22, 2021
Journalist Barkha Dutta commented on the situation through Twitter:
I never thought I’d write the following : India’s IT Minister revealed to be on Pegasus list of surveillance targets on day he denied the charge of unauthorised surveillance.
— barkha dutt (@BDUTT) July 19, 2021
On July 22, 2021, public interest litigation was filed in the Indian supreme court, seeking a court-monitored probe by a Special Investigation Team into the reports about Pegasus’ intrusion in India.
Hacking devices for surveillance remains illegal in India. Other forms of interception and monitoring are permitted to authorised agencies via the Rule 419A of the Indian Telegraph Rules, 1951, Section 92 in the 1973 Code of Criminal Procedure, Section 69 and 69 B in the 2000 Information Technology Act of the Indian Constitution.
However, as Indian lawyer and co-founder of tech and policy nonprofit the Centre for Internet and Society Pranesh Prakash highlights, there is no clarity about when these rules apply. The Center for Public Interest Litigation and Software Freedom Law Center in Delhi each filed a petition in December 2020 looking to stop several state-run surveillance agencies. But many forms of rampant surveillance continue in India today. Indian society is currently grappling with the tensions between government surveillance and citizens’ right to privacy — a guaranteed constitutional right under Article 21 of the Indian Constitution.