Pegasus Issue Explained

Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company.

The report, by a global media consortium, expands public knowledge of the target list used in NSO's military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them, the groups have decried the virtual absence of regulation of commercial surveillance tools.

A number of reports on Pegasus Spyware in India indicate that at least 1,000 Indian phone numbers are in a list of potential targets of surveillance using the Pegasus spyware. An Israeli company, the NSO Group, sells the Pegasus spyware to “vetted governments”.

The evidence is strong that Indian citizens were indeed targets of a vicious and uncivil surveillance campaign by a government entity, Indian or foreign.

About the Pegasus Project

• Pegasus is a type of malware classified as a spyware. Pegasus enables law enforcement and intelligence agencies to remotely and covertly extract” data “from virtually any mobile devices”
• The Spyware Pegasus can gain access to devices without the knowledge of users. After this, it can gather personal information and relay it back to whoever is using the software to spy.
• A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error. Pegasus can infect a device without the target’s engagement or knowledge. So, all awareness about how to avoid a phishing attack or which links not to click are pointless.
• The Israeli firm NSO Group (set up in 2010) developed the Pegasus spyware. Since then, NSO’s attack capabilities have become more advanced.

How compromising is Pegasus?

• Upon installation, Pegasus contacts the attacker’s command and control (C&C) servers to receive and execute instructions and send back the target’s private data. This data can include passwords, contact lists, text messages, and live voice calls (even those via end-to-end-encrypted messaging apps).
• The attacker can control the phone’s camera and microphone, and use the GPS function to track a target.
• To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server.
• The spyware can evade forensic analysis and avoid detection by anti-virus software. Also, the attacker can remove and deactivate the spyware, when and if necessary.

Pegasus Spyware Earlier Controversy

• Researchers discovered the earliest version of Pegasus in 2016. This version infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
• In 2019, WhatsApp blamed the NSO Group for exploiting a vulnerability in its video-calling feature which secretly transmitted malicious code in an effort to infect the victim’s phone with spyware without the person even having to answer the call.
• In 2020, a report showed government operatives used Pegasus to hack phones of employees at Al Jazeera and Al Araby.

Recent Pegasus Spyware Attacks in India

• Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm. Indian ministers, government officials and opposition leaders also figure in the list.
• In India, several opposition leaders including Rahul Gandhi were on the leaked potential targets’ list.
• Smartphones of Politicians, Journalists were hacked for gathering confidential information.
• This is the first time in the history of this country that all pillars of our democracy — judiciary, parliamentarians, media, executives and ministers — have been spied upon.
• The Indian government has denied any wrong doing or carrying out any unauthorised surveillance. However, the government has not confirmed or denied whether it has purchased or deployed Pegasus spyware.

Issues with Government’s surveillance

• In 2012 in Himachal Pradesh, the new government raided police agencies and recovered over a lakh phone conversations of over a thousand people, mainly political members, and many senior police officials, including the Director General of Police (DGP), who is legally responsible for conducting phone taps in the State.
• In 2013, India’s current Home Minister Amit Shah was embroiled in a controversy dubbed “Snoopgate”, with phone recordings alleged to be of him speaking to the head of an anti-terrorism unit to conduct covert surveillance without any legal basis (as there was no order signed by the State’s Home Secretary which is a legal necessity for a phone tap).
• The UPA government in 2009 said that the CBDT had placed a PR professional, under surveillance due to fears of her being a foreign spy. Later on, the CBDT did not prosecute the person.
• Such examples of unlawful surveillance which seem to be for political and personal gain are antithetical to the basic creed of democracy. Consequently, they also bring up the need for ensuring that the surveillance is necessary and proportionate.

Legislations on Surveillance

The laws authorising interception and monitoring of communications are:

• Section 92 of the Criminal Procedure Code (CrPC)
• Rule 419A of the Telegraph Rules, and
• The rules under Sections 69 and 69B of the IT Act

Who can conduct Surveillance?

A limited number of agencies are provided powers to intercept and monitor.

• In 2014, the Ministry of Home Affairs told Parliament that nine central agencies and the DGPs of all States and Delhi were empowered to conduct interception under the Indian Telegraph Act.
• In 2018, 9 central agencies and 1 State agency were authorised to conduct intercepts under Section 69 of the IT Act.
• The Intelligence Organisations Act, which restricts the civil liberties of intelligence agency employees, only lists four agencies. However, the RTI Act lists 22 agencies as “intelligence and security organisations established by the central government” that are exempt from the RTI Act.

K.S. Puttaswamy judgment, 2017 regarding Surveillance

• The K.S. Puttaswamy judgment, 2017, made it clear that any invasion of privacy could only be justified if it satisfied three tests:
  1. The restriction must be by law;
  2. It must be necessary (only if other means are not available) and proportionate (only as much as needed);
  3. It must promote a legitimate state interest (e.g., national security).

• The judgement held that privacy concerns in this day and age of technology can arise from both the state as well as non-state entities. As such, a claim of violation of privacy lies against both of them.
• The Court also held that informational privacy in the age of the internet is not an absolute right and when an individual exercises his right to control over his data, it may lead to the violation of his privacy to a considerable extent.
• It was also laid down that the ambit of Article 21 is ever-expanding due to the agreement over the years among the Supreme Court judges. A plethora of rights have been added to Article 21 as a result.
• The court stated that Right to Privacy is an inherent and integral part of Part III of the Constitution that guarantees fundamental rights. The conflict in this area mainly arises between an individual’s right to privacy and the legitimate aim of the government to implement its policies. Thus, we need to maintain a balance while doing the same.

Various recommendations in the past regarding Surveillance

• In 2010, then Vice-President called for a legislative basis for India’s agencies and the creation of a standing committee of Parliament on intelligence to ensure that they remain accountable and respectful of civil liberties.
• The Cabinet Secretary in a note on surveillance in 2011 held that the Central Board of Direct Taxes having interception powers was a continuing violation of a 1975 Supreme Court judgment on the Telegraph Act.
• In 2013, the Ministry of Defence-funded think-tank published a report which recommended that the intelligence agencies in India must be provided a legal framework for their existence and functioning; their functioning must be under Parliamentary oversight and scrutiny.
• In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”. This is because they are not constituted under a statute passed by Parliament — the National Investigation Agency being an exception.