Pegasus Watch

At a time when the Indian government is locked in a tussle with social network service providers over guarding the privacy of users and preserving their right to criticise government actions and policies, a shattering report published July 18 reveals activists, politicians and journalists from around the world are under surveillance with the help of the Israeli company NSO Group’s software – Pegasus. As per the NSO’s declared policy, only government agencies are sold the spyware to track terrorists and India is among its clients. In fact, phones of 40 Indian journalists and social activists, two Union ministers and three Opposition leaders were among those allegedly bugged and kept under watch. An investigation by the France-based media non-profit Forbidden Stories and Amnesty International into a massive data leak was shared with The Guardian, The Washington Post, The Wire (of India) and 15 other media outlets.

The report said ‘authoritarian governments’ abused the Pegasus software, ‘hacking smartphones.’ The leak contains a list of more than 50,000 numbers believed to have been of interest to clients of NSO since 2016. Over 1,000 individuals, including 189 journalists, 600 politicians, 65 business executives and 85 human rights activists in 50 countries were allegedly selected by NSO clients for potential surveillance.

The Washington Post reported numbers on the list also belonged to heads of states and prime ministers, members of Arab royal families and diplomats. The inclusion of the numbers of heads of states and ministers suggest their relatives were also being spied on. The list included journalists for media organisations around the world including The Hindustan Times, The Hindu, The Wire, The Indian Express, Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, The Associated Press, Le Monde, Bloomberg, The Economist, Reuters and Voice of America, among others.

According to forensic analysis by Amnesty’s Security Lab, two women, close to slain Saudi columnist Jamal Khashoggi, were targeted with Pegasus spyware. The phone of Khashoggi’s fiancée, Hatice Cengiz, was infected with the spyware days after his murder in the Saudi consulate in Istanbul in October 2018, the Washington Post reported.

The surveillance tool developed by NSO is so sophisticated that the victims can be easily taken off guard and their phones hacked through the technique called ‘zero click’. Claudio Guarnieri, who runs Amnesty International’s Security Lab, said once a phone was infected with Pegasus, a client of NSO could in effect take control of the phone, enabling them to extract a person’s messages, calls, photos and emails, secretly activate cameras or microphones, and read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal. By accessing GPS and hardware sensors in the phone, a person’s past movements and present location can also be tracked with pinpoint accuracy. By simply placing a WhatsApp call to a target device, Pegasus code could be installed on the phone, even if the target never answered the call. The scale is staggering compared with anything the world has ever seen.

Predictably, the NSO, which previously alleged police abuses of its software, has firmly denied what it calls ‘false claims’. It said in a release published by The Guardian that most of the claims are “uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.”

Amnesty International insists the spyware is being used since December to compromise telephones of journalists of well known media outlets in four continents. Forensic tests conducted as part of this project showed clear signs of targeting by Pegasus spyware in hundreds of phones, of which 300 are Indian. The leaked database was accessed by Forbidden Stories and Amnesty International as part of a collaborative investigation called the ‘Pegasus Project’. A majority of the numbers identified in the list were geographically concentrated in 10 country clusters: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

India’s Ministry of Electronics and Information Technology has immediately begun damage control, asserting the allegations regarding government surveillance on specific people have no ‘concrete basis’. Ironically, the newly appointed Minister for Electronics and Information Technology Ashwini Vaishnaw who denied misuse of Pegasus in India has had his name come up in the list of Indians being spied on. The government’s defence appears to be on weak grounds since NSO’s declared policy is to pass on its spyware only to governments and their agencies and India is one of its clients. If that is so, it is no big guess who is using Pegasus for snooping on India’s journalists, social activists and politicians. This snooping spyware was supposedly to be used against terror and criminal activities. Unfortunately in India, it is being exclusively used for monitoring those whom the Central government does not trust.