In India, while the government refused to initiate any probe into the Pegasus row, the Technical Committee appointed by India’s Supreme Court has been recording statements from experts and petitioners.
As part of the investigation, cybersecurity expert Anand Venkatanarayanan analysed the smartphones of Siddharth Varadarajan, founding editor, The Wire and Sushant Singh, senior fellow, Centre for Policy Research and a former defence journalist, Indian Express. They were found to have been infected with Pegasus.
While appearing before the Committee headed by former Supreme Court Judge Justice RV Raveendran, Venkatanarayanan concluded:
“I found out is that malware was indeed found on the phones of Siddharth Varadarajan and Sushant Singh, who are journalists. The malware is indeed the Pegasus of NSO and that there are enough indicators that the Indian state had bought Pegasus.”
The conclusions are in sync with the latest The New York Times report. According to the NYT report, Pegasus has been sold to Poland, Hungary and India.
After investigating the Pegasus case for over a year, NYT, in its report, said:
“Their countries [India and Israel] had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 Bn— with Pegasus and a missile system as the centerpieces. Months later, Netanyahu made a rare state visit to India.”
However, before we proceed further, let’s take a look at the Pegasus malware. What makes it so dangerous and how it threatens the very existence of democracy in India.
The Pegasus Spyware
Pegasus is a malware/spyware developed by Israel’s NSO Group. The spyware suite is designed to access any smartphone through zero-click vulnerabilities remotely. Once a phone is infiltrated, the spyware can access entire data on that particular phone. It also has real-time access to emails, texts, phone calls, as well as the camera and sound recording capabilities of the smartphone.
After infiltration, the entire control over the device can be handed over to the Pegasus operator, who can remotely control all the functionalities of the phone and switch on or off the different features.
In its latest Transparency and Responsibility Report, the NSO Group has yet again clarified that Pegasus spyware is used exclusively by government intelligence and law enforcement agencies and also that the NSO Group does not operate the Pegasus system.
Venkatanarayanan, in his submission, explained that the Pegasus spyware has existed since 2016. Since then the virus has been updated multiple times. In the beginning, it was activated by sending an SMS to the target mobile, and the target user had to click the link to activate the malware. Over the years, the malware has been fully automated and needs zero-click from the target.
The latest version of malware is so powerful that it even stops Apple iPhones and Android mobiles from sending crash reports and log files which could help trace its presence.
According to an Amnesty report, over 50,000 mobile phone users were identified as people of interest by the clients of NSO Group. Out of these, over 300 mobile numbers belonged to Indians. These users may have been infected by the spyware. In 2019, WhatsApp had stated that Pegasus spyware has infected at least 1,400 users globally, including 121 users from India.
By August 2021, the mobile phones of 10 Indians were forensically analysed and confirmed to have been infected by Pegasus.
Since NSO Group does not operate Pegasus directly, Venkatanarayanan said that Pegasus clients would need a dedicated physical space of 100 square feet to set up uplink connectivity, SMS gateways etc. This could easily be verified as it is most likely to be at the site of ISPs.
What’s Happening In India?
The Pegasus spyware applications are being investigated globally, including Israel. The Indian government, on the other hand, has so far declined to have bought Pegasus and its usage on the citizens for spying.
Instead of ordering a probe, it also alleged that Pegasus is being used to malign the Indian government.
Are Indian journalists being targeted by using Pegasus spyware?
This question was raised by Sanjay Raut and Ritabrata Banerjee in the Rajya Sabha, the Upper House of the Parliament in 2019. The then Minister of State for Electronics and Information Technology, Sanjay Dhotre responded that few statements have appeared based on reports in the media, regarding the breach of privacy of Indian citizens on WhatsApp.
“These attempts to malign the Government of India for the reported breach are completely misleading. The Government is committed to protect the fundamental rights of citizens, including the right to privacy. The Government operates strictly as per provisions of law and laid down protocols. There are adequate safeguards to ensure that no innocent citizen is harassed or his privacy breached,” said Dhotre.
On December 3, 2021, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, in response to a similar question, said that there is no proposal for banning any group named ‘NSO Group’.
Further, in the Supreme Court, the Solicitor General of India, Tushar Mehta denied all of the allegations. Mehta said, “A bare perusal of the captioned petition and other connected petitions makes it clear that the same are based on conjectures and surmises or on other unsubstantiated media reports or incomplete or uncorroborated material. It is submitted that the same cannot be the basis for invoking the writ jurisdiction of this Hon’ble Court.”
Despite Supreme Court’s observation that the responses by the Indian government are incomplete, the solicitor general has declined to file a detailed submission stating that “the disclosure of certain facts might affect the national security and defense of the nation.”
Later, the government submitted its willingness to constitute a committee of experts to look into the matter which the Supreme Court declined.
What Is Supreme Court’s Order?
“Every citizen of India ought to be protected against violations of privacy. It is this expectation which enables us to exercise our choices, liberties, and freedom,” – Supreme Court of India on the Pegasus Case
In Supreme Court, over a dozen people have filed writ petitions (criminal) against the Indian government for violating the right to privacy. Among the petitioners are: Supreme Court lawyer ML Sharma, The Hindu’s N Ram, Rajya Sabha member John Brittas, journalist Paranjoy Guha Thakurta, Editors Guild of India, among others.
Having found the government response inadequate and incomplete, the Supreme Court of India, on October 27, 2021, constituted a technical committee under the supervision of former SC judge, Justice RV Raveendran.
The Court stated, “Rather than relying upon any Government agencies or any, we have constituted the Committee and shortlisted expert members based on biodatas and information collected independently.”
The three members of the committee include:
- Dr. Naveen Kumar Chaudhary, Professor, Cybersecurity and Digital Forensics, and Dean, National Forensic Sciences University, Gandhinagar, Gujarat
- Dr. Prabaharan P, Professor, School of Engineering, Amrita Vishwa Vidyapeetham, Amritapuri, Kerala
- Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra
The technical committee was asked to enquire, investigate and determine whether the Pegasus suite of spyware was used on phones or other devices of Indian citizens to access stored data, eavesdrop on conversations, intercept information and/or for any other purposes and whether the Pegasus suite of spyware was acquired by the Indian government, or any state government, or any central or state agency for use against the citizens of India?
Task Ahead For The Technical Committee
The Technical Committee has recorded statements of a dozen experts and petitioners, including Anand Venkatanarayanan, former journalist Sashi Menon, cybersecurity expert Sandeep Shukla, N Ram, Siddharth Varadarajan and MP John Brittas.
Sashi Menon in his submission stated, “One of the concerns is that autocracies or totalitarian regimes naturally shop for this malware because it helps them to spy on their own citizens, not necessarily for national security but to cover their own insecurities. The disturbing trend that is emerging is that democracies which otherwise may not need to equip themselves with this kind of intelligence might resort to it to bypass the systems that are in place.”
The Technical Committee has published two public notices on January 2, 2022, and February 3, 2022, requesting people to submit their phones/data which Pegasus seemingly infected.
So far, the Technical Committee has met with partial success. Many people who initially claimed that their phones were infected with Pegasus have not submitted their phones citing the possibility of their PII (Personal Identifiable Information) data breach. A special National Investigation Agency (NIA) Court, on February 8, 2022, allowed NIA to submit mobile phones of seven accused in the Elgar Parishad-Maoist case to the Supreme Court-appointed technical committee looking into the Pegasus issue.
According to forensic analysis, one of the accused in the case, Rona Wilson’s smartphone was infiltrated via the Pegasus spyware a year before his arrest in the Elgar Parishad case in 2018. A lawyer representing one of the accused had requested the phones to be submitted to the Technical Committee.
The committee will also enquire about the NSO Group about its dealings with the Indian government.
Amid international pressure, there are chances that the NSO Group may have to stop selling Pegasus or even shut down its shop. However, one might ask if the damages can ever be truly undone?
The post Pegasus Row: What’s The Status Of India’s Investigation Into The Spyware? appeared first on Inc42 Media.