A consortium of 17 international media organizations published an investigation on 19 July, known as the Pegasus Project, into a leaked list of phone numbers from around the world. These numbers are believed to be part of a “target” list of phones that were hacked, or were to be hacked, using the Pegasus spyware product, which Israel’s NSO Group sells. The list is notable for its size and for the presence of prominent journalists, dissidents, politicians from different countries, judges, business people, rights activists, and heads of state. Some of the targets cooperated with Amnesty International and the media consortium in a forensic examination of their devices, which found evidence of hacking using Pegasus.
What is Pegasus?
Pegasus is a spyware suite that NSO Group, an Israeli company, sells to “vetted government customers.” It can hack into and spy on Windows, Mac, Android, and iOS phones. The spyware can be delivered via SMS or email, or through more advanced “0-day” vulnerability exploits. These are bugs or security flaws that even device manufacturers don’t know about. Finding and exploiting “0-day” vulnerabilities is difficult, time-consuming, and highly specialized work. At one time, it was possible to infect target phones by simply placing a WhatsApp phone call.
Who has seen this data?
The data was accessed by Forbidden Stories and Amnesty International in Paris, which then shared it with 17 international media organizations as part of The Pegasus Project. These included The Guardian, The Washington Post, and, in India, The Wire. Forbidden Stories claims this list contains intended targets for NSO Group’s Pegasus suite of software. It is important to note that the mere presence of a number in the data does not mean that it was successfully targeted or was intended for a hacking attempt.
What is the point?
According to The Wire’s reports, the NSO Group’s client list includes the governments of Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE. The Wire reports that there are 300 Indian nationals on the list. This includes some journalists, rights activists, and politicians. According to the NSO Group, the Pegasus suite is sold only to “vetted government” entities and not to private entities. This suggests that the target list includes people under surveillance by the Government.
Private entities are not able to afford the suite due to its high cost. Amnesty International examined a small sample of 37 phones and discovered signs of Pegasus infection. These phones belonged to journalists, politicians, and businesspeople – not terrorists or criminals. This is a list of Pegasus spyware targets.
Attempting to break into phones or computers using these methods constitutes hacking, an offense punishable under the Information Technology Act, 2000.
What the Indian Government has to say
In its official statement, which you will find below, the Central Government said that the story was “bereft” and “been founded in preconceived conclusions.” It also stated that it seemed like an attempt to play the roles of investigator, prosecutor, and jury.
The Government stated categorically that “The allegations concerning government surveillance of specific people have no concrete basis or truth associated with it whatsoever.”
The statement continues:
India has a well-established process that allows lawful interception of electronic communications for national security purposes, especially in case of a public emergency or in the interests of public safety. This is done by the Centre and the States. These lawful interceptions of electronic communications are requested according to the relevant rules under section 5(2) of the Indian Telegraph Act 1885 and section 69 of the Information Technology (Amendment) Act 2000.
The competent authority, i.e. the Union Home Secretary, approves each case of interception, monitoring, and decryption. These powers are also available to the competent authority within the state governments according to the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Briefly, Indian law establishes the protocol for government interception and monitoring of electronic communications to protect national security, with approval by the Union Home Secretary.
Today, Ashwini Vaishnaw, Minister of Electronics and Information Technology, stated in Parliament that “the report itself clarifies the presence of a number doesn’t amount to snooping.” He also added that “NSO has also stated that the list showing countries using Pegasus was incorrect and that many of the countries listed are not our clients.” NSO also stated that the majority of its clients were from western countries.
The NSO Group’s opinion
NSO Group, an Israeli company, spoke to The Wire through its lawyers. They insist that the leaked list is not a “target” list for hacking by governments but that it “may be part of a larger number of numbers that could have been used for other purposes by NSO Group customers.” “NSO Group customers” refers to its “vetted government” clients. Amnesty International’s forensic analysis seems to show that these devices were indeed targeted.
But, I use Signal/Telegram/WhatsApp. Can anyone read my messages?
The short answer is yes. Because of end-to-end encryption, messaging platforms such as Signal and WhatsApp can be considered safe in transit. But that protection doesn’t matter if your device is infected with spyware: someone is watching you, and spyware on the device sees your messages as you do, after they are decrypted. It’s almost like having the best security system in the world while the thief is already inside.
The long answer is: any technology can be manipulated or bypassed given enough resources and time. Pegasus’s case shows that smartphones are infected using sophisticated attacks that exploit security flaws the phone manufacturer may not be aware of – the so-called “0-day” vulnerabilities. These resources are not available to all entities, but anyone with enough of them can find ways to spy on your communications. If you ask the question “Who would do such an act?” the answer is “anyone who has enough money and motivation.”
The Pegasus Project claims are true, but it is clear that there needs to be more regulation and surveillance reform. Because technology is everywhere, it’s now possible to perform highly intrusive surveillance. The technology for such surveillance is not accessible to everyone (as far as we know). Still, it is available to “vetted government clients,” which, in NSO’s case, include India, Bahrain, Hungary, and Kazakhstan. We must also remember that Pegasus does not come free of cost.
Or, as Ashwini Vaishnaw, Minister of Electronics and Information Technology, stated in Parliament today, “When we view this issue through the prism of logic, it is clear that there is no substance to this sensationalism.”