On 19 July, a consortium of 17 international media organizations published an investigation around a leaked list of phone numbers from across the world, dubbed the Pegasus Project. These numbers are allegedly a “target list” of phones hacked/to be hacked by the Pegasus spyware product sold by Israel’s NSO Group. The list is apparently notable for its sheer size and containing prominent journalists, dissidents from various countries, politicians, judges, business people, rights activists, and heads of state. Some targets listed have cooperated with the consortium of media and Amnesty International for a forensic examination of their devices and have found evidence of hacking using the Pegasus suite.
What is Pegasus?
Pegasus is a spyware suite sold by Israeli company NSO Group to “vetted government clients.” It is used to compromise and conduct surveillance on targeted Windows, Mac computers, Android, and iOS smartphones. The spyware can be delivered using links sent via email or SMS, via WhatsApp, or using far more sophisticated ‘0-day’ vulnerability exploits, which are security flaws or bugs unknown even to devise manufacturers. Finding and exploiting such ‘0-day’ vulnerabilities is a highly specialized, complex, and time-consuming task. It has, at one point, been able to infect target smartphones simply by placing a WhatsApp call, regardless of whether the call was answered or not.
Who has seen this data?
The data was accessed by a Paris-based non-profit called Forbidden Stories and Amnesty International, who then shared it with 17 international media organizations worldwide as part of the Pegasus Project, including The Guardian, The Washington Post, and India, The Wire. Forbidden Stories claims that this list comprises intended targets for the NSO Group’s Pegasus software suite. However, it is understood that just because a phone number is listed in the data does not automatically imply that it was successfully targeted or even an intended target for a hacking attempt.
Why is this important?
According to The Wire’s report, the NSO Group’s client list includes the governments of Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, the United Arab Emirates, and India. On the list, The Wire reports, are 300 numbers of Indian nationals, including some politicians, rights activists, and journalists. The NSO Group claims to sell the Pegasus suite only to “vetted governments” and not private entities, suggesting that the target list comprises persons under surveillance by the government.
The cost of the suite also puts it out of the reach of most private entities. A small sample of 37 phones was subjected to forensic analysis – including 10 Indian phones – by Amnesty International and found to show signs of a Pegasus infection. These devices belonged to journalists, politicians, businesspersons, legal and other professionals – people of note, not criminals or terrorists. The correlation being drawn is that this is indeed a list of Pegasus spyware targets.
Infiltrating phones or computers using such methods comprise ‘hacking,’ which is a punishable offense under the Information Technology Act, 2000.
What the Indian Government says
As part of its official statement, which we will reproduce below, the Central Government has called the story “bereft of facts but also founded in pre-conceived conclusions,” adding that “It seems you are trying to play the role of an investigator, prosecutor as well as jury.”
The government categorically stated that: “The allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever.”
The statement also goes on:
“In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interceptions of electronic communication are made as per relevant rules under section 5(2) of the Indian Telegraph Act,1885 and section 69 of the Information Technology (Amendment) Act, 2000.
Each case of interception, monitoring, and decryption is approved by the competent authority, i.e., the Union Home Secretary. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009.”
In brief, there is an established protocol for government interception of electronic communication, as per Indian law for “national security,” and approved by the Union Home Secretary.
Today, in Parliament, the Minister of Electronics and Information Technology, Ashwani Vaishnaw said, “the report itself clarifies that presence of a number does not amount to snooping,” and added “NSO has also said that the list of countries shown using Pegasus is incorrect and many countries mentioned are not even our clients. It also said that most of its clients are western countries.”
What NSO Group says
Israeli firm NSO Group spoke to The Wire through their lawyers and insisted that the leaked list does not comprise a “target list” for hacking by governments but “may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes.” Here, “NSO Group customers” refers to their “vetted governments.” Forensic analysis by Amnesty International seems to bear out that a sample set of these listed devices were indeed targeted by Pegasus.
But I use Signal/Telegram/WhatsApp. Can someone read my messages?
Short answer: Yes. Communicating via messaging platforms including Signal and WhatsApp are deemed ‘safe’ due to their use of end-to-end encryption. However, if your device itself is compromised with spyware, it doesn’t matter that your communication is encrypted because someone is already looking over your shoulder. It’s like having the world’s best security system and locks for your house, except that the thief is already inside.
Long answer: Any technology can be worked around or circumvented given enough time and resources. In the case of Pegasus, smartphones are infected with spyware using a variety of sophisticated attacks that exploit security vulnerabilities that even phone manufacturers may not know about – so-called ‘0-day’ vulnerabilities. These are not resources available to just any entity, but one with enough resources and motivation can most certainly find ways to spy on your communications. If the question is “who would do such a thing?” the answer is “anyone with enough money and motivation.”
If there is truth to the claims of the Pegasus Project, it clearly demonstrates that more needs to be done to regulate and reform surveillance. The ubiquity of technology and devices means that deeply invasive forms of surveillance are now possible. While the tech for such surveillance is not available to anyone who asks (as far as we are told), it is available to “vetted government clients,” which – in NSO’s case – include the governments of Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, apart from India. And we must remember that Pegasus is just one of many such software suites available at a cost.
Or, as Minister of Electronics and Information Technology, Ashwani Vaishnaw said in Parliament today: “When we look at this issue through the prism of logic, it clearly emerges that there is no substance behind this sensationalism.”