Mainstream Weekly

Home > 2021 > Pegasus – obfuscating the obvious | Upal Chakraborty

Mainstream, VOL LIX No 33, New Delhi, July 31, 2021

Pegasus – obfuscating the obvious | Upal Chakraborty

Friday 30 July 2021

by Upal Chakraborty *

The “Pegasus” spyware was conceived as a Trojan horse with soldiers sitting stealthily inside, ready to strike at the earliest opportunity. Conceived, developed and marketed by the NSO Group of Israel, it has, in reality, no horses or soldiers but is a piece of code sitting inside one’s phone – iPhone or Android – tracking his calls, messages, locations visited, items shopped, political views, reading material, names of friends and acquaintances , financial status. It boasts of a “Zero-click capability” that exploits a vulnerability in the messaging software “iMessage” used in iPhones, enabling the spyware to penetrate the phone without the user clicking on any link – unlike how most malware operate. It can be installed on Android phones by simply initiating a WhatsApp call – even if the target has not responded to the call.

The Guardian reported in 2019 that WhatsApp had revealed that NSO’s software was employed to send malware to more than 1400 phones, including several Indian ones, by exploiting an innate vulnerability. Will Cathcart, Head of WhatsApp, corroborated the statement later. On August 23, 2020, the Israeli newspaper Haaretz reported that NSO Group had sold the software to the United Arab Emirates and other Gulf States for surveillance of anti-regime activists, journalists, and political leaders from rival nations. The techniques employed in the attack were “clandestine”, “sophisticated” and “difficult to detect” - the “targets” unaware that they had been hacked. A report, released in December 2020 by Citizen Lab, a research unit at the University of Toronto specializing in cybersecurity, alleged that the phones of 36 journalists and other employees working for the Qatar-based Al Jazeera network had been compromised.

The tsunami erupted in July 2021. A leaked list of 50,000 individuals worldwide of which more than 1,000 phone numbers were from India was shared with news outlets by Forbidden Stories, a Paris-based NGO, and Amnesty International, after thorough testing in their Forensic labs. This included members of the judiciary, a former Election Commission official, bureaucrats, businessmen, politicians, reputed journalists, a lady who had accused a former Chief Justice of sexual harassment and even members of the PM’s Cabinet.

Surveillance in India is not a recent phenomenon. The author remembers a couple of “informers” perched outside the residence of his uncle, a cultural activist in Kolkata, during the mid-sixties in Kolkata - for days on end. The Government of Manmohan Singh acknowledged surveillance of Opposition politicians in 2013. The minority government led by Chandra Shekhar collapsed in 1991 when the Congress withdrew support on the ground that two Intelligence operatives were spotted outside the residence of its leader. The tapping of the telephone of Samajwadi Party leader Amar Singh or the controversy between Pranab Mukherjee and Chidambaram are too recent to forget.

Pegasus spyware, however, provides a new dimension to bugging in India. The technology is capable of detecting a host of information – not limited to the affected individual’s political beliefs and activities. It intrudes upon his private life, blurring the distinction between intimately personal and public domains. It is criminal in both its intent and methodology. Foremost, it is illegal as the Government can, as per the law, only under exceptionable circumstances and through intermediaries – in this case mobile service-providers like Airtel, Vodafone or Jio - initiate such action.

However, the appearance of a number in the Database that was detected does not conclusively establish that it was hacked. Some devices were found to have been compromised - mostly iPhones. In Android phones, operating systems do not provide convenient logs and hence infection is tough to establish. The Washington Post categorically stated that forensic analyses performed on 22 smartphones in India showed that at least 10 were targeted with Pegasus, seven successfully. This does indicate that attempts were made on the listed numbers although it does not follow that all the numbers were successfully or unsuccessfully penetrated. Although the time periods indicate that the Government had sufficient grounds to pry on some of the individuals. For example, the contacts of Ashok Lavasa - the former Election Commissioner – appeared in the list immediately after he recorded a dissenting opinion to a ruling that favoured the Prime Minister before the 2019 General Election.

What is intriguing is the lack of an outright denial by either the Government or Pegasus. Responses have been at best evasive. Pegasus, in a statement issued shortly after the leak, stated that the company is "not related to the list published by Forbidden and the company does not have access to the data of its customers," It later clarified that it only offered its program to "vetted governments for the sole purpose of saving lives through preventing crime and terror acts". It is only expected that NSO would not have access to the database, because, although it hosts the database and provides the technology in a cloud environment, the database is accessible only through passwords available or generated by its clients.

The Government on its part has refrained from directly denying its involvement unlike the Rafael episode perhaps because it is apprehensive that if more conclusive proof is provided in future, it may add to its embarrassment. During the 2019 expose, it was stated “that the Cyber and Information Security Division of the Home Ministry had no information about this.” According to the then IT Minister, “To the best of my knowledge, no unauthorised interception has been done.” Amit Shah, of course, takes the cake. The aim of the reports, according to him, is to “do whatever is possible and humiliate India at the world stage, peddle the same old narratives about our nation and derail India’s development trajectory… This is a report by the disrupters for the obstructers.”

But where is your denial, Sir? Evidently, the last word is yet to be said – notwithstanding the Government’s valiant attempts to obfuscate the truth.

(Author: Upal Chakraborty has worked for various corporate organizations in a long career of 35 years, and, after retirement, currently focuses on writing articles on various social topics, consultancy and teaching )

Notice: Mainstream Weekly appears online only.