The Parliament proceedings in the Monsoon Session saw the ‘Pegasus’ spying issue becoming the centerpiece of much havoc in the Parliament. The Opposition chose to converge its strategy to corner the government over the damning accusations that an Israeli spyware, developed by a private company, was used by different countries, including India, to spy on its own citizens. In India, the spyware allegations allegedly include over 300 Indian citizens, including activists, journalists, politicians and businessmen.
The issue becomes significant as it involves debates about the seriousness or superficiality of unbacked allegations on a serious issue, the scope of privacy in the age of information technology and the imperatives of national security considerations.
The Pegasus Spyware
Pegasus is a spyware technology that has been manufactured and marketed by an Israeli company called NSO, consisting mainly of veterans of Israeli intelligence agencies. The spyware is used for spying on its ‘targets’ or victims by infiltrating their mobile phone (usually a smartphone) or any other smart gadget, gaining access to their private information and transferring their data on to a master server, without the knowledge of the target/victim.
The NSO group stated that it sells this technology only to ‘vetted foreign governments’. The spyware is described as ‘a world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract data from virtually any mobile devices’ (Mazoomdaar 2021).
Typically, till 2018, the spyware worked – like any other software virus – when the victim clicked on, or opened, links on their mobile phones or computers/laptops, usually transmitted through messages. It normally works in a smartphone or any device with an internet connection, disguising itself subtly as a useful protective application, which, after gaining user permissions, works in the background in the device, recording and transmitting all user information, by becoming ‘device administrator’ without the user’s knowledge and vision (TIE 2021).
After 2018, more updated versions of the spyware can work even when the victim does not open or click on any link. This was documented by Amnesty International in a 2019 report, wherein it was shown that ‘network injections’ could be used to infect a smart device without needing any interaction with the target or the user (Mazoomdaar 2021).
Based on the instructions of its remote master server, the spyware inside a smart device can automatically turn on the camera and microphone, record a person’s speech and can access a person’s chats, messages, emails, contacts and various other data on the device, and transmit all this information to the central server. In other words, it enables the person’s smart device to become a digital spy.
Allegations of Surveillance:
The existence of this spyware, Pegasus, was first reported in 2016 by a lab based at the University of Toronto. In 2019, a major controversy regarding the spyware was created when an American technology firm, WhatsApp, sued the NSO group in a U.S. court, alleging that its spyware was being used to compromise the privacy of WhatsApp users.
Subsequently, a group of journalists and activists, under the umbrella of Amnesty International, undertook a collaborative investigation – known as the ‘Pegasus Project’ – into the spyware issue. In 2021, Amnesty International and an unknown non-profit group ‘Forbidden Stories’ – along with a consortium of 13 global media outlets – released their report into the spying allegations. From India, an extreme Left digital portal – The Wire – was a part of the project.
The report detailed how the spyware was used by at least 10 countries to spy on their own citizens – a charge that all the implicated governments have consistently denied. These countries include Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Hungary, India and the UAE. India was faced with the charge of being the only democracy on this list.
The Pegasus Project alleged that the phone numbers of prominent Indian politicians, businessmen, activists and journalists were found on a common database linked to Pegasus spyware, and that they were potential hacking targets. Besides, it was alleged that the Indian government was using the spyware to eavesdrop on foreign leaders – Pak PM Imran Khan and diplomats from Iran, Afghanistan, China, Nepal and Saudi Arabia.
The Indian Government and NSO Response:
In the Monsoon session of the Parliament, India’s Defence Ministry categorically denied having any links or transactions with the NSO group, and, subsequently, in a recent Supreme Court hearing on the issue, the Indian government denied the use of Pegasus. The government has also stated that any covert surveillance is done as per strict rules and oversight. The government also stated that the issue potentially has national security implications.
Presently, the case is pending in the Supreme Court and the Court has assured that it will not undertake any course of action that might compromise the security or national defence of the country, while looking into allegations by ‘persons of eminence’ whose phones were alleged to have been hacked. The Court may undertake any action, such as the setting up of an inquiry committee for investigation into the issue.
Israel’s NSO group has maintained that no such database of potential targets exists as has been alleged by Amnesty International and its associated media partners in the investigative project. The NSO group has also stated that it only sells its software to clients after the prior approval from the Israeli Defence Ministry. Therefore, it is not clear who put these phone numbers on a list/database and why this was done. The group has threatened to sue the Pegasus Project partners, and alleged that the Project was likely being funded by either Qatar or anti-Israel movements.
According to the official statement of the group, “The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the ‘unidentified sources’ have supplied information that has no factual basis and is far from reality” (Asian News International 2021). The group also clarified that, “the list of countries in this story is totally incorrect, some are not even our clients” (Asian News International 2021).
Presently, NSO licenses Pegasus to governments in 45 undisclosed countries. The group has maintained that they do not operate the systems once sold to their clients, nor do they have access to the data of their client’s targets (Mishra 2021).
A Spurious, Speculative Issue
Despite the massive sensationalization of the Pegasus issue, till now, it has unsurprisingly done little damage to the government’s position, based as it is on unproven and uncorroborated media speculations. The manner in which the Pegasus issue was sensationalized – with burning media headlines and by Opposition creating a havoc in the Parliament, has not resonated much with the common people.
As per a 12-state survey by an organization, Prashnam, only 15% people knew about the Pegasus issue (Jain 2021). Even the Opposition is not entirely sure that prioritizing the Pegasus issue will help them at all in the upcoming state assembly elections next year (Nair 2021).
The issue clearly does not resonate with the masses, who would perhaps be more concerned about the COVID19 mis-management, the economic condition etc. The issue is premised on the argument that the governments use technology like Pegasus to spy on their own citizens and wield private information to criminalise dissent, violate the right to privacy and violate the freedom of speech and expression.
Right to Privacy Not Absolute
In India, there are specific laws governing privacy, with rules, codes and designated government and intelligence agencies that have the authorization to interception. These include Section 92 of the Criminal Procedure Code (CrPC), Rule 419A of the Telegraph Rules and Sections 69 and 69B of the Information Technology Act.
In 2017, in the Puttaswamy judgement, the Supreme Court had ruled that in the age of internet when individuals freely divulge their data, the right to privacy is not absolute, and can be compromised legally on the legitimate ground of national security considerations.
During the time of UPA, there were some attempts – though never implemented – to dilute the power of intelligence agencies, such as the 2010 recommendation by the Vice-President to ensure that intelligence agencies are within Parliamentary scrutiny. However, in India, as in most other countries, interception and intelligence-gathering continue to be based on the grounds of national security and remain outside the purview of public speculation and debate.
While Pegasus issue clearly falls within this domain, even a basic review of Amnesty allegations place them on a rather spurious ground.
Gray Areas Abound
The global investigation spearheaded by Amnesty clearly has various gray areas that, as of now, struggle to meet the standards of even basic legal and public scrutiny.
First, the biggest diluting point for Amnesty and other partners of the Pegasus Project is the fact that the presence of phone numbers on a certain list or database – whose ownership has further been denied by NSO – does not lead to the conclusion that these phones were hacked. Even if they were hacked, it cannot be conclusively proven who hacked them. Legally, as in any criminal law investigation, the mere fact that a certain client (in this case, a government) was the buyer of a technology does not lead to the conclusion that it was used by them, unless concretely proven.
Forensic analysis – done by Amnesty itself – has shown that around 37 numbers were hacked out of the list containing at least 50,000 world-wide ‘potential targets’ (Mishra 2021). In India, forensic analysis by Amnesty showed that 7 phones had traces of hacking or attempted hacking. Even in these instances, no causality can be attributed to anyone, without a proper, legal criminal investigation, and impartial verification of Amnesty’s forensic analysis.
Second, Amnesty and its co-partners have been unable to provide any concrete evidence to support their claims that the ‘list’ of phone numbers was linked to NSO database. In their public statements, Amnesty and others do not dispute NSO’s claim that the ‘list’ of potential targets never originated at NSO. This automatically means that there must be multiple lists of targets of individual countries – which no government would ever share with a commercial vendor like NSO, as it is intelligence data, or place on a common ‘database’ – which Amnesty somehow managed to obtain from across the world. This mysterious list has never been independently found or verified and is simply based on claims of Amnesty. It can neither be produced or proven in a Court of Law. Amnesty has refused to reveal the source of the ‘list’ which neither originated at NSO nor with any government.
Third, even the list of targets is only a list of ‘potential’ targets – which means they may or may not have been tapped. According to the statement of one of the Amnesty’s media partners, “The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts” (The Guardian 2021). It appears that even allegations about ‘potential targets’ are based on ‘belief’ and partial forensic analysis of a handful of phone numbers.
Fourth, the Supreme Court in hearing petitions filed against the government on the Pegasus issue raised pertinent questions about why the victims had not filed an FIR prior to approaching the Court in a matter as serious as this, and, why was the issue raised at this moment after a gap of two years, when the spying allegations had been levelled in 2019. Finally, the Court also observed that the petitions are based on newspaper reports rather than any concrete evidence so far.
The Future of Technological Advancement
The Pegasus issue has once more brought to the forefront the role of technology and science in human advancement in general, and, as an instrument of statecraft and cyber-warfare in particular in this specific case. As the nature of the perceived enemy changes, so does the deployment of technology. The emerging threats to national security due to the nature of non-state actors operating within country’s borders keep assuming new forms, and technology has become an integral part of sustaining the modern nation-state.
While ordinary citizens, politicians, journalists, activists, businessmen and other elite of society have, since decades, potentially played a useful role in being on foreign payroll and transmitting sensitive information, this has become more magnified with the changing nature of technology at the disposal of people. Cyber progress has made such transmission of information much easier.
New internet-enabled digital communication platforms – such as WhatsApp, iMessage, Telegram, social media outlets and numerous other modes of cyber communication – have encryption features that can block government from accessing the information transmitted. While this is done ostensibly to protect the right to privacy, yet it may also include much that can be used for criminal purposes such as money-laundering, illegal activities, terrorism etc. Besides communication, there are other forms of technology at people’s disposal that can, both, make lives materially advanced as well as aid in crime and perversion. For, technology is a double-edged sword.
It is for this reason that the governments have kept pace with technological progress by deploying technologies to keep ahead of potential illegal activities by its own citizens or by hidden enemies residing within national borders. Legally, the governments – India, EU, US, Australia etc. – have done this by forcing the big technology companies to relax their encryption features, follow laws of the land and relay sensitive information to the government of the day.
Tacitly or covertly, governments have done this by deploying new, ever-changing set of technological products that can enable advanced spying on transmission of information that can be illegal. Such spying, to put in a lay language, has existed since ages – for good or for bad – and only its forms have changed; for, without it, it would be impossible to govern with a strong hand, resulting in regime instability. In contemporary parlance, many epithets have been used in intellectual vocabulary to resist such state power, and arguments have been advanced that the government often ‘weaponizes’ secretly obtained information to suppress dissent.
Regardless, in the age of information technology, where freely divulged data is easily available, governments can weaponize such information by obtaining data either through technology companies or by interception – the end result may be the same.
Furthermore, arguably, it is not only the governments, but even technology companies that can ‘weaponize’ information – not through direct coercion as used by state power, but by using the data for engineering preferences, behaviour and manipulating mass psychology, which is driving new-age consumerism and harming the collective psyche infinitely more than targeted interceptions by governments.
And, such targeted state-backed interceptions are – and have been – much more deeply-rooted than the superficial expose on a spyware like Pegasus suggests. Countries have always engaged in interception and its legitimacy has gone beyond certain limits of public outrage and inquiry. Numerous instances abound.
US is amongst the top-ranked countries in spying on its citizens with its controversial PRISM programme through which it spied on various governments all over the world including India and on its own citizens as revealed by Snowden leaks, while India also developed a similar sophisticated spying program – Central Monitoring System (CMS) and NETRA – during the UPA era. CMS was described as “the single window from where government arms such as the National Investigation Agency or the tax authorities will be able to monitor every byte of communication” (Grant 2013). In the wake of 2008 terrorist attacks, India especially accelerated internet communications interceptions, such as via Skype and others. India’s National Cyber Coordination Centre (NCCC) – reported during the UPA – gives government access to all Internet accounts, including e-mails, blogs or social networking data.
China and Russia may not have their names among ‘leaked’ Pegasus’s clients, but use far more sophisticated technology – including behaviour-control technology – to keep their citizens under surveillance, with Russia even having a spying programme for minors. These are countries where free media, human rights and all other modern liberal constructions are virtually dead – without the use of a small software like Pegasus. Israel is a leader in all major forms of technology used for ends of domestic control and cross-border warfare.
There are numerous precedents of Pegasus-like technology currently being sold and bought by various countries – some unearthed and numerous secret. Non-governmental exposures have revealed various other precedents. Some examples include – An Israeli spyware called Candiru being sold to foreign governments with ‘victims’ observed in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia and Singapore; an Israeli group, Cyberbit, selling similar spyware; Germany’s FinFisher group sells similar spyware to Pegasus; Italian firm Hacking Team sells Pegasus-like spyware to numerous foreign governments etc. (Mishra 2021). In Pegasus scandal itself, while Amnesty could disclose only names of 10 governments using the spyware, yet, the NSO group supplies to around 45 undisclosed countries (Mishra 2021). Indeed, the NSO group disclosed that, “The majority of our clients are Western democracies” (Asian News International 2021).
This is not an issue which can be candidly disclosed in the Parliament or in the Supreme Court. It is clearly an issue where national security dimensions get involved, thereby outweighing the importance of the right to privacy, and sensitive national security information cannot become a subject of cheap, debatable public spectacle. Therefore, hypothetically, even if the Indian government were using the Pegasus – which it has denied categorically – it is not the kind of issue that will either see a prolonged debate in details or a public disclosure, regardless of how much public noise and spectacle is created to sensationalize it.
Asian News International. 2021. July 19. Accessed August 20, 2021. https://twitter.com/ANI/status/1417006667535814657.
ANI. July 19, 2021. Accessed August 20, 2021. https://www.aninews.in/news/national/general-news/list-of-countries-using-pegasus-totally-incorrect-some-not-even-clients-international-conspiracy-says-nso-group-in-an-interview-to-ani20210719123022/.
Grant, Rebecca. 2013. Venture Beat. June 20. Accessed August 20, 2021. https://venturebeat.com/2013/06/20/india-rolls-out-its-own-version-of-prism-to-spy-in-the-name-of-security/.
Jain, Rajesh. 2021. The Print. August 4. Accessed August 22, 2021. https://theprint.in/opinion/only-15-indians-know-about-pegasus-but-once-aware-their-distrust-of-modi-govt-grows/708698/.
Mazoomdaar, Jay. 2021. The Indian Express. August 13. Accessed August 16, 2021. https://indianexpress.com/article/explained/pegasus-whatsapp-spyware-israel-india-7410890/.
Mishra, Megha. 2021. Money Control. July 31. Accessed August 18, 2021. https://www.moneycontrol.com/news/india/in-depth-pegasus-spyware-scandal-and-growing-chorus-to-regulate-private-surveillance-7254741.html.
Money Control. 2021. Money Control. July 21. Accessed August 20, 2021. https://www.moneycontrol.com/news/india/find-out-the-cost-of-putting-pegasus-into-a-smartphone-for-spying-7200991.html.
Nair, S.K. 2021. The Hindu. August 21. Accessed August 23, 2021. https://www.thehindu.com/news/national/other-states/opposition-divided-over-focus-on-pegasus/article36037352.ece.
The Guardian. 2021. The Guardian. July 18. Accessed August 20, 2021. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus.
TIE. 2021. The Indian Express. August 3. Accessed August 16, 2021. https://indianexpress.com/article/explained/project-pegasus-india-spyware-controversy-quixplained-7412960/.
 Amnesty’s operations were completely frozen in India in 2020 in wake of government regulations. Even during Congress rule, the global NGO was restricted in terms of finance access due to the dubious nature of its India agenda.