OPINION/JAIJIT BHATTACHARYA
THE AUTHOR IS PRESIDENT
The Pegasus Whodunnit
The Israeli spyware has become synonymous with large-scale
cross-border digital snooping. What is the issue and who did it?
ON 223 28, the world erupted
with news coming in that
50,000 phones globally
were being snooped into.
The technology used to snoop into
these phones is allegedly a spyware
called Pegasus, that has been created
by an Israeli company called NSO.
This is a company that was sold to a
private equity firm called Francisco
Ventures, and then bought back by
the founders in 2019. The name of the
spyware, Pegasus, in itself explains
what it does - it stands for a winged
trojan horse that “flies” into your
phone, “over the air”. It essentially
implies that without your knowledge,
the spyware embeds itself into your
phone. And it does so “over the air”
as a mobile phone is essentially a
wireless device.
The first question that comes up is
whether this is at all technically possible.
The answer is that it is certainly
in the realm of possibility. If the systems
of an Iranian nuclear centrifuge
could be hacked, even though they
were not connected to the internet in
any way, a connected mobile phone
can certainly be hacked, if enough
resources are allocated to do so.
Given that this is not the first time
that Pegasus or any other spyware
has been detected in mobile phones,
why is this incident creating such
a furore? For the record, Pegasus
was first detected in 2016, and it was
already a very sophisticated spyware,
infecting both Android phones and
iPhones. So why is the Sunday expose
such a big deal?
The reason for the global uproar
on Pegasus is threefold. One, the
extent of reach that Pegasus has had,
has rarely been seen before. Second,
the targets of Pegasus have been the
who's who of the world, including
24 OUTLOOK | AUGUST 2, 2021
Presidents and Prime Ministers as well as cabinet ministers and well-known
journalists. It is also believed that the state-sponsored murder of
Jamal Khashoggi was enabled through Pegasus. And third, which is the
most critical issue, is that NSO sells Pegasus only to governments. Hence,
if we now stitch up the three points, the obvious story that comes out is
that a government, or multiple governments, have been snooping on others
or on their own heads of states and ministers as well as on journalists
at an unparalleled scale. This is certainly ominous. It is a threat to civil
liberties, privacy and freedom of expression, besides being an extremely
powerful weapon to convert democracies into virtual autocracies.
And that is the reason why there has been a global outrage at the
discovery of this spyware infecting thousands of phones.

If a nuclear centrifuge in Iran not connected to the internet could be hacked, a cell phone too can be snooped on.

Therefore, the immediate question that comes in is, who did it?
Unfortunately, with the gigabytes of writeups online on the issue, since
the news first broke out in a select set of newspapers globally, the actual
information available is still very sketchy. If we go by Washington Post,
which had the privilege of being in the select club of 17 media organisations
that received information from the so-called “Project Pegasus”
which actually carried out the probe into the spyware's influence, and was
led by the Paris-based media nonprofit organisation Forbidden Stories and
Amnesty International—Pegasus is confirmed to have infected 37 phones,
out of the targeted 50,000. Curiously, Washington Post singles out India
and states that out of the 37 phones that are confirmed to have been hit
by Pegasus, 10 are in India. Almost as a footnote, it also mentions
that another 5 are in Hungary. It does not reveal where the balance
22 phones are from, neither does it reveal names of the
37 people whose phones are confirmed to
have been hacked. Washington Post also makes the context sinister, as it
starts the report by stating upfront that the spyware is
in phones in countries “known to engage in surveillance of their citizens
and also known to have been clients of NSO Group.”
Therefore, Washington Post also appears to build a narrative that India
is a ‘known villain’ that engages in surveillance oftvene nee
that it is a client of NSO, the maker of Pegasus. It is important to eal at
this convoluted narrative in order to understand the “wretem ate wet
of the issue. To run a government and to maintain internal and external
security, surveillance of suspected people inside the boundaries of the
country has been practiced for thousands of years. There is no
government that does not surveil select suspects. Itissumvinnae
Washington Post singles out India, and chooses to put ogee
India Hungary being a footnote in the larger context, while sconesilent on the antecedents of the rest
of the compromised phones. More
importantly, if NSO keeps its client
list confidential, how did Washington
Post or any other entity get access
to their client list, in order to make
the claim that certain governments
are known to be clients of NSO? Did
they hack into NSO's systems? What
spyware did they use to carry out
their operation? Or are these claims
baseless?
Expectedly, there has been a
spirited defence of the government
from both the newly-appointed
Union Ministers of IT and Home
Affairs. One of their defences has
been that the timing of the release
of the report, just before the start of
the monsoon session of Parliament,
is suspect, and meant to affect India’s
democratic processes. Even though
this seems to be a valid point, it is
worthwhile to note that a country
of the size and complexity of India
always has some important event or
the other going on. A few months ago,
it was the season of state elections. A
few months later, there will be more
state elections, and so on. So, any
time that a politically slanted report
is released, it will coincide with some
political process or the other.
BUT why has Washington Post
its data? Perhaps it could be
because another version of Pegasus
was detected in India in 2019,
one that infected phones through
Whatsapp. Facebook, the owners of
Whatsapp, had proactively declared
this compromise in Whatsapp’s security
and helped pinpoint journalists
whose phones were compromised.
Even though this appears to be
a proactive step from Facebook,
given its past record of hiding
security breaches, or perhaps actively
participating in data breaches, as
was evident from the Cambridge
Analytica case, it was indeed curious
as to why Facebook went public with
this breach by Pegasus. In addition,
given that Whatsapp has been trying
to legally compromise the privacy
of individuals by forcing them to
sign-off their privacy, it would look
like a case of the pot calling the kettle
black. However, this earlier brush with
Pegasus could perhaps be the reason
why Washington Post singled out India
this time. But then again, Pegasus was
first detected in 2016, and has raised its
ugly head in multiple countries globally.
So clearly, India being singled out by the
consortium of entities that are releasing
information from their analysis, seems
to be motivated.

Most politicians use feature phones, also called button phones, which don’t have a programmable OS.

However, the question—who in India
authorised it—remains? To look into that matter, one should find out who
got impacted in India and the possible motivation of the perpetrator to
target them. Based on further updates, the targets apparently include
800 phone numbers (not yet verified) from India, including that of Rahul
Gandhi, a key member of a key Opposition party, two serving ministers
including the newly-appointed IT Minister Ashwini Vaishnaw, poll
strategist Prashant Kishor, 40 journalists, one sitting judge and many
business people. The narrative that emerges is that the Union govern-
ment was targeting them. Clearly, the Indian government stands to
benefit by snooping into phones of Opposition politicians and journalists.
However, this narrative becomes questionable when even the name of
the recently-appointed IT Minister gets involved. Why is that surprising?
Because, for one, the potential value of tracking someone who was
not even a minister at the time his phone was tracked, is very low. For
another, as anyone who has worked
closely with the government would
testify, most politicians and ministers
use feature phones—popularly called
button phones—for their sensitive
communications. Feature phones do
not have a programmable operating
system like in a smartphone, and
are hence immune from infection
once they leave the factory. Having
said that, it still does not take the
needle of suspicion away from the
government.
Others who could potentially gain
from such widespread surveillance
are key Opposition politicians
themselves. We do have savvy
politicians from various parts of the
country such as Maharashtra, UP, etc.
who harbour ambitions of being the
Prime Minister, and they do stand
to gain from tapping into the phones
of some of the targets. However, as
per NSO, they sell their software
only to governments, ruling out any
non-government player. Or does
it? Pegasus has been known to have
been used by Mexican drug cartels,
to target and intimidate journalists
and government representatives.
The spyware has likely moved into
the hands of non-state actors by
now. So, it could potentially also
be Opposition politicians who are
behind the surveillance.
AND then we have the possibility
of a foreign government
or a foreign non-state actor,
which launched this surveillance.
There would be a million reasons why
a foreign entity would be interested
in doing so. However, if that is the
case, why are phones of the Prime
Minister, and those of key defence
personnel, not compromised? We
don’t know the answer, but the
chance of such an event should be
realistically very slim, not to mention
that they typically use feature phones
and use over-encrypted communica-
tion systems.
Lastly, it is also possible that the
surveillance was done by entities
having business interests in the
country and globally. These could be
Indian businesses or foreign ones. For
that matter, there is another unanswered
question—who funded Forbidden Stories
and Amnesty International to embark
upon this digital forensic analysis that
took months and millions of dollars,
and why? Why did they not investigate
Whatsapp or Tiktok to check if their
apps are snooping on people? Why
only Pegasus? Is it a coincidence that
Washington Post is owned by Jeff Bezos,
the founder of Amazon, one of the largest
global e-commerce platforms?

Who funded Forbidden Stories and Amnesty to carry out this probe that cost millions of dollars, and why?

Unfortunately, with the sketchy information available, one can only
postulate multiple hypotheses, and arrive at inconclusive deductions.
As one of my co-panelists on a TV show on this issue remarked—is the
information sketchy or is it dodgy? Perhaps it is both. But one should
not get lost in semantics, as the Pegasus case is a watershed moment in
the history of our digital civilisation, where perhaps anyone can get into
your phone, turn on its camera, watch what you are doing, listen to
what you are saying or read what you are reading. We have surely
stepped into an Orwellian society, with anyone and everyone having the
ability to snoop.
(Views expressed are personal)