OPINION/JAIJIT BHATTACHARYA
THE AUTHOR IS PRESIDEN

The Pegasus Whodunnit

The Israeli spyware has become synonymous with large-scale cross-border digital snooping. What is the issue and who did it?

ON 223 28, the world erupted with news coming in that 50,000 phones globally were being snooped into. The technology used to snoop into these phones is allegedly a spyware called Pegasus, that has been created by an Israeli company called NSO. This is a company that was sold to a private equity firm called Francisco Ventures, and then bought back by the founders in 2019.

The name of the spyware, Pegasus, in itself explains what it does: it stands for a winged trojan horse that "flies" into your phone, "over the air". It essentially implies that without your knowledge, the spyware embeds itself into your phone. And it does so "over the air" as a mobile phone is essentially a wireless device.

The first question that comes up is whether this is at all technically possible. The answer is that it is certainly in the realm of possibility. If the systems of an Iranian nuclear centrifuge could be hacked, even though they were not connected to the internet in any way, a connected mobile phone can certainly be hacked, if enough resources are allocated to do so.

Given that this is not the first time that Pegasus or any other spyware has been detected in mobile phones, why is this incident creating such a furore? For the record, Pegasus was first detected in 2016, and it was already a very sophisticated spyware, infecting both Android phones and iPhones. So why is the Sunday expose such a big deal?

The reason for the global uproar on Pegasus is threefold. One, the extent of reach that Pegasus has had, has rarely been seen before.
Second, the targets of Pegasus have been the who's who of the world, including Presidents and Prime Ministers as well as cabinet ministers and well-known journalists. It is also believed that the state-sponsored murder of Jamal Khashoggi was enabled through Pegasus. And third, which is the most critical issue, is that NSO sells Pegasus only to governments. Hence, if we now stitch up the three points, the obvious story that comes out is that a government, or multiple governments, have been snooping on others or on their own heads of states and ministers as well as on journalists at an unparalleled scale. This is certainly ominous. It is a threat to civil liberties, privacy and freedom of expression, besides being an extremely powerful weapon to convert democracies into virtual autocracies. And that is the reason why there has been a global outrage at the discovery of this spyware infecting thousands of phones.

24 OUTLOOK | AUGUST 2, 2021

Therefore, the immediate question that comes in is, who did it? Unfortunately, with the gigabytes of writeups online on the issue, since the news first broke out in a select set of newspapers globally, the actual information available is still very sketchy. If we go by Washington Post, which had the privilege of being in the select club of 17 media organisations that received information from the so-called "Project Pegasus" which actually carried out the probe into the spyware's influence, and was led by the Paris-based media nonprofit organisation Forbidden Stories and Amnesty International—Pegasus is confirmed to have infected 37 phones, out of the targeted 50,000. Curiously, Washington Post singles out India and states that out of the 37 phones that are confirmed to have been hit by Pegasus, 10 are in India. Almost as a footnote, it also mentions that another 5 are in Hungary. It does not
reveal where the balance 22 phones are from, neither does it reveal names of the 37 people whose phones are confirmed to have been hacked.

Washington Post also makes the context sinister, as it starts the report by stating upfront that the spyware is in phones in countries "known to engage in surveillance of their citizens and also known to have been clients of NSO Group." Therefore, Washington Post also appears to build a narrative that India is a "known villain" that engages in surveillance oftvene nee that it is a client of NSO, the maker of Pegasus. It is important to eal at this convoluted narrative in order to understand the "wretem ate wet of the issue.

To run a government and to maintain interrat aad eee security, surveillance of suspected people inside the bemmdaniceee country has been practiced for thousands of years These ens government that does not surveil select suspects Itissumvinnae Washington Post singles out India, and chooses to put ogee India Hungary being a footnote in the larger context, while scone silent on the antecedents of the rest of the compromised phones.

More importantly, if NSO keeps its client list confidential, how did Washington Post or any other entity get access to their client list, in order to make the claim that certain governments are known to be clients of NSO? Did they hack into NSO's systems? What spyware did they use to carry out their operation? Or are these claims baseless?

Expectedly, there has been a spirited defence of the government from both the newly-appointed Union Ministers of IT and Home Affairs. One of their defences has been that the timing of the release of the report, just before the start of the monsoon session of Parliament, is suspect, and meant to affect India's democratic processes. Even though this seems to be a valid point, it is worthwhile to note that a country of the size and complexity of India always has some important event or the other going on. A few months ago, it was the season of state elections.
A few months later, there will be more state elections, and so on. So, any time that a politically slanted report is released, will coincide with some political process or the other.

BUT why has Washington Post its data? Perhaps it could be because another version of Pegasus was detected in India in 2019, one that infected phones through Whatsapp. Facebook, the owners of Whatsapp, had proactively declared this compromise in Whatsapp's security and helped pinpoint journalists whose phones were compromised. Even though this appears to be a proactive step from Facebook, given its past record of hiding security breaches, or perhaps actively participating in data breaches, as was evident from the Cambridge Analytica case, it was indeed curious as to why Facebook went public with this breach by Pegasus. In addition, given that Whatsapp has been trying to legally compromise the privacy of individuals by forcing them to sign-off their privacy, it would look like a case of the pot calling the kettle black.

However, this earlier brush with Pegasus could perhaps be the reason why Washington Post singled out India this time. But then again, Pegasus was first detected in 2016, and has raised its ugly head in multiple countries globally. So clearly, India being singled out by the consortium of entities that are releasing information from their analysis, seems to be motivated.

However, the question—who in India authorised it—remains? To look into that matter, one should find out who got impacted in India and the possible motivation of the perpetrator to target them.
Based on further updates, the targets apparently include 800 phone numbers (not yet verified) from India, including that of Rahul Gandhi, a key member of a key Opposition party, two serving ministers including the newly-appointed IT Minister Ashwini Vaishnaw, poll strategist Prashant Kishor, 40 journalists, one sitting judge and many business people. The narrative that emerges is that the Union government was targeting them. Clearly, the Indian government stands to benefit by snooping into phones of Opposition politicians and journalists.

However, this narrative becomes questionable when even the name of the recently-appointed IT Minister gets involved. Why is that surprising? Because, for one, the potential value of tracking someone who was not even a minister at the time his phone was tracked, is very low. For another, as anyone who has worked closely with the government would testify, most politicians and ministers use feature phones, popularly called button phones, for their sensitive communications. Feature phones do not have a programmable operating system like in a smartphone, and are hence immune from infection once they leave the factory. Having said that, it still does not take the needle of suspicion away from the government.

Others who could potentially gain from such widespread surveillance are key Opposition politicians themselves. We do have savvy politicians from various parts of the country such as Maharashtra, UP, etc. who harbour ambitions of being the Prime Minister, and they do stand to gain from tapping into the phones of some of the targets. However, as per NSO, they sell their software only to governments, ruling out any non-government player. Or does it? Pegasus has been known to have been used by Mexican drug cartels, to target and intimidate journalists and government representatives. The spyware has likely moved into the hands of non-state actors by now.
So, it could potentially also be Opposition politicians who are behind the surveillance.

AND then we have the possibility of a foreign government or a foreign non-state actor, which launched this surveillance. There would be a million reasons why a foreign entity would be interested in doing so. However, if that is the case, why are phones of the Prime Minister, and those of key defence personnel, not compromised? We don't know the answer, but the chance of such an event should be realistically very slim, not to mention that they typically use feature phones and use over-encrypted communication systems.

Lastly, it is also possible that the surveillance was done by entities having business interests in the country and globally. These could be Indian businesses or foreign ones. For that matter, there is another unanswered question: who funded Forbidden Stories and Amnesty International to embark upon this digital forensic analysis that took months and millions of dollars, and why? Why did they not investigate Whatsapp or Tiktok to check if their apps are snooping on people? Why only Pegasus? Is it a coincidence that Washington Post is owned by Jeff Bezos, the founder of Amazon, one of the largest global e-commerce platforms?

Unfortunately, with the sketchy information available, one can only postulate multiple hypotheses, and arrive at inconclusive deductions. As one of my co-panelists on a TV show on this issue remarked: is the information sketchy or is it dodgy? Perhaps it is both. But one should not get lost in semantics, as the Pegasus case is a watershed moment in the history of our digital civilisation, where perhaps anyone can get into your phone, turn on its camera, watch what you are doing, listen to what you are saying or read what you are reading.
We have surely stepped into an Orwellian society, with anyone and everyone having the ability to snoop.

(Views expressed are personal)
