by Prof Ujjwal K Chowdhury
The Hacking or Snooping Issue:
On October 30 2019, Facebook, the parent company owning Whatsapp, confirmed that Pegasus, a sophisticated snooping software developed by Israel’s NSO group, was used to target Indian lawyers, journalists, opposition political leaders, and Dalit and Adivasi rights activists ahead of 2019 general elections. Facebook is suing NSO for hacking into WhatsApp to infect phones with Pegasus. To be sure, NSO has refused to name its clients. Yet, among the documents filed by Facebook in a California court is a signed contract with Ghana’s National Communications Authority that states the software could be deployed only with written sanction from Israel’s Ministry of Defence. The NSO group has long maintained it sells its software exclusively to governments. Further, the system requires an estimated 4 weeks of testing on local networks — suggesting the company would need ready and prolonged access to local mobile and internet networks to work properly.
NSO is notorious for supplying hacking tools to governments and spy agencies. Among its known 45 buyers are countries including Saudi Arabia and the United Arab Emirates, who have used its tools to hack phones and computers of their critics. It was widely reported that Saudi dissident Jamal Khashoggi’s iPhone was hacked by his country’s intelligence agencies using Pegasus, before his killing at the Saudi’s Istanbul consulate.
The Opposition Resenting: Possible Storm Ahead:
The opposition parties have raised objections to this and it is expected to be raised vociferously in the winter session of the Parliament starting on Nov 17. Two parliamentary panels headed by Congress leaders have decided to examine the WhatsApp snooping case and will seek details from top government officials including the Home Secretary and Information & Technology Secretary on cyber-security and WhatsApp hacking in their next meeting on November 15.
This is so because the facts on the ground suggest two troubling scenarios: the first is that apparently it seems that the Indian government is the culprit behind the snooping in India. The software — which lets a trained operator hijack the microphone, camera and GPS tracker of a targeted phone, read all messages, and snoop on all calls — had been deployed to snoop on activists, lawyers, opposition leaders and public intellectuals involved in the Bhima-Koregaon case. Who other than the government in power would be interested in these people by using a very expensive software sold exclusively to governments?
As for the expenses, one example is sufficient. In December 2015, the documents show, Infralocks Development Ltd, a Ghanain subsidiary of Israel’s NSO group, signed an agreement to sell the Pegasus software to Ghana’s National Communications Authority for a fee of $8 million, along with a service contract worth $1.76 million a year, apart from several other operational costs and access. An NSO user guide, also included in Facebook’s suit, suggests that installing Pegasus is a labourious, expensive and time-consuming process. The Pegasus deployment plan described in the user guide states the entire process can take up to 15 weeks including installation, testing and deployment. Who can afford such expenses, access and terms for snooping?
The second equally troubling scenario is that a group of Indian lawyers, activists and intellectuals were spied on by a foreign government, with the knowledge and sanction of Israel’s defence ministry, and with ready and prolonged access to Indian mobile networks, which itself is a security risk and affront on the right to privacy of the Indian citizens, which had earlier been upheld by the apex court in August 2017.
Indian Government Response:
The Indian government as expected has neither confirmed nor denied its purchase and use of Pegasus. In a statement posted on Twitter Union Minister for Law & Justice, Communications, Electronics & Information Technology Ravi Shankar Prasad simply said that his government had a “well established protocol” for snooping on citizens. The Indian government rather trained its guns against Whatsapp and asked it to explain why and how the Indian citizens have been snooped on. IT ministry had asked WhatsApp for a detailed response to the allegations and on the number of Indian users affected. If we listen to Electronics and Information Technology Minister Ravi Shankar Prasad, all of this is either the fault of the Congress party, which used to bug their opponents phones or Facebook’s fault.
But the opposition is not amused. TMC MP Mohua Moitra said she would not blame WhatsApp entirely for the fiasco. Since the snooping came to light when Facebook, Whatsapp’s parent company, filed a suit in a California court against the NSO group, the company that makes Pegasus, for exploiting a vulnerability in Whatsapp’s architecture.
According to rules notified in 2018 under the Information Technology Act, ten central government agencies have the power to intercept communications. Yet the Home Ministry has refused a clear answer to an RTI request asking if the agencies under the Home Ministry had procured Pegasus. And what about agencies such as the NTRO [National Technical Research Organisation], RAW [Research and Analysis Wing] and the CBI [Central Bureau of Investigation], which are not administratively under the Home Ministry?
Risk of Outsourcing Intelligence:
While the US and western media have been talking about Russia and China, they are largely silent on Israeli agencies and, of course, the US agencies NSA-CIA, and the United Kingdom’s GCHQ. These three intelligence agencies have developed the most extensive suites of software or attack tools to penetrate computers, smart-phones and the switches and routers that are a part of the telecom infrastructure of every country and even every home.
Domestic laws in the US, permissive as they are under their so-called Global War on Terror, still have a modicum of protection on domestic surveillance; even under the FISA or Foreign Intelligence Surveillance Courts, which give American security agencies a very wide latitude.
We know from the revelations of Snowden and WikiLeaks that the US had penetrated the telecom infrastructure of every country and had a backdoor to US-manufactured equipment and software platforms through which it could install spyware.
Israeli agencies work closely with US agencies. The US cannot sell such weapons-grade cyber software or equipment to “friendly” monarchies and fascist rulers as they are barred by export-control rules. In the US, such software is recognized as a weapon, and their exports are strictly controlled. There are no such controls for the Israelis, who use a number of companies that are very closely tied to its military and spy agencies.
NSO and other such companies are essentially a US-Israeli arm: supplying software tools to spy agencies of “friendly” governments. Selling such software tools to governments provides the US and Israel with additional intelligence feeds. Countries, including India, may feel that they have “bought” this software, but it runs on “servers” that have been set up by companies which, once again, are linked to the Israel government.
All information gathered by such software is routed to Israel and American spy agencies. When governments buy this software from foreign sources they are, in effect, partnering with foreign agencies to spy on their own citizens. They are helping foreign powers shape the domestic narrative. If NTRO or RAW have indeed bought Pegasus, the narrative that such hacking can produce can be easily manipulated by Israeli or US spy agencies.
This is the risk of “outsourcing” intelligence operations and tools.
People Whose Smartphones were Hacked:
Several lawyers and activists have confirmed their phones were hacked after WhatsApp confirmed Indian users were targets of surveillance by operators using Israeli company NSO Group’s spyware Pegasus. Nihal Singh Rathod, a human rights lawyer representing several accused in the Bhima-Koregaon case, confirmed he was one of the targets. Rathod learnt he was a target when he was contacted by a researcher from the University of Toronto’s Citizen Lab on October 7, 2019. Rupali Jadhav, an anti-caste activist from Pune who is associated with the Kabir Kala Manch, shared screenshots of messages she had received from both WhatsApp and Citizen Lab. Shubhranshu Choudhary, a journalist and peace activist who has been involved in rehabilitating displaced tribal communities in Chhattisgarh, said that he received the same message from a researcher at University of Toronto’s Citizen Lab that the other targets have received. Chhattisgarh-based human rights activists Bela Bhati said that she was informed (by Citizen Lab) that the Indian government was responsible for this. Writer and academic Anand Teltumbde, who is also an accused in Bhima Koregaon case, told that he was also informed by Citizen Lab and this is a breach of the privacy of people in the highest possible degree. Dalit rights activist and lawyer Degree Prasad Chouhan, who is based in Chhattisgarh’s Raigarh district, told he was not surprised his phone had been compromised. Chouhan’s work focuses on forceful displacement and indigenous communities’ land rights. Ashish Gupta, an activist in Delhi, also said received a call from Citizen Lab and told that he was forcibly thrown out of several WhatsApp groups in July, including those he was an administrator of. Saroj Giri, an assistant professor in the Political Science department of Delhi University, said she got a message from Citizen Lab earlier this month. Shalini Gera, a human rights lawyer with Jagdalpur Legal Aid Group, and Sidhant Sibal, a TV journalist with WION news channel, said they were targeted. Sibal is the channel’s diplomatic and defence correspondent.
Later, Congress leader Priyanka Gandhi and TMC Supremo Mamata Banerjee also claimed that their phones were also apparently hacked though they did not understand the implications initially. It is said that some 140 Indians were at the receiving end of this snooping out of an estimated 1500 globally through the use of Pegasus.
According to Citizen Lab, who informed most whose phones were hacked into, their research shows that once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, and use the GPS function to track a target’s location and movements. WhatsApp has confirmed that the Pegasus software exploited a vulnerability in its voice calling software. The vulnerability, WhatsApp has said, has since been fixed.
NSO, meanwhile, had denied the allegations and said that the sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime and NSO Group maintains the Pegasus software is only sold to government agencies around the world.
Right to Privacy Breached:
Lawyers who helped make the case in favour of recognition of the right to privacy as a constitutionally protected right in the Supreme Court in 2017 expressed dissatisfaction with the Modi government’s two official statements issued thus far, spoke about their concerns relating to the incident and sought concrete action from the government to address the problem of unlawful snooping. These Supreme Court lawyers, like Apar Gupta and Prasanna S, felt what’s “very striking” as well as “very disturbing” about the way activists, journalists and lawyers were spied upon is that, “it is no ordinary surveillance technology which has been procured but a software to hack into devices, which is not an existing legal power” that the agencies possess under current Indian law. They also mention that the government has not categorically denied the purchase of Pegasus from NSO.
Measures Needed Ahead:
Moving ahead, judicial supervision and oversight is one of the minimum standards which needs to be incorporated given that the pre-existing safeguards were made in 1996 when only landline phones were in use, and are not in step with personal data which is gathered today as India becomes a digital democratic society. Given this, there is a need for urgent legislative intervention and surveillance reform in India. There is also the need for ensuring “judicial supervision” of surveillance carried out by security agencies in India to address concerns raised by the WhatsApp snooping incident and to implement the right to privacy judgement in its true spirit.
Also, given the weak data protection regime in India and vulnerability in citizens’ privacy and also in organizational and government data eco-system, India needs data protection legislation to be enacted as well or else faces threat to its data sovereignty. Justice Srikrishna headed the committee that gave detailed recommendations on framing a data and privacy protection law. Its recommendations were submitted in 2018, but the government has dragged its feet in bringing a law to protect the privacy of citizens.
As the WhatsApp NSO issue has emerged in the open it is important to ensure that no other social media platform can be similarly used, and we need to learn how exactly the government can ensure that. It is vital that as a democracy, India remains vigilant about the risk of our freedoms being eroded by technological means. We must not, at any price, become a surveillance state like China or an Orwellian state.
Facebook-owned WhatsApp has over 1.5 billion users globally, of which India accounts for about 400 million. It was a preferred medium due to its data encryption and belief of being beyond hacking, which now lies shattered. The hacking is particularly embarrassing for WhatsApp, which has been publicising its 100% end-to-end encryption widely. They neglected to tell their users that such encryption does not help if the user’s phone is hacked. What compounds their humiliation is that the Pegasus hacking software exploited a security hole in WhatsApp’s software. Soon after it discovered the cyber-attacks in May, the company rolled out a fix, adding “new protections” to their systems and issuing updates.
Further, as a Reuters report on the victims of the WhatsApp Pegasus breach says, “…a ‘significant’ portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. If the NSO’s claims of selling only to governments are correct, either the Pegasus spyware was used by governments to hack each other, or they were victims of Israeli spying.”
To compound the danger, in 2017, NSA and CIA spyware tools were dumped by hackers on the net, where criminals can readily exploit them. This shows how dangerous such software is for everybody, not just activists. Such tools are particularly perilious for they are not the handiwork of merely a few hackers but have the resources of a state behind them.
In short, these are not hacking tools but cyber weapons. That is why governments need to sign a moratorium against developing and deploying them, just as they have for chemical and biological weapons.
The research-based piece is authored by Prof Ujjwal K Chowdhury, currently the Pro Vice Chancellor of Kolkata based Adamas University, and earlier the Dean of Symbiosis and Amity Universities. This piece is based on an extensive reading of reports published on this issue in Reuters reports, Huffington Post, Indian Express, The Wire, Newsclick, Newslaundry, BBC and Scroll, among others.