By Sujit Bhar
Every day, a little more is known about the deadly spyware Pegasus. More than 50,000 phone numbers that have been snooped upon have been released in batches by a consortium of media publications/houses, including The Washington Post, The Guardian and Forbidden Stories.
The Pegasus Project, as it is being called, is an investigation by 17 media organisations in 10 countries, coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. There is help, also, from University of Toronto’s Citizen Lab. In India, The Wire is publishing more details every day.
The question that remains to be asked is: “So, has any harm really come to any of the “victims”, and what can we do about it now?” However, before coming to the critical issue of a solution, one needs to understand the problem.
The short version of the object in focus is as follows: Pegasus is a military grade spyware, developed by a 10-year-old Israeli cybersecurity (now being called “cyberarms”) firm, the NSO Group. The spyware can be covertly installed on mobile phones (and other devices). The software is being continuously upgraded to include most versions of iOS and Android.
And the short version of the problem is that of the numbers this consortium has released, over 300 belong to Indians. This includes those of former Congress President Rahul Gandhi; former Chief Election Commissioner Ashok Lavasa; Union minister of state for Food Processing Industries and Jal Shakti Prahlad Singh Patel (who says: “I don’t think our government will do such work.”); Ashwini Vaishnaw, union minister for Railways, IT and Communications and even his wife; election strategist Prashant Kishor; Trinamool Congress MP Abhishek Banerjee; even Pravin Togadia, former international working president of the VHP. There are a host of journalists and activists on the list too.
Just a few have done forensic analyses of their phones and have reported that their phones have been “infected”, but what relevant information has been picked up from their phones, if any, is not clear. The ultimate issue is about privacy, declared a fundamental right by the Supreme Court, as well as “state-sponsored espionage”, as the Opposition has termed it. The BJP government at the centre has denied these charges, though it has not yet categorically denied its association with the Israeli firm.
The government’s counter-charge is that it will be upon the makers of such allegations to provide evidence which will hold in court. As of now, the entire situation is so nebulous that it will be difficult for a court of law to negotiate it. A PIL has already been filed before the Supreme Court by activist and advocate ML Sharma, seeking a court monitored probe into the massive snooping scandal.
However, while the prosecutor’s office in Paris has announced that it will be opening a probe into allegations by investigative news website Mediapart and two of its journalists that they had been spied on by Morocco with the Pegasus spyware, the Indian government has said it has no plans to institute any such probe. The government’s stand emanates from the fact that real evidences of criminal activity needs to be presented.
Meanwhile, even as days in the Monsoon Session of Parliament were adjourned time and again through uproars by the Opposition, the Parliamentary Standing Committee on Information Technology, headed by Congress MP Sashi Tharoor, will seek “evidence from the representatives of the Ministry of Electronics and Information Technology, Ministry of Home Affairs and Department of Telecommunications on the subject of citizens’ data security and privacy”. Opposition parties are geared up now to raise the matter at the meeting. That is where the problem has converged now, still in a rather nebulous state.
In search of a solution, one needs to realise why such software are needed by state agencies—such as the CIA, Mossad, even India’s RAW etc—in the first place. The NSO has said that it sells only to governments and that too, to fight terrorism. Considering the type of work they do, these claims by NSO can be dismissed as sheer publicity hype at best and complete lies at worst, the latter being most probable.
The Pegasus software was sold to Saudi Arabia, even at a time when Israelis weren’t allowed to even enter that Arab country, and when deposed Prime Minister Binyamin Netanyahu was just about trying to figure out a way to undo the Gordian knot of ages. It is said that spyware such as Pegasus ultimately helped the ice to melt.
Israel has not been forthcoming in allowing or instituting any investigation within the country about this espionage issue on such a huge scale. Even in the absence of Bibi, the Knesset, headed by a coalition formed by Naftali Bennett (Prime Minister) and Yair Lapid, has not moved towards resolving this issue.
NSO is not the only company that manufactures such malware, but the level of sophistication this software has reached makes it a must-have item for all authoritarian and semi-authoritarian administrations around the world. This is a position Israel, Bibi Netanyahu or not, will not be willing to give up.
Therefore, accepting that NSO are a secretive organisation, existing on the lines of secretive terror organisations, the probable way to get to it would be by following the same principles followed in closing in on terror funding networks. Right thinking agencies around the world must treat NSO as an outcast organisation and follow money trails to pin accountability on the buyers of such software. The software is expensive—on occasions, being sold for hundreds of millions of dollars—hence payment would not have been completed in one hawala or hundi transaction. The use of both these transaction methods are accepted as standard (among others) by terror funding outfits, according to a federally funded study conducted by Nikos Passas, called “Informal Value Transfer Systems, Terrorism and Money Laundering”.
For such large amounts, a section of such payments would have been routed through banks, possibly through offshore accounts. Also, since payment would have come from private company fronts of government agencies, these could be easily pinned down and sorted out. Technically, it would be absurd for a government agency to a float a tender, say, for the purchase of spyware. The funding would be covert, routed through legal-looking agencies and sourced from several ambiguous government funds.
Terror funding trails have been followed up with great success in the past. While tracing a terror outfit, the accepted norm is to follow the money. Money for buying arms, direct money transfers for personnel payments and for creating safe houses and training camps, apart from money for a completely covert electronic surveillance effort. Action in this should be similar.
Whatever the methodology adopted, a certain degree of money would be in the open. That is the starting point. For that, though, it will be necessary to have a forensic audit of the NSO Group’s accounts. This will only be possible if the company is implicated in a crime and a court allows such audit. This looks a long shot as of now, unless the US can put pressure on the current dispensation in Israel to relent. The Indian government must put its weight behind this effort, especially since Israel is a friendly country.
Incidentally, though, it cannot be assumed that this, too, will yield the expected result. No transaction of this manner will be as simple as, say, Microsoft selling its latest version of Windows 11 online. It is not clear if it can be proved that any software sold by NSO was Pegasus and not any child’s gaming software. However, in the world of high tech, there are ways to counterbalance evil. And if it was possible to pinpoint a Russian involvement in interfering in the US elections, this issue can be addressed too.
Finally, one has to be clear about the objective in this approach. We have a strange software that can hear you and look into every part of your smart phone. So what did that achieve? Has anyone been hurt? Has anybody suffered because of such alleged intrusion? Has anybody been illegally framed?
The last part is in the realm of possibility, because if the software is able to inspect every aspect of the phone remotely, it can also plant incriminating material in the phone without the knowledge of the owner.
The international media consortium, the Paris investigations and the PIL in India’s Supreme Court are good beginnings. It will now be up to well-meaning governments of the world, including India, to take this up in right earnest.