- On July 18, 2021, Amnesty International and the Indian media outlet ‘The Wire’, in collaboration with 15 other media organisations, started revealing the names of people who were either persons of interest or forensically identified as having been targeted by clients of the NSO Group’s Pegasus spyware.
- Those on the list include heads of state, political figures, activists, students, lawyers and journalists, among others.
Understanding Pegasus
- Pegasus was developed in 2010 by the Israeli firm, the NSO Group.
- The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
- With this spyware, the hackers can hijack the phone’s microphone and camera, turning it into a real-time surveillance device. It can also access private data, including contact lists, calendar events, passwords, text messages, and live voice calls from popular mobile messaging apps.
- In 2019, the social media giant WhatsApp filed a lawsuit in a US court against Israel's NSO Group, alleging that the firm was behind cyber-attacks on the application that infected mobile devices with malicious software.
Decoding "The Pegasus Project" – Investigative Journalism
- Targets of this spyware include known criminals as well as human rights defenders, political opponents, lawyers, diplomats, heads of state and nearly 200 journalists from 24 countries.
- Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.
- Amnesty has published the "Forensic Methodology Report: How to catch NSO Group's Pegasus".
- Amnesty also published various tools and data from this investigation, including a Mobile Verification Toolkit (MVT) and a GitHub repository listing indicators of NSO/Pegasus compromised devices. Interestingly, the tool can also check for other malicious apps on the device.
Supreme Court intervention for Interception in India
- In Public Union for Civil Liberties v Union of India (1996), the Supreme Court pointed out the lack of procedural safeguards in the provisions of the Telegraph Act and laid down certain guidelines for interceptions.
- Tapping is a serious invasion of an individual’s privacy.
- The court noted that authorities engaging in interception were not even maintaining adequate records and logs on interception.
- Among the guidelines issued by the court was the setting up of a review committee that can look into authorisations made under Section 5(2) of the Telegraph Act.
- The Supreme Court’s guidelines formed the basis of introducing Rule 419A in the Telegraph Rules in 2007 and later in the rules prescribed under the IT Act in 2009.
Spyware and National Security Threat to India
- In many ways, any malware or spyware is a threat and violates the law of the land; for example:
- If there is malware on the phone of a (government) minister and hackers intercept it, that violates the Official Secrets Act, 1923, and also the Information Technology Act, 2000.
- On the other hand, if spyware like Pegasus is used to intercept a woman's communications, it is a violation of Section 354D of the IPC (Indian Penal Code). That would be called stalking.
- It is also a violation of the Right to Privacy under Article 21 of the Indian Constitution if the spyware attacks a common citizen and spies on their activity.
- Cyber offence is a necessary tool, and no stone must be left unturned to further national security. However, certain reforms are needed, such as:
- Cyber offensive companies should be categorized as private defence contractors.
- India should have a phase-wise system to wean itself off foreign technologies.
- There needs to be an urgent debate on a “global moratorium” on the sale of spyware.
- Code is a weapon, and buying and selling it needs to be looked at as an act of aggression.
- We need to revisit the notion of sovereignty in the digital era.
- There needs to be a regulator whose permission is needed to purchase and deploy such tools.
- The vendors should have stricter policies on the ultimate use of their weapons.