A recent report by Amnesty International revealed that governments across the world have used the Pegasus spyware developed by the NSO group from Israel to conduct targeted surveillance on their own citizens. Recent reports of its use by the Indian government on journalists, activists, and political leaders raised concerns on the targeted use of this software to spy on its citizens. It is reported that around 300 people in India have been targeted, with 10 of them being already confirmed to be affected.
The report states that around 40 journalists from different media houses were targeted between 2017-2021. New revelations have estimated that more than 300 Indians have been spied on.
As published by the Citizens Lab in 2018, the NSO group's Pegasus spyware was in use in 45 countries and had been expanding since then. In 2019, journalists and human rights activists from India were arrested under Unlawful Activities (Prevention) Act under suspicious evidence. Independent forensic analysis found that the incriminating evidence was implanted using the NSO's Pegasus spyware. Human rights activist Stan Swamy who was arrested on the same case was denied bail in spite of suffering from Parkinson's disease. He recently passed away in jail.
What is Pegasus?
Pegasus is a proprietary surveillance software developed by NSO group, an Israeli technology firm that develops surveillance technology. As per NSO group's statement, this software is only sold to governments across the world.
How does it work?
This spyware has access to the device and its applications, such as turning on the microphone to record voices and camera for pictures/videos, GPS for your location, and movement tracking. All the above are executed automatically without your intervention.
Nature of the attacks
The targeted device is taken control of just by sending an SMS or WhatsApp message. This will immediately take control of the device and start downloading the Pegasus spyware. It is to be noted that we don't even need to click the link sent making it a "zero-click" attack.
Another way is to send a link which the target clicks, after which it installs Pegasus spyware without the user's consent. Once Pegasus is installed, the phone gets exploited, the device starts sending private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps as per the commands. The attacker can even turn on the phone's camera and microphone to capture the target's activities.
The attacks can be initiated by just a WhatsApp call as well. Even a missed WhatsApp call could trigger a series of events that leads to the compromising of the device. This is a clear indication that Facebook and WhatsApp's claim of end-to-end encryption and security is misleading and untrue.
Who was affected by it?
The Amnesty report published a list of targets, including former Election Commisioner, former Supreme Court Chief Justice of India (CJI), leaders of some political parties, journalists, human rights activists, lawyers, scientists, and other prominent Indian citizens.
Targeted spying is a threat to an individual being monitored his whole life by having full control against one's privacy, dignity, and freedom to express civilian and political rights. It is blatant abuse and violation of human rights.
It is being reported that the former Election Commissioner and key political opponents (including Rahul Gandhi) are among the potential targets affected by this spyware. If this is true, the spyware could be used to extract data from them, control their devices entirely, and leverage the spyware to influence and control electoral outcomes, thus disrupting and violating our democratic process.
A government engaging in unlawful surveillance of its citizens is an abuse of executive power. Usage of Pegasus spyware amounts to a criminal activity as the users' phones must be cracked and exploited. By using the Pegasus spyware against its citizens, the government is engaging in criminal activity. It is also to be noted that, NSO, a foreign entity, has complete access to the devices and data of Indian citizens, which makes it a national security threat and leaves our country vulnerable.
In 2019, former IT minister, when faced with a question on the use of Pegasus software, avoided the query by saying that there has been no unauthorized spying to the "best of my knowledge". Even now, Ashwani Vaishnaw, the current IT minister, has not categorically denied the usage of Pegasus spyware.
The complicity of tech companies
We have seen that Pegasus spyware has used WhatsApp as an entry point to the phone. The Amnesty report highlights the vulnerabilities of IOS (iPhone), Android, and Windows operating systems to the spyware. How is Pegasus able to access these software systems and take control of the device completely?
In Edward Snowden's revelations about mass surveillance, it was revealed that digital monopolies like Google, Amazon, Facebook, Apple, and Microsoft were complicit in surveilling people worldwide and giving access to their data to NSA and other foreign agencies through the PRISM program. There must be an investigation into the possible complicity of these companies with the NSO group and the Pegasus spyware.
This surveillance is possible because the software is closed and controlled by these digital monopolies. Only by adopting free and open source software we can have the possibility of a robust software devoid of any vulnerabilities. Privacy is impossible without free software which respects users' freedom and allows the software to be audited, improved, and secured by the developer community. We should move away from apps and platforms developed by data monopolies towards a free, open, and privacy-protecting software. (Link)
Serious concerns have once again raised the questions of privacy, a fundamental right in accordance with the Justice Puttaswamy judgement, and manufacturing fake evidence to incriminate human rights activists. The government must come clean about the usage of Pegasus spyware and other NSO group malware. There must be an investigation on the use and implications of the spyware. Its current usage must cease and further usage be prohibited under law.
The Election Commission must investigate the usage of Pegasus and other surveillance and spyware, taking swift action in order to protect our democratic process.
The authors Praveen Gorla is Machine Learning Research Scholar, Researcher at Free Software Movement of India(FSMI), Naveen Cherukupalle, and Yuvraj Makkena are Security Researchers at Swecha.