The Government of India has responded to a questionnaire sent by the consortium of journalists part of the Pegasus Project. It says that the questionnaire sent to it indicates that the story being crafted is “one that is not only bereft of facts but also founded in pre-conceived conclusions.”
Report on Pegasus Spyware
A consortium of 17 international journalistic organizations published an investigative report yesterday about the attempted and successful hacking of 37 smartphones belonging to journalists, government officials, and human rights activists around the world. The hacking was allegedly done using Israel-based NSO group’s Pegasus spyware. The spyware infects smartphones to enable extraction of messages, photos, and email; record calls; and secretly activate microphones, according to The Guardian.
The reporters at Forbidden Stories, a Paris-based not-for-profit media foundation, and Amnesty International have reportedly accessed a list of 50,000 phone numbers reportedly given by clients of the NSO group. Reporters were able to identify and attribute to 1,000 people spanning more than 50 countries.
The numbers belong to several Arab Royal Family Members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials, including cabinet ministers, heads of state, and prime ministers.
The consortium says that this is the beginning of a series of revelations. They will release the identities of the targets of these hacks in the coming days.
How does Pegasus work?
Pegasus attempts to intrude into a target’s phone through a spear-phishing campaign. Once a user clicks on a link that he receives on his phone through a text message or WhatsApp, or email, the link secretly installs spyware on the phone. After a successful installation, it creates a connection to its handler and transmits the desired information including messages, photos, location, and email.
However, in recent years, Pegasus has also been known to be installed using “zero-click” methods which exploit vulnerabilities that software/ phone manufacturers are yet to discover. Customers can also install the software using a wireless transceiver located near a target, according to an NSO brochure.
Authenticity of the Report
Firstly, the consortium is yet to disclose the source of the 50,000 phone numbers. The NSO group says it neither operates the systems it sells to government customers nor does it maintain access to the data of its customers’ targets.
Secondly, the report is based on Amnesty’s technology team’s forensic analysis of a small number of phones (67) whose number appeared on the list. Of all the phones analyzed, half of them (37) had traces of the Pegasus spyware. However, the presence of a number in the list doesn’t necessarily mean that it was hacked. To find any infection, only a forensic analysis of the phone would suffice.
Thirdly, Amnesty shared findings of four phones with Canada-based Citizen Lab. The Lab has confirmed that the analyzed phones showed signs of Pegasus infection. It has also peer-reviewed Amnesty’s forensic methods and found them to be sound.
With these caveats, it would be interesting to see how this story unfolds.
NSO group’s response
The NSO Group has denied the report as false claims. However, it has said it would “continue to investigate all credible claims of misuse and take appropriate action”. It also said that the list accessed by reporters could not be a list of numbers targeted by governments using Pegasus. It also remarked the 50,000 figure as exaggerated.
NSO further said that it only sells its software to military, law enforcement, and intelligence agencies after vetting their human rights records.
A Contract Violation?
According to The Guardian’s report, the Israeli minister of defense closely regulates the sale of Pegasus to countries. The NSO group can sell the software to a new country only once the Ministry grants individual export licenses to the country.
The export license is granted so that customer countries could use it only for criminal and national security investigations. However, the presence of phone numbers of people with no criminal record, activists, and journalists investigating corruption, indicates that customers are in breach of a contract, the excerpts of which NSO had published last month.
The report names the Indian government as one of the clients of the NSO group. The consortium sent a questionnaire to the government, to which it has now responded.
In its response, the government says that India is a robust democracy that is committed to ensuring the right to privacy of all its citizens as a fundamental right. It adds that it has also introduced the Personal Data Protection Bill, 2019, and the new intermediary rules to protect the personal data of individuals.
On the questionnaire, it said that the “story being crafted is one that is not only bereft of facts but also founded in pre-conceived conclusions.” It accuses the consortium of “trying to play the role of an investigator, prosecutor as well as jury.”
The government further says that the Government of India’s response to an RTI application about the use of Pegasus has been prominently reported by media earlier and is sufficient to counter any malicious claims about the alleged association between the Government of India and Pegasus.
Lastly, the government says that India already has a well-established procedure through which lawful interception of electronic communication is carried out for specific purposes. Here’s the full response.