NSO-Pegasus case: Set up an independent inquiry panel and conduct its proceedings transparently

The Pegasus spyware of the NSO Group can hack both iOS and Android devices by targeting vulnerabilities in the operating systems. It is capable of running in the background without the targeted user ever knowing about the hack.

by Apar Gupta

The Preamble of India’s Constitution opens with three words: “We the People…”. But given last week’s revelations on the Israeli company, NSO, and its Pegasus spyware scandal in India, many citizens are today wondering whether the line in the Constitution should read, “We the people are under watch”.

Last week, WhatsApp sued the NSO Group, a surveillance firm, for allegedly hacking the messaging platform to spy on about 1,400 users. The targeted users included activists, journalists, and senior government officials, among others. WhatsApp alleged that the NSO Group exploited a vulnerability in its video-calling feature to conduct the cyber attacks. This, WhatsApp confirmed, has now been fixed.

Pegasus is believed to be one of the most sophisticated pieces of spyware in the world. The spyware can hack both iOS and Android devices by targeting vulnerabilities in the operating systems. It is capable of running in the background without the targeted user ever knowing about the hack. Once the spyware is installed on a device, it accesses critical and private data of users such as contacts, messages, passwords, and even live voice calls. The spyware can also remotely switch on the affected device’s camera and microphone.

This intrusion by the spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus for three reasons.

The first lies in the nature of modern communications, which are conducted on devices that gather incredible amounts of personal data and have sophisticated sensors. The convenience that these devices provide has added tremendous value to our lives, and we have invited them into our most intimate spaces of work, family, and play. Hence, the security of a device becomes one of the fundamental bedrocks of maintaining user trust as society becomes more and more digitised. The Pegasus spyware completely erodes such comfort and has left many citizens of the country wondering about practical ways to secure their devices. They are asking whether their microphones and cameras were switched on without their knowledge, and whether their most private and intimate moments were captured. Here the vague-but-repeated denials by the Government of India on the unauthorised use of spyware undermine these critical values. They make the users of these devices fearful, lead them to self-censor their usage, and breed an instinct of Luddism.

The second is by virtue of the interconnection of networks, where a single compromised device can put the integrity of the entire network at risk. Hence, not only every contact in the address book of a person whose device has been infected with spyware, but even people who are not listed there and are only met in person, can be put under surveillance.

This is a plain fact, as the Pegasus software, which could be remotely activated, even provides for a geofencing feature where the cellphone would automatically start a secret recording when the target is within the periphery of a specific geographical location. This is extremely alarming given that activists, journalists and lawyers routinely correspond and have relationships and sensitive conversations with government officials.

The final reason has to do with the specific nature of the foreign vendor, the NSO Group. As per the NSO Group’s website, “NSO products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror.” Further, it is regulated under an Israeli law that requires an export permit granted by the Israeli Defence Export Control Agency (DECA), which permits such sale only to foreign governments.

This is also confirmed by the contract between NSO and the government of Ghana, which states that the DECA also oversees and approves each such agreement. The logical sequitur is that such sale of spyware is only permitted to a government agency approved by the Israeli government. Hence, if the Government of India did not procure such spyware to spy on Indian citizens, then who did?

To date, there have been three denials by the central government (the ministry of electronics and information technology, the ministry of home affairs, and CERT-IN, a technical body that probes cyber threats). Interestingly, these are not formal press statements put out through the Press Information Bureau.

Such an approach betrays a failure to appreciate the injury and threats to individuals and the country. There is an urgent need to take up this issue seriously by constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.

We must all recognise that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware. This is a core part of our fundamental right to privacy.

Apar Gupta is a lawyer and the Executive Director of the Internet Freedom Foundation.