The Pegasus fiasco: Privacy in peril

Print edition: December 20, 2019

Outside the NSO Group office in Tel Aviv. The company’s software was used to snoop on WhatsApp accounts worldwide. Photo: JACK GUEZ/AFP

Among those whose WhatsApp accounts were reportedly targeted were the activists Anand Teltumbde (above) and Rupali Jadhav. Photo: Mohammed Yousuf

Rupali Jadhav of Kabir Kala Manch. Photo: Special Arrangement

The targeted snooping of WhatsApp accounts in India by malicious software raises concerns about privacy, data protection and citizens’ rights.

The recent reports of targeted snooping on the WhatsApp accounts of some 1,400 individuals worldwide, including 121 in India, by software designed by the Israeli company NSO Group have raised concerns about privacy, data protection and the rights of citizens in free democracies. The spyware, called Pegasus, is designed to be installed remotely to give access to and control over information such as calls, messages and location on mobile devices running Android, on iPhones and on BlackBerry phones.

With surveillance being used increasingly by governments globally to spy on the opposition and political dissidents in the garb of controlling terror-related activities, the dangers of privacy violations of individual citizens have become palpable. With no legislative oversight governing surveillance by the Indian government, the area is effectively an open field, leaving citizens highly vulnerable.

On November 28, while replying to a calling attention motion moved by Congress leader Digvijay Singh in the Rajya Sabha on the reported use of Pegasus, Ravi Shankar Prasad, Union Minister for Information and Technology, hedged questions from the opposition benches as to whether the National Democratic Alliance (NDA) government had a deal with NSO Group. Several opposition MPs flagged similar concerns.

Ravi Shankar Prasad said there was a “standard operating procedure” (SOP) on issues involving the security of the country and that whatever the security agencies had to do for the safety and security of the country would be done in accordance with the SOP. To a direct question by Anand Sharma (Congress) on whether there had been any unauthorised use of Pegasus, he said that no unauthorised interception had been done, without specifically mentioning Pegasus or NSO Group.

It is intriguing that the hacking of phones was carried out in April and May and that WhatsApp informed the government about it twice, first in May and then in September. On its part, the government pleaded ignorance of receiving any such information and even dismissed the apprehensions raised by the Congress, which claimed that its leader Priyanka Gandhi’s phone may have been hacked into by the spyware.

The Parliamentary Standing Committee on Information Technology, headed by Congress MP Shashi Tharoor, discussed the issue at its meeting on November 20.

No one is taking any responsibility for the breach of privacy—neither the government, nor WhatsApp nor NSO Group.

Breach of privacy

Cybersecurity experts told Frontline that this was even more serious as it showed how easy it was for private agencies to conduct illegal surveillance with utter disregard for the rule of law and the privacy of citizens. That the government has been resistant to the idea of setting up an independent inquiry indicates that there is more to it than meets the eye.

If the government did not authorise the surveillance, then it had the moral responsibility to probe the involvement and culpability of both WhatsApp and NSO Group, with more emphasis on the latter. After all, WhatsApp also was a victim, apart from the individuals whose phones had been hacked. However, the government, instead of directing its inquiries at NSO Group, has blamed WhatsApp for not informing it about the hacking, something that the messaging company has refuted. It said that the government was informed about it as were the people whose phones were placed under targeted surveillance. WhatsApp had alerted two dozen people, including academics, activists and journalists, that their phones were under surveillance for a two-week period in May.

NSO Group, on the other hand, denied any involvement in the targeted surveillance of activists and lawyers and said that it was not responsible for the use of the technology by its customers, which were mainly licensed intelligence agencies of governments or their law enforcement agencies.

According to its website, it develops multi-platform cyber intelligence tools for government use only, but it could not disclose which government it had sold the technology to. Pegasus can “remotely” and covertly extract valuable intelligence from virtually any mobile device. It is capable of intercepting communication sent to and from a device, including communication over iMessage, Skype, Telegram, WeChat, FB Messenger and WhatsApp.

It was sometime in mid-May that Facebook, which owns WhatsApp, identified and announced a vulnerability in a WhatsApp service. It patched the vulnerability, informed law enforcement and advised users to update the WhatsApp application.

WhatsApp has sued the Israeli company in California under California state and United States federal statutes. According to details accessed by the Livelaw website, the case was filed by WhatsApp Inc. and Facebook Inc. before the Northern District Court of California. It was alleged that NSO Group used WhatsApp services located in the U.S. and elsewhere to send malware to approximately 1,400 mobile phones and devices of WhatsApp users, infecting their phones in order to conduct surveillance.

Alleging a breach of contract, the complainants said that NSO had used WhatsApp services such as signalling and relay servers without authorisation between April and May. It created WhatsApp accounts as it was unable to break the end-to-end encryption. The complainants said this was a breach of contract as WhatsApp prohibits its users from exploiting its services in an unauthorised manner and with intent to harm its users and WhatsApp services.

According to the complaint filed in the California court, one NSO Group employee was quoted as saying that Facebook had “closed our biggest remote for cellular... it’s on the news all over the world”.

As of June, Facebook had on average 1.5 billion daily active users and 2.41 billion monthly active users. Facebook is WhatsApp’s service provider in terms of both security and infrastructure. An estimated 1.5 billion people in 180 countries use WhatsApp services. India is the biggest market for the app, with more than 400 million users.

WhatsApp claims that it is an encrypted communication service where all conversations, including calls, videos, chats, group chats, images, voice messages and file transfers, are encrypted during transmission to users.

Petition seeks NIA probe

Former Rashtriya Swayamsevak Sangh ideologue K.N. Govindacharya filed a petition in the Supreme Court seeking an investigation by the National Investigation Agency. The petition also demanded that first information reports (FIRs) be registered against WhatsApp, Facebook and NSO Group under relevant sections of the Information Technology (IT) Act and the Indian Penal Code (IPC). Interestingly, the petition also sought to restrain the Government of India from using Pegasus for surveillance purposes, and it sought protection and enforcement of the fundamental right to privacy.

Currently there is no legislation for data protection. Section 69 of the 2000 IT Act allows any government, Central or State, to direct any of its agencies to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource. The government’s surveillance powers are not absolute, however: it can only do so after approval by the Home Secretary.

The Personal Data Protection Bill was introduced in Parliament in 2006. It has been redrafted as the Personal Data Protection Bill, 2018, which recognises the right to privacy of individuals as a fundamental right and the need to protect personal data as an essential facet of informational privacy. It also seeks to establish a Data Protection Authority. This assumes significance after the landmark nine-judge Supreme Court bench judgment in 2017 declaring privacy as a fundamental right, but it is not a comprehensive Bill, cybersecurity experts say.

Victims of surveillance

NSO Group was earlier embroiled in another controversy when it was alleged that it had aided Saudi Arabia and Mexico in spying on their citizens. In the case of Saudi Arabia, it had allegedly provided the Saudi government with software that helped it track the whereabouts of Saudi dissident and The Washington Post journalist Jamal Khashoggi, who was murdered inside the Saudi Consulate in Istanbul.

The Free Software Movement of India (FSMI), a national coalition of various regional and sectoral software movements in India, has condemned “the targeted surveillance of activists, lawyers and journalists with the Israeli Pegasus spyware”.

In a statement, the FSMI said: “The targets include over 40 politicians (earlier reported to be 24), lawyers, journalists and academics in India. Many of those targeted are involved in the Bhima Koregaon case while others are prominent critics of the government.”

It added: “As per the Telegraph Act, the Supreme Court’s judgment in the PUCL case and the current legal framework, surveillance of an individual can be done only on the basis of an order signed by the Home Secretary. Even this surveillance covers only the interception of messages and does not permit any hacking of people’s devices. The use of spyware such as Pegasus is equivalent to an illegal search and seizure of the data and information held privately by an individual on his or her device. While the Cyber & Information Security Division of the Ministry of Home Affairs has said it has no information of the purchase of Pegasus, the government is yet to declare that no department has purchased the spyware.”

FSMI demanded that the Government of India clarify whether any of its agencies had used Pegasus against anyone in the country and, if so, it must immediately take action against those responsible. The theft of personal information, it said, must be punished as per the law. It also said that a comprehensive data protection law must be passed to safeguard the rights and information of individuals.

All this has happened even as the government has drafted guidelines for intermediaries, some features of which are problematic as they give overarching powers to the government over social media. The Internet Freedom Foundation (IFF), an advocacy group on digital rights and liberties that defends online freedom in India, said the disclosures by WhatsApp raised “some extremely disturbing questions about likely illegal hacking by unknown government agencies or other actors operating in India” and suggested that there was a “flagrant disregard for the rule of law and contempt for our fundamental right to privacy”.

The IFF demanded that the government issue an official public statement providing complete information and clarify which law empowered it to install spyware. No such power existed under Indian law and the pre-existing surveillance powers under the Telegraph Act, 1885, and the IT Act, 2000, did not permit the installation of spyware or hacking mobile devices. Hacking of computer resources was a criminal offence under the IT Act, it said.

Pawan Duggal, a Supreme Court lawyer and chairman of the International Commission on Cyber Security Law, told Frontline that the incident was a wake-up call for the government, more so after the historic K.S. Puttaswamy judgment (Justice (retd) K.S. Puttaswamy vs Union of India and others) where the right to privacy was upheld as a fundamental right.

“The tool used for snooping is so expensive that it can only be purchased by the government of a country. Nothing on the Internet is safe. WhatsApp has been hacked repeatedly across the world. It says that it informed the government in May itself, but the government says it was in the form of an advisory. I think WhatsApp should have informed the government about the cybersecurity breach of each one of the 121 people identified in India as each case would constitute separate cybersecurity breaches.

The Indian government has to clarify the data breach notification dated January 4, 2017, and more teeth need to be given to it. The breach notification system has to be strengthened,” he said.

India did not have a dedicated cybersecurity law, and the IT laws were not capable of dealing with cybersecurity challenges, he added. “People need to shed their herd mentality and not download applications without reading the terms and conditions completely and save only limited information on their mobiles. Lots of confidential data are shared without properly securing it,” he said.

In the latest case, WhatsApp was not entirely free from blame as it had “failed to demonstrate what it did to prevent the breach from occurring and there was no information in the public domain as to how it complies with the IT Act”, he said.

He added that this “propaganda of end-to-end encryption” should be stopped as what was not told to people was that information “beyond encryption was capable of being hacked into”. Duggal said that it actually “tends to give a distorted picture of WhatsApp being secure”. He also said that there was a lot of explaining the government needed to do and that an investigation was the first mandatory requirement in this case.

“There has been no FIR, no investigation ordered, only lip service. This conduct does not inspire confidence. The actions show commission of offences by both NSO and WhatsApp. Both of them can be booked under the IT Act for criminal offences but then there is a lack of political will,” he said.

The proposed Data Protection Bill was only a piece of a “sub-set” legislation and did not deal with all kinds of data, according to him.

He said that the questions and challenges that have risen in the NSO-WhatsApp episode could not be dealt with adequately under the proposed legislation or even the IT Act, and if India desired to be in the league of superpowers, it needed to take steps for cybersecurity and cyber-sovereignty as well. “Such episodes puncture holes in our cyber-sovereignty. We need to customise the experience from other countries like Singapore, China, Vietnam and Australia. It is a question of our national security too,” said Duggal.
