Context: The Pegasus scandal is a matter of grave concern for Indian democracy.
More in the news:
- The target list includes an extensive host of public figures in India.
- In the past, similar claims were made regarding the use of Pegasus on WhatsApp by the Indian state.
- Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
- WhatsApp was one of the attack vectors used to infiltrate the mobile phones of selected targets using Pegasus.
- Other known vectors include SMS and iPhone’s iMessage service in addition to unknown vulnerabilities that a Pegasus user might exploit to install the spyware.
- WhatsApp sued the NSO Group in a federal court in San Francisco, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices (Target Devices).
- For the purpose of conducting surveillance of specific WhatsApp users (Target Users).
- The NSO Group is a Tel Aviv-based cybersecurity company.
- It specialises in “surveillance technology” and claims to help governments and law enforcement agencies across the world fight crime and terrorism.
- Companies managing tech products and solutions even have bounty programmes to reward independent cybersecurity researchers for detecting flaws they may have missed themselves.
- In such an ecosystem, a cyber-offensive tool that would be lapped up by governments around the world would require the tool to trick not only the targets but also the platform through which it is delivered.
- It has built such a tool — Pegasus, the world’s most invasive spyware.
- It can find a route into a target’s device that is unknown to the developer of the device and its software, and without requiring the target to take any action such as clicking a link.
- Its first known state client (Mexico) then equipping itself with cyber-espionage tools to fight drug trafficking, went beyond the script.
- The Mexican government liked Pegasus so much it ended up equipping several of its agencies with the spyware tool.
- It is spyware, they spy on people through their phones.
- It works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
- The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
- The Pegasus tool at that time exploited a software chink in Apple’s iOS to take over the device.
- Apple responded by pushing out an update to “patch” or fix the issue.
- Pegasus delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission.
- A zero-day exploit is a completely unknown vulnerability, about which even the software manufacturer is not aware, and there is, thus, no patch or fix available for it.
- In the specific cases of Apple and WhatsApp, therefore, neither company was aware of the security vulnerability, which was used to exploit the software and take over the device.
Once installed, what can Pegasus do?
- It can send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
- The target’s phone camera and microphone can be turned on to capture all activity in the phone’s vicinity, expanding the scope of the surveillance.
- All of this takes place without the target user’s knowledge.
- Pegasus can work on BlackBerry, Android, iOS (iPhone) and Symbian-based devices.
Can Pegasus be used to target just about anyone?
- Technically, yes. But while tools such as Pegasus can be used for mass surveillance; it would seem likely that only selected individuals would be targeted.
- The NSO Group, while disputing WhatsApp’s allegations in the strongest possible terms, has said that:
- It provides the tool exclusively to licensed government intelligence and law enforcement agencies, and not just to anyone who wants it.
Indian Government Response:
- The Ministry of Information Technology (IT) and Communications, told the Lok Sabha that illegal surveillance was not possible in India, given its laws and robust institutions.
- According to it, news reports about the Pegasus software being used to illegally tap phones was an attempt to malign the Indian democracy.
- In the past, similar claims were made regarding the use of Pegasus on WhatsApp.
- Those reports had no factual basis and were denied by all parties, including in the Supreme Court.
- The Israeli company NSO, refusing the claims and pointing out factual inaccuracies.
- The IT minister cited that Section 69 of the IT Act and Section 5 of the Telegraph Act contain provisions for lawful interception of electronic communication for the purpose of national security.
- The government claims all its surveillance is authorised and justified.
- WhatsApp CEO has called on governments and companies to take steps to hold the Israeli technology firm accountable.
- WhatsApp in 2019 sued the NSO group, accusing it of using the former’s messaging service to conduct cyber-espionage on roughly 1,400 user accounts, including those of journalists and human rights activists.
- The use of cyber spy software to hack smartphones even by the government is prohibited under Indian laws.
- A significant number of Indians reportedly affected by Pegasus this time are again journalists.
- The World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021.
- The press requires (and in democracies is afforded) greater protections on speech and privacy. Privacy and free speech are what enable good reporting.
- The government, in its purported undated and unsigned response, relied on existing provisions of law under the Indian Telegraph Act of 1885 and the Information Technology (IT) Act of 2000.
- No provision, however, allows the government to hack the phones of any individual since the hacking of computer resources, including mobile phones and apps, is a criminal offence under the IT Act.
- Surveillance itself, whether under a provision of law or without it, is a gross violation of the fundamental rights of citizens.
- It impacts the right to privacy and the exercise of freedom of speech and personal liberty under Articles 19 and 21 of the Constitution, respectively.
- Such surveillance, when carried out entirely by the executive, curtails Articles 32 and 226 of the Constitution (empowering the Supreme Court and High Courts, respectively, to issue certain writs) as it happens in secret.
- The affected person is unable to show a breach of their rights.
- This violates not only the ideals of due process and the separation of powers but also goes against the requirement of procedural safeguards as mandated in K.S. Puttaswamy (Retd) v. Union of India (2017).
- The programmes such as CMS, TCIS, NETRA, CCTNS, and so on, none of which has been authorised by any statute, and thus fall short of the 2017 K.S. Puttaswamy judgment.
- In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”.
- Since they are not constituted under a statute passed by Parliament — the National Intelligence Agency being an exception.
- In its 2019 election manifesto, the Indian National Congress was a first for a national political party called for parliamentary oversight of intelligence agencies.
- Role of Judiciary.
- Only the judiciary can be competent to decide whether specific instances of surveillance are:
- Whether less onerous alternatives are available, and
- To balance the necessity of the government’s objectives with the rights of the impacted individuals.
- The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking in particular, is also essential;
- Because the leaked database of targeted numbers contained the phone number of a sitting Supreme Court judge, which further calls into question the independence of the judiciary in India.
Threats to democracy:
- The phones of the woman who had complained of sexual harassment against a former Chief Justice, and her family, might have been subject to this form of surveillance is chilling.
- If the shadow of Pegasus also hangs on the case, the court will be seen not just as an error-prone institution, but one whose proceedings are possibly impacted by shadowy surveillance.
- Officials of the Election Commission, and political colleagues subject to this kind of surveillance, will inspire less confidence in free and fair elections.
- It raises the question of what methods might in future be adopted to turn the course of elections.
- The national security implications of these revelations are enormous:
- The explosive growth of surveillance technology vendors is a global security and human rights problem.
- It is not primarily China, but democratic states like Israel and UK, that are selling technologies for deepening the surveillance powers of states.
- There needs to be a global compact, or at least one amongst democratic states, on regulating these technologies.
- Even if authorised (which is doubtful), the use of Pegasus poses a national security risk.
- Pegasus is not just a surveillance tool. It is a cyber-weapon being unleashed on the Indian polity.
Examples of State Surveillances:
- In 2012 in Himachal Pradesh:
- The new government raided police agencies and recovered over a lakh phone conversations of over a thousand people.
- Mainly political members, and many senior police officials, including the Director General of Police (DGP), who is legally responsible for conducting phone taps in the State.
- In 2013, India’s current Home Minister was embroiled in a controversy dubbed “Snoopgate”, with phone recordings alleged to be of him speaking to the head of an anti-terrorism unit to conduct covert surveillance on a young architect and her family members without any legal basis.
- The Gujarat government admitted the surveillance, including phone tapping, but claimed it was done on the basis of a request made to the Chief Minister by the woman’s father.
- Yet, no order signed by the State’s Home Secretary (a legal necessity for a phone tap) was ever produced.
- The Gujarat High Court shut down an inquiry into “Snoopgate” upon the request of the architect and her father, on the shocking basis that it “did not involve public interest”.
- In 2009, the United Progressive Alliance government swore in an affidavit in the Supreme Court that the CBDT had placed Niira Radia, a well-connected PR professional, under surveillance due to fears of her being a foreign spy.
- Yet, while they kept her under surveillance for 300 days, they did not prosecute her for espionage.
- There are dozens of such examples of unlawful surveillance which seem to be for political and personal gain.
- These have nothing to do with national security or organised crime.
- Yet, there are few examples of people being held legally accountable for unlawful surveillance.
- Surveillance reform is the need of the hour in India.
- Not only are existing protections weak but the proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities.
- Post-Watergate reforms:
- The legacy of the Church Committee can be seen in the fact that the Snowden revelations in 2013 did not uncover any spying on Opposition politicians, journalists, judges, and human rights defenders for partisan political ends.
- What was shocking about the Snowden revelations was the extent of NSA’s surveillance, the overreach of the powers provided under the PATRIOT Act;
- As well as the lack of sufficient checks and balances provided by the Foreign Intelligence Surveillance Court.
- The Snowden revelations led to meaningful reform of that court, and controversial domestic surveillance provisions of the PATRIOT Act expired in 2020.
- India need reforms aimed at:
- Professionalising intelligence gathering,
- Bringing intelligence agencies under parliamentary oversight,
- Making them non-partisan, and
- Ensuring that civil liberties and rule of law are protected.
- This is India’s Watergate moment, and the Supreme Court and Parliament should seize it.
About the Zero-Click attacks:
- One of the worrying aspects of the Pegasus spyware is how it has evolved from its earlier spear-phishing methods using text links or messages to zero-click attacks which do not require any action from the phone’s user.
- This has made it the most powerful spyware out there, more potent and almost impossible to detect or stop.
- Working of the Zero-click:
- A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error.
- So all awareness about how to avoid a phishing attack or which links not to click is pointless if the target is the system itself.
- Most of these attacks exploit software that receives data even before it can determine whether what is coming in is trustworthy or not, like an email client.
- The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
- Can Zero click be protected?
- Zero-click attacks are hard to detect given their nature and hence even harder to prevent.
- Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
- Ensure all operating systems and software are up to date so that they would have the patches for at least vulnerabilities that have been spotted.
- One way to go is to stop using apps altogether and switch to the browser for checking emails or social media, even on the phone.
More About Types of Cyber Attacks.
More about the Cybersecurity in India.