The Pegasus Spyware Scandal: A Detailed Analysis

Introduction

Pegasus which is named after the winged horse of Greek mythology, is a Trojan virus that can be inducted into any electronic gadget to collect sensitive user data sets. It is a spyware software that can be secretly introduced on cell phones and other gadgets which run on platforms like iOS and Android. This software is capable of tracking various user data from the gadget on which it is installed. It is capable of reading messages, tracking call details, collecting passwords, tracking location as well as recording audio and video from the microphone and camera of the device on which it is installed.

Who developed it?

Pegasus has been developed by the Israeli cyber security firm NSO Group. NSO (Niv Shalev and Omri) is a subsidiary of the Q Cyber Technologies group of companies and is based in Herzliya near Tel Aviv, Israel. But, contrary to this is the fact that its three founders after whom the group is named, were ex-members of Unit 8200, the Israeli Intelligence Corps unit which worked on the signal intelligence for the country. After its inception, the group was alleged to be involved in many controversies of a privacy breach and spying and selling of the user data. The Pegasus Spyware Scandal was one of the biggest of such controversies and attracted huge public attention and agitation.

What is it used for?

The developers of the Pegasus software claim that it was developed and used only for keeping a check on the criminals and terrorists but later on through various reports it was revealed that this software was used by the authoritarian governments to spy on the critics and the opponents. Many reports also claimed that the states were carrying on surveillance on the people and eminent personalities whose views differed from the ideology of the government.

How is it different from other spyware software?

Pegasus is termed as a cyber weapon by security experts. Unlike other spyware software, Pegasus can be installed on all electronic devices performing on Android and iOS platforms. Further, it can track more user data than any other spyware software. It can read private messages, record audio, and video, track location and collect passwords of the target device at the same time. Another unique thing about this software is that it can be installed on the device with just a push message sent over-the-air (OTA) without any interaction with the phone. The user would not be aware of its installation and cannot control it even if it comes to their knowledge. NSO claims that due to such diversities Pegasus is different and, in a way, better than all the similar software available in the market.

What is the Pegasus Spyware Scandal?

Pegasus, a spyware software was first developed for snooping on the criminals and terrorists by the state of Israel. But on the contrary, in recent times it was revealed that this software was being used to keep surveillance on the government’s critics and opponents. The NSO group which developed this software was alleged to be involved in various deals with the government of many countries. Under this deal, the group conducted surveillance of journalists, reporters, jurists, politicians, and other eminent personalities for the government.

Who all were targeted?

The targets of this spyware were not restricted to a single country but they were all around the world. The NSO group went against its motive of using this software for surveillance of terrorists and criminals and sold the spyware to various governments and organizations for surveillance of common citizens and government critics. Reports claim that Pegasus was used in countries like Bahrain, India, Mexico, Morocco, Palestine, Saudi Arabia, and UAE for keeping a track of critics. The ministers, politicians, opposition leaders, judges, journalists, and other famous personalities of these countries were on the radar of the Project Pegasus. These people were being targeted to bring political turmoil to the states.

What information was compromised and how was it breaching privacy?

Reports claim that much of the private data of the target device users was leaked and sold by the NSO group to various organizations. The targets were mainly politicians, activists, and government critics so every information against the government was made available to the government. This information includes much of the private and sensitive data of the users. The user’s personal and active life was fully compromised and every call and conversation was recorded.

After installation on the target device, this spyware contacts its server and executes the instructions, and sends the target device’s private data such as text messages, contacts, call recordings, passwords, sync data, location, and also control the camera and microphone of the device. This means that any call that you make from your mobile could be heard and recorded by the attacker and that too without your notice. The attackers have all the control over the device’s camera and microphone so they can activate it at any time to record the user’s private discussions and capture his pictures. The attacker at any time will be aware of the present location of the user. By getting access to the passwords of the user’s social media accounts and other accounts the attacker can get access to all kinds of private as well as sensitive data of the user and can misuse it at his wish. The owner of the device would not be able to track its installation and even can’t be traced with other software. The attacker can deactivate and uninstall this spyware at any time. In a way, this spyware is always active in the background while you are using your device. This means that the life which you consider as private and the data that you consider secret or sensitive would become public any time by the wish of the attacker.

How was it revealed?

Pegasus first came in limelight in the year 2016 after an investigation of a failed installation attempt on the iPhone of a human rights activist. This investigation revealed details about the abilities and the vulnerabilities of the spyware. This news attracted huge media coverage and was termed as “the most sophisticated smartphone attack ever” but this attack was restricted so the news got buried very easily. But in the year 2020, an intelligence report from various newspapers claimed that the NSO group sold this software to the Gulf countries for surveillance of journalists and political leaders with the support of the Israeli government. Recently in July 2021, widespread media coverage and analysis by the human rights group Amnesty International revealed that the Pegasus spyware software was still used against high-profile targets. Reports claimed that the software was used to snoop on targets all across the globe including India and much user private data was compromised by this surveillance. An independent investigation by 17 media agencies discovered more on the Project Pegasus.

India and the Pegasus Scandal

Even India, the world’s largest democracy could not defend itself against the Pegasus spyware attack. In the year 2019, the Facebook company brought a suit against NSO, for the use of Pegasus software for intercepting WhatsApp chats of journalists, activists, and bureaucrats. As the case proceeded there was an allegation even on the government for its involvement. Recently in 2021, the contact details of many ministers, opposition leaders, journalists, and other independent authorities were alleged to be found in the NSO hacking targets database of Project Pegasus.

Who all were the targets in India?

In India in recent forensic analysis of the target mobile phones revealed that there was an attempt or successful installation of the software on these phones. These were the contacts present in the database of NSO Project Pegasus. The list included contact details of many ministers, opposition leaders, journalists, jurists, eminent personalities, and government critics. The investigative journalism undertaken by 17 media organizations revealed that the list also contained contact details of politician Rahul Gandhi and five of his close aides, strategist Prashant Kishor, ex-Election Commissioner Ashok Lavasa, ex-CBI Director Alok Verma, ex-CM of Karnataka H.D. Kumaraswamy, and state’s other politicians. Journalist and founder of “The Wire”, Siddharth Varadarajan, left-wing student activist Umar Khalid, activist Stan Swamy and Rona Wilson, Union Minister for Electronics and Information Technology Ashwini Vaishnav, a close aide of Delhi CM Arvind Kejriwal, close aides of 14th Dalai Lama Tenzin Gyatso and 11 contacts of the female employee of the Supreme Court who alleged former Chief Justice of India Ranjan Gogoi of sexual harassment were some of the other persons put on surveillance among the 50,000 targets of the NSO group in India.

How is it a threat to the Right to Privacy?

Privacy is a state of being free from public attention or not being observed or disturbed by other people. The Pegasus spyware gathered personal data from the phones and other devices of the users and compromised this independence. This was a complete violation of the Right to Privacy and Right to Freedom ensured by our constitution. People’s personal lives became public. They were not aware that somebody was always listening to their every conversation and that person has all the necessary details sensitive information to bring turmoil to the user’s private as well as public life. Such attacks also violate the Information Technology (Amendment) Act 2020 which has strict provisions for dealing with any violation of the user’s Right to Privacy which was guaranteed in the case of Justice K.S. Puttaswamy (Retd) vs Union of India on 26 September 2018. In this case, the nine-judge bench of the Supreme Court of India held unanimously that “the right to privacy was a constitutionally protected right in India, as well as being incidental to other freedoms guaranteed by the Indian Constitution”.

In the world’s largest democracy, despite the presence of such strict governing laws if these attacks happen to target the freedom and privacy of the individuals then the trust of the citizens is shaken and the foundation of the democracy is destroyed. The development of a country can never be expected if the social security of the citizen is not ensured. In the present case also, the Supreme Court saw this spyware attack as an attack on privacy rights and noted that “certain limitations exist” but “any restrictions imposed must necessarily pass constitutional scrutiny”. The bench also said that “the right to privacy is directly infringed when there is surveillance or spying done on an individual, either by the State or by any external agency” and “if done by the State, the same must be justified on constitutional grounds”. So, if the government fails to keep a check on these attacks or if the government is itself involved in such surveillance, then the whole concept of a civilized society is nothing but a myth.

Supreme Court’s Stand

After this attack was reported by the media, there was increased agitation in the citizens and activists. Many people described it as a violation of their right to freedom and right to privacy. Many of the activists approached the apex court of the country to prevent the violation of their basic rights. Several writ petitions were filed in the Supreme Court of India provoking its jurisdiction under Article 32. These matters were jointly listed for hearing and the matter was heard by the bench headed by the Chief Justice of India comprising of CJI Justice N.V. Ramana, Justice Surya Kant, and Justice Hima Kohli. The matter was last heard on 27th October 2021 and the bench ordered an independent expert committee to probe into the allegations of surveillance of 50,000 people with the use of the Pegasus spyware.

Arguments by the government

The Union government who was a respondent in the case argued that the issue involved national interest and security and due to this it would be difficult for the government to put the details in a public affidavit and make it a matter of public debate. The court termed this argument as a method by the government to beat around the bush and not take a firm stand on the issue. The government also pleaded before the court to allow to appoint an expert committee to investigate the allegations and it would divulge the details to that committee of experts. The government’s request was denied and the committee was formed by the court itself.

The Judgement

The Supreme Court of India ordered a probe into this matter by an independent committee. The Court declined the plea of Respondent-Union of India for allowing to appoint an expert committee for the investigation of the allegations and commented that allowing such request would violate the judicial principle of against bias and also said that “justice must not only be done but also be seen to be done.” The court itself took the responsibility and shortlisted and chose the most renowned experts available to form the committee. The apex court formed a committee comprising of three technical members which would be supervised by retired Justice RV Raveendran. The committee was assigned with the task:

A. To enquire, investigate and determine:

i. Whether the Pegasus suite of spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversations, intercept information, and/or for any other purposes not explicitly stated herein?

ii. The details of the victims and/or persons affected by such a spyware attack.

iii. What steps/actions have been taken by the Respondent Union of India after reports were published in the year 2019 about the hacking of WhatsApp accounts of Indian citizens, using the Pegasus suite of spyware.

iv. Whether any Pegasus suite of spyware was acquired by the Respondent Union of India, or any State Government, or any central or state agency for use against the citizens of India?

v. If any governmental agency has used the Pegasus suite of spyware on the citizens of this country, under what law, rule, guideline, protocol or lawful procedure was such deployment made?

vi. If any domestic entity/person has used the spyware on the citizens of this country, then is such a use authorised?

vii. Any other matter or aspect which may be connected, ancillary or incidental to the above terms of reference, which the Committee may deem fit and proper to investigate.

B. To make recommendations:

i. Regarding enactment or amendment to existing law and procedures surrounding surveillance and for securing the improved right to privacy.

ii. Regarding enhancing and improving the cyber security of the nation and its assets.

iii. To ensure prevention of invasion of citizens’ right to privacy, otherwise than in accordance with law, by State and/or non-State entities through such spyware.

iv. Regarding the establishment of a mechanism for citizens to raise grievances on suspicion of illegal surveillance of their devices.

v. Regarding the setting up of a well-equipped independent premier agency to investigate cyber security vulnerabilities, for threat assessment relating to cyberattacks, and to investigate instances of cyberattacks in the country.

vi. Regarding any adhoc arrangement that may be made by this Court as an interim measure for the protection of citizen’s rights, pending filling up of lacunae by the Parliament.

vii. On any other ancillary matter that the Committee may deem fit and proper.

The Committee was also free to adopt adequate procedures and investigations. The Union Government, State Governments, and all other authorities were directed to cooperate with the committee and provide them with all the necessary support and infrastructure. The Court directed the committee to submit its report expeditiously and list the matter after 8 weeks.

The Compelling Circumstances before the Court

The Supreme Court while ruling on this case agreed that “it is a settled position of law that in matters pertaining to national security, the scope of judicial review is limited”, but the bench said that “this does not mean that the State gets a free pass every time the spectre of ‘national security is raised. National security cannot be the bugbear that the judiciary shies away from, by virtue of its mere mentioning. Although this Court should be circumspect in encroaching upon the domain of national security, no omnibus prohibition can be called for against judicial review… The mere invocation of national security by the State does not render the Court a mute spectator”. The Court was compelled to order a probe into the allegations as the government denied information for reasons pertaining to national security. The Court also listed the other compelling circumstances it faced before passing such order:

i. Right to privacy and freedom of speech are alleged to be impacted, which needs to be examined.

ii. The entire citizenry is affected by such allegations due to the potential chilling effect.

iii. No clear stand taken by the Respondent Union of India regarding actions taken by it.

iv. Seriousness accorded to the allegations by foreign countries and involvement of foreign parties.

v. Possibility that some foreign authority, agency, or private entity is involved in placing citizens of this country under surveillance.

vi. Allegations that the Union or State Governments are party 37 to the rights’ deprivations of the citizens.

vii. Limitation under writ jurisdiction to delve into factual aspects. For instance, even the question of usage of the technology on citizens, which is the jurisdictional fact, is disputed and requires further factual examination.

The Investigation Committee and its members

The Court denied accepting the request of the Respondent Union government for allowing to appoint an expert committee for investigating the allegations and said that the committee formed by the Union government would lack trust as it cannot be believed to be bias-free. So, the Court took the initiative and formed an expert committee by independently collecting the information. The Court termed it a difficult task and also said that “in this world of conflicts, it was an extremely uphill task to find and select experts who are free from prejudices, are independent and competent”. Most renowned experts were shortlisted to be part of the committee. The Apex Court formed the Committee under retired Supreme Court Judge Justice R.V. Raveendran. The Committee consists of three technical members. Retired Justice R.V. Raveendran will be assisted by former IPS officer Mr. Alok Joshi (1976 batch) and Dr. Sundeep Oberoi (Chairman of International Organisation of Standardisation/International Electro-Technical Commission/Joint Technical Committee). Both of these members have vast experience in the field of cyber-security and technology. Further, the three-member technical committee comprises of Dr. Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensic Sciences University, Gandhinagar, Gujarat; Dr. Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala; Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra. This committee has been given task to investigate all the allegations related to the Pegasus spyware attack and make appropriate recommendations for improving cyber-security in the country within 8 weeks.

Protection against these cyber attacks

When we talk about staying safe from cyber-attacks the best way is to keep a check on the unnecessary apps and usage of the phone. But this is not the case with Pegasus spyware, it is not like other spyware which can be avoided by taking care of the software. Pegasus is in a way different from similar spyware as it attacks the operating system of the device and the spyware resides in the hardware so it is next to impossible to completely remove the spyware from the device. The user cannot detect the presence of this spyware and even in case it is detected after a lab analysis there’s no way to stop the attack. Even if the user switches to archaic mobile phones with limited apps and just call functions still the risk of an attack cannot be avoided completely. At an individual level, one way is to secure oneself from Pegasus is to keep the OS and mobile apps updated. But still, we need to stop using irrelevant apps, insecure links, accessing spam calls and messages, and start using trustworthy and verified sources. We must keep on updating the apps and the operating system and conduct timely checks for any bug or malware. Another costly method is to change the devices now and then but that’s quite impossible for a common man. But, when your device faces an attack, discarding all the apps and deleting all the details, and then discarding the device and changing another device prevents other future attacks.

The government should also focus on establishing some cyber security departments in every state which should comprise experts from this field. Special training sessions can also be held by the government and the authorities to make the common citizens aware of such attacks and explain to them all preventive measures. Moreover, the government officials and the police officers should also be trained in this regard to prevent any leak of sensitive data from the government.

How to report cyber-attacks?

If you are a victim of a cyber-attack or if someone you know has faced such attack then the very step to report such attacks is to reach your nearest police station and file an FIR. You may also call the National police helpline number 100 to report the cyber-crime. The Police Headquarters in every District have special cyber cells that work on these types of cases and one can easily approach them for filing their complaint. One may also file a complaint at the National Cyber Crime Reporting Portal cybercrime.gov.in or call 155260. This portal is an initiative of the Government of India to facilitate victims/complainants to report cyber-crime complaints online. These crimes can be reported on this portal anonymously and the identity of the victim is never revealed. The victim needs to submit only the details of the case for the authorities to take necessary actions. You need to provide key information such as your name, phone number, email address, details of the incident/complaint and necessary information supporting the complaint, etc. You will further need to register yourself using your mobile number. You will then receive a One Time Password (OTP) that will be used to verify your phone number. The OTP is valid for 30 minutes. Once you successfully register your mobile number on the portal, you will be able to report the complaint. After successfully registering your complaint, you will be able to track the status of your case on this portal.

Conclusion

In the era of digitalisation, where we aspire to make every household digitally sound, we must not forget that we also need to make our population digitally aware. Being smart should never mean compromising on being secure. With all the advancements in technology we have got some responsibilities and we must fulfill them. We are required to take much more care as with the increase in connectivity in our personal life , privacy is at much risk now and any mishap can turn to be a disaster for our whole life. We need to follow all the preventive measures while using our mobile phones and other gadgets to safeguard ourselves and all around us from these cyber-attacks. If in any case, we fall prey to these attacks we must not hesitate to report such crimes to prevent others. Being informed about the latest technological developments, and other software updates also helps to a great extent. It is solely up to us to prevent our personal lives from getting exposed publicly. Diligent use of these electronic devices always ensures such protection Lastly, we must not forget the dialogue “With great power comes great responsibility” by the children’s favourite super-hero character Spider-Man (from the comic book Spider-Man by Stan Lee) as it holds much more relevance in today’s world than ever.

This article is authored by Pranshu Shandilya, student at Institute of Law, Nirma University, Ahmedabad.

References

What is Pegasus spyware?

Pegasus is spyware developed by the Israeli cyberarms firm NSO Group that can be covertly installed on mobile phones (and other devices) running mostversions of iOS and Android. The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device’s microphone and camera, and harvesting information from apps. The spyware is named after Pegasus, the winged horse of Greek mythology. It is a Trojan horse computer virus that can be sent “flying through the air” to infect cell phones.

Is Pegasus more powerful than other spying software?

Yes, Pegasus can be used to hack both IOS and Android mobiles. It can also track more data as compared to other software.

What is Pegasus Software Scandal?

Pegasus Software has been expressly developed and its use is permitted for tracking criminals but in the recent times it has been claimed that the BJP government has been using this software to track the other government party members, journalists and others and spy on them.

How is the software a breach of fundamental right?

The Supreme Court has expanded Article 21 to include the Right to privacy as a fundamental right. The software collects the private details of the phone user The Supreme Court took cognizance of the matter and further formed a committee to investigate the scandal and if the privacy has been infringed.