Pegasus: Investigations worldwide hold a crucial lesson for India

That our surveillance laws are obsolete and are in need of urgent reform

House of intrigue: An NSO Group office in Israel. The Israeli government has acknowledged that the spyware manufactured by the company may have been misused | AFP

ISRAELI PRIME MINISTER Naftali Bennett has opened a Pandora’s box with his recent decision to hold a nationwide inquiry into the illegal use of the Pegasus spyware by the police. Bennett’s move is significant because this is the first time Israel has officially acknowledged that the spyware—manufactured by the Herzliya-based NSO Group and sold to governments around the world—could have been misused.

In India, a Supreme Court-appointed committee has been examining allegations that Pegasus was used to snoop on 400 citizens. Around the world, more than 50,000 people have reportedly been unlawfully targeted with the help of the spyware.

Calls for speedy justice have been growing in countries where governments have been accused of employing Pegasus. In India, concerns include the size of the potentially vulnerable population and the decades-old surveillance laws that are ineffective in blocking invasive technologies.

Designed to fight terrorism and other serious crimes, Pegasus is not meant for use against citizens, which is why countries such as the US, France and Hungary have launched investigations into the spyware’s alleged misuse. On February 2, the Federal Bureau of Investigation in the US confirmed that it had bought a “limited licence” to access Pegasus so that it could analyse the security concerns in the event of the spyware falling into the wrong hands. That the FBI’s worries were not misplaced became clear on February 7, when Omer Barlev, Israel’s minister for public security, announced the setting up of a commission of inquiry to probe allegations that the police unlawfully used Pegasus to hack into the smartphones of dozens of prominent activists and politicians, including former prime minister Benjamin Netanyahu’s son.

“In the past few days, there has been a lot of uproar across the entire political spectrum,” Nadav Eyal, a senior columnist at the national daily Yedioth Ahronoth, told THE WEEK. “The government has ordered a probe by a national state commission, which is the highest level of investigation in our democracy. I expect the matter will be investigated thoroughly.”

Bennett’s call for action has not only sparked a domestic furore but also put law enforcement agencies across the world in the dock. The Israeli police have denied all charges, but a series of exposés by the newspaper Calcalist, explaining how Pegasus was used without warrants to break into smartphones, has widened the canvas of allegations and investigations around the world. The Indian government, for its part, has said that it had no knowledge of any purchase of Pegasus by any of its agencies. But the Supreme Court-appointed independent expert committee under retired judge R.V. Raveendran has not ruled out the possibility of the spyware’s misuse.

Anand Venkatanarayanan—strategic adviser at the Delhi-based think tank DeepStrat, who deposed before the expert committee—said he found infections in four of seven devices inspected. “So far I have analysed seven phones—two droids and five iPhones—and found four infections,” he told THE WEEK. Anand used the analogy of a murder investigation where there is irrefutable evidence that the crime has happened. “Since we are doing forensics on a dead phone, we cannot observe what really happened, or who put the toxin in the body. So we can only do deduction based on ancillary sources,” he said.

According to Anand, Pegasus is hardly a magical entity that is elusive. “It has six-plus years of malware analysis history prepared by several organisations, including Apple, Google, Citizen Labs and Amnesty Tech,” he said. Anand’s deposition, along with statements of at least six individuals before the committee, has spelt out an urgent need to update India’s surveillance and cyber laws. Assisted by members such as former Research and Analysis Wing chief Alok Joshi and cybersecurity expert Sundeep Oberoi, the expert panel is revisiting the laws to plug loopholes. In India, surveillance is governed by two laws—the Telegraph Act and the Information Technology Act. Under both the laws, committees headed by home secretaries at the Centre and in the states are mandated to clear surveillance requests from security and intelligence agencies on a case-to-case basis—that, too, for a limited period.

Former home secretary G.K. Pillai said that the laws do not stipulate that the government disclose to Parliament or the public details about the technology used for lawful surveillance. But, according to him, any misuse can be traced if the government is serious about investigating it. “If the expert panel finds traces of spyware on targeted devices, it can go back and check records to see whether clearance was given for lawful interception to any agency,” said Pillai.

If permissions were neither sought nor granted, it needs to be treated as a criminal case. “In such a case, the government can order a CBI probe,” said Pillai.

There have been many cases of illicit use of malware in the recent past. “The hacking of the nuclear plant in Kudankulam involved a malware,” said Saikat Datta, founding partner at DeepStrat. “But Pegasus is like a tsunami entering a weak house, bringing malware into personal devices, compromising everything from voice and email to financial transactions and personal photos, which is prima facie illegal under our current surveillance laws.”

If the spyware’s illegal use is established, said Anand, the expert committee’s investigation may widen to include the possible culpability of internet service providers. The IT Act forbids service providers from allowing their infrastructure to be used for hacking. “So far, we have not found any indication that network injection was used to serve malware, but it is evident that the infrastructure of internet service providers and telcos was used in the Pegasus setup and installation,” he said.

The biggest task before the expert panel would be to probe NSO Group’s role in setting up a local system integrator—an entity that specialises in fusing component systems together and ensuring that they function together—to launch the spyware infrastructure. “Typically, intelligence agencies don’t have in-house expertise and bank upon a system integrator to take care of these aspects,” said Anand. “Hence, the role of a local system integrator cannot be ruled out.” NSO Group alone is not the problem, though. There are several other companies selling similar invasive technologies that need to be regulated. “The US and some other countries have tools they develop themselves,” said Eyal. “The fact that they are very efficient makes it equally frightening.”