Greek mythology tells us Pegasus, the winged horse, emerged from the blood of the torso of Medusa, beheaded by Perseus. The hero Bellerophon eventually rode Pegasus in his exploits in slaying a number of monsters like the Chimera. Bellerophon fell off the horse when he tried to ride Pegasus up to Mount Olympus to join the Gods. Our Pegasus is no hero but a slayer of democracy, and the right to dissent. Forbidden Stories, a non-profit NGO tracks the story. Shalev Hulio and Omri Lavie together started a company, MediaAnd, which folded in the 2008 recession. With the Apple iPhone, rapid expansion of the applications of the handset, and the development of encryption, the company got a new lease of life; with surveillance and information gathering. Niv Carmi, a former Mossad agent, joined them; NSO (Niv, Shalev, Omri) was born, and Pegasus emerged. Originally intended to tackle drug trafficking and crime, their first client in 2017, the Mexican government, used it as a spyware tool against political opponents. NSO evolved as a leader in the spy-tech industry.
In India, we have a 28.22% risk of encountering PC malware in the form of malicious links in emails and SMSs, relying on the victim to click on the link or message, permitting access to the phone by malware. Pegasus achieves this merely with a missed call or WhatsApp message which does not require any action by the victim. Hence the description “zero click” infections. Forbidden Stories, Amnesty International, Washington Post, and 16 other global media partners accessed and published reports from leaked data, of 50,000 names; journalists, opposition members, activists’ and even people holding high office, across 50 countries (Macron and 14 heads of State included) whose phones were targeted for surveillance.
Hundreds of Indian phone numbers appeared on a target list, including Rahul Gandhi, election official Ashok Lavasa, and M. Hari Menon, the local head of the Gates Foundation. Journalists, activists, opposition politicians, senior officials, business executives, public health experts, Tibetan exiles and foreign diplomats were also listed. The use of the spyware appears to have gone well beyond NSO’s stated objectives of combating terrorism and crime. Forensic analyses performed on 22 Indian smartphones, from the list, showed that 10 were targeted with Pegasus, seven of them successfully. Five of the phones infiltrated in India belonged to journalists and one to a high-profile opposition political adviser. This is believed to represent the tip of the iceberg, raising concerns about the erosion of civil liberties. Amnesty used its’ International Mobile Verification Toolkit to confirm that Pegasus was active on Sushant Singh’s phone, a journalist who reported extensively on the controversial French fighter jets deal.
This spyware is a disturbing invasion of privacy, reminiscent of an Orwellian nightmare. It can capture keystrokes, intercept communications, track the device using GPS, control both front and back cameras and microphones, use environmental sound recording, meeting alerts, call alerts from specific numbers, and content alerts (when specific words are used). The program has a self-destruct feature that is activated when there is a risk of exposure, or when the phone enters the USA. It is designed not to infect any phone operating in the US. A limited defence is possible, according to security experts. Links and messages only from known and trusted contacts, should be opened. The device must be updated with any relevant patches and upgrades. Avoid responding to notifications for new versions; checking instead with the manufacturer’s notifications directly. Use pin, finger or face locking to secure the device, limiting access. Avoid public and free Wi-Fi services (including hotels), or use VPN when accessing sensitive information on such networks. The US NSA recommends a simple security measure of regularly turning the phone off and on again, and rebooting at least once a week.
The Indian Data Protection Act is yet to see the light of day despite the SC declaring privacy to be a fundamental right. Privacy, as Pratap Bhanu Mehta puts it, is “not about a wish to hide, but about having a space of one’s own, where our thoughts are not the instruments of someone else’s purposes”. In response to the national uproar, the governments stock reply has been that there was no “unauthorised” surveillance. So, was there “authorised” surveillance? If so, how much did the Pegasus program cost? If not, who conducted the surveillance? Our PM visited Israel in 2017; that year, National Security Council Secretariat overshot its budget from Rs 33 crores to Rs 81 crores. In 2018 the expenditure skyrocketed to Rs 333 crores. Makes sense when you consider that the Pegasus program costs $65,000.00 for accessing a single mobile phone. I doubt any private enterprise has the financial muscle to engage in such an adventure.
Amid Opposition’s demand for a judicial probe, a Parliamentary Standing Committee, headed by Shashi Tharoor, attempted to examine the matter. Officials of the Union Home Ministry were summoned on July 28 for their views; they responded with a contemptuous, synchronised boycott. The Opposition is demanding a discussion on “the manner in which they have desecrated the fabric of the country’s democracy”. Multiple petitions have been filed in the SC seeking an SIT probe on the grounds that the targeted hacking of phones is an act of cyber terrorism and “seriously compromises” the effective exercise of the fundamental right to free speech under Article 19(1)(a); a criminal offence under Section 66 (computer related offences), 66B (punishment for dishonestly receiving stolen computer resource or communication device), 66E (punishment for violation of privacy) and 66F (punishment for cyberterrorism) of the IT Act.
Bellerophon fell off Pegasus attempting to scale Mount Olympus. Let us hope this web of deceit not only gets unsaddled but trampled to extinction.
(The writer is a founder member of VHAG)