Is the Modi government really spying on journalists and opposition leaders through Pegasus?

300 high-profile Indians out of a list of 50,000 people worldwide have been subjected to targeted hacking and tapping of their phones using the ‘Pegasus spyware’. On the target list was Congress’ Rahul Gandhi, Political analyst Prashant Kishore, Mamata Banerjee’s nephew Abhishek Banerjee, former Election Commissioner Ashok Lavasa (that ruled that PM Modi had violated the MCC during the 2019 election commission). Also, there were 40 Journalists from various Media houses including Rohini Singh, Swati Chaturvedi (that criticize the ruling govt), Supreme Court Judge, and opposition leaders.

The French media Forbidden stories and Amnesty International shared the leaked list with ‘The Wire’ in India and 15 other news organizations across the world including The Guardian, The Washington Post, Le Monde, Suddeutsche Zeitung as part of the Pegasus project.

But what really is Pegasus? How does it operate? Who uses the software? And why has it earned the reputation of being behind the most sophisticated spyware attacks? According to The Citizen Lab, in this way, Pegasus can be used to gather a vast amount of victim information: “Passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.” According to this report, “Pegasus could even listen to encrypted audio streams and read encrypted messages”. NSO does not openly name who buys its software. But its website does say that its products are used and bought exclusively “by government intelligence and law enforcement agencies to fight crime and terror”. 

“Pegasus is modular malware. After scanning the target’s device, it installs the necessary modules to read the user’s messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on, and so forth. Basically, it can spy on every aspect of the target’s life,” cybersecurity company Kaspersky noted. Pegasus infections can also be achieved via so-called “zero-click” attacks that do not require any interaction from the phone’s owner. It means that your phone could still be hacked even if you’re careful not to click on those malicious links. Most of these attacks exploit vulnerabilities in an operating system that the phone’s manufacturer may not yet know about and so has not been able to fix. An example of such an attack was revealed by WhatsApp in May 2019 when the spyware targeted a vulnerability in its VoIP stack. Simply by placing a WhatsApp call to a target device, Pegasus could be installed on the phone, irrespective of whether the target answered the call or not.

In November 2019, Lok Sabha MP from the DMK, Dayanidhi Maran, asked on the floor of the House if the government taps WhatsApp calls and messages and whether the government uses Pegasus for this purpose. A written response provided by then Minister of State for Home Affairs, Kishan Reddy, did not directly address queries about tapping or Pegasus. “Section 69 of the Information Technology Act, 2000 empowers the Central Government or a State Government to intercept, monitor or decrypt…any information generated…or stored in any computer resource,” the response said, adding that it was for reasons including sovereignty and security of the country. “Section 5 of the Indian Telegraph Act, 1885 empowers lawful interception of messages on the occurrence of public emergency or in the interest of public safety,” the response added.

The response also listed the 10 agencies that can intercept messages under the law and a Standard Operating Procedure (SOP). Such agencies allowed to intercept messages include the Intelligence Bureau, Enforcement Directorate, Cabinet Secretariat (RAW), and Commissioner of Police, Delhi.

The Government of India responded that they are not spying on anyone illegally and they have got nothing to do with Pegasus. The response further said that “there is no blanket permission to any agency for interception or monitoring or decryption and that permission from competent authority is required, as per the due process of law and rules, in each case”. While, on the other hand, NSO claims that only governments can buy its software, private parties cannot buy the software.

This clearly points finger towards the Government and the names of those under surveillance have a definite pattern that threatens power.

Categories: News, News Update