Years after First Alerts, Pegasus Pushback Begins
Can legal and technical barriers safeguard our privacy?
“The entire Opposition is united. 1. Have a discussion on Pegasus snooping issue in presence of the Prime Minister or Home Minister. 2. Announce a Supreme Court-monitored inquiry into the scandal,” tweeted Congress whip in the Rajya Sabha Jairam Ramesh on Tuesday.
Earlier that day West Bengal CM Mamata Banerjee met PM Narendra Modi at his residence, telling reporters after that she supported a judicial probe into allegations that Indian government agencies are using Israeli malware to hijack citizens’ phones.
On Monday journalists Narasimhan Ram and Shashi Kumar moved the Supreme Court to investigate. “It has an obvious chilling effect on expression by threatening invasion into the most core and private aspects of a person’s life,” their petition reportedly says.
It asks the government to come clean on whether it purchased the malware from the NSO Group and used it against Indians. “It seems that the legal regime for surveillance under Section 5(2) of the Indian Telegraph Act, 1885, was completely bypassed in the matter.”
A petition filed last week by Rajya Sabha MP John Brittas of the CPI-M is also with the court. “If snooping is done by some foreign agency, it is an act of external aggression, which also needs to be dealt with in a serious manner,” it reportedly says.
Commentators have also alleged violations of the Information Technology Act.
Advocate and digital rights expert Vrinda Bhandari said in an interview that “Pegasus is really is about taking control of your phone. Section 69 of the IT Act, in my reading, does not permit this kind of privacy invasion.. It infects the device and hijacks its basic functioning.. That is very different from what is legally permissible”.
Governments around the world are facing tough questions in the wake of Pegasus. Ministers in Hungary, Morocco and Rwanda have categorically denied the allegations, questioning the motives behind the leak, or whatabouting the NATO intelligence agencies.
French president Emmanuel Macron, whose name figures in the alleged list of targets, called for the allegations to be probed. After complaints by French and Moroccan journalists the public prosecutor in Paris will investigate charges including “violation of privacy, illegal use of data and illegally selling spyware.”
The Israeli government has launched an investigation by its own ministers into possible misuse of the hacking tool, for which it repeatedly granted export licences to the NSO Group.
In an interview with The Citizen Karnika Seth, an expert in data privacy law, said that “in the EU a citizen can approach courts to seek redressal, including compensation and imposition of punishment and penalty,” in cases of data misuse or theft.
There is also a supervisory authority, the European Data Protection Supervisor, specifically to investigate such cases.
“The EDPS office can be approached in case of violations or personal data breach when the data was processed by EU institutions,” said Seth.
In India, after the recent round of allegations former Supreme Court judge B.N Srikrishna told the press that as privacy is a fundamental right guaranteed by Article 21 of the Constitution, people could approach the courts for constitutional redress, even without a data protection law.
The draft Personal Data Protection Bill that emerged from the Srikrishna Committee’s report has been under parliamentary review for over two years. The bill would permit the Union government to exempt any of its agencies from its purview.
“Most of the surveillance that is done in this country is without the warrant of law.. Parliament has to by law prescribe how to deal with it,” Srikrishna said when the report was published.
There is also a growing need to understand the technical barriers that can be placed to tackle such spyware attacks in future.
Sandeep Shukla, professor of computer science at IIT Kanpur and joint director of its cybersecurity centre, told The Citizen that “companies like NSO and Candiru in Israel, The Edge group in UAE, Gamma Group, Darkmatter etc, with deep pockets, also do their own R&D for finding zero-day vulnerabilities, and weaponise and sell them.”
He explained that a zero-day vulnerability is one discovered by unethical hackers who do not disclose it to the software creators and give them time to fix it before making it public. Instead these “black hat hackers” sell details of the vulnerability to the highest bidders, which are often companies like NSO or government intelligence operators.
Details of similar vulnerabilities or backdoors that have been built into online encryption processes and hardware including smartphones by the US National Security Agency working in collusion with private businesses were leaked by intelligence analyst Edward Snowden in 2013.
Snowden emphasised in a recent interview that we only have the NSO Group’s word that it is selling to governments alone.
“What the Pegasus Project has revealed is a sector where their only product are infection vectors. They’re not security products, they’re not providing any kind of protection.”
“I think saying that they only sell this to government doesn’t make that better, when you look at who the targets are that have just been revealed.”
“What we see now are people creating an industry to hack those phones, and go beyond the level of spying that already previously we knew existed. And now they’re actually taking control of that phone, fully, and turning it against the people who bought and paid for it, but no longer truly own it,” he said.
“That is a knowing, intentional, wilful attack on critical infrastructure that every one of us rely on.”
Not only can such software easily infect our devices, it is also very hard to trace.
The US-based NGO Amnesty International has released tools it says can trace such infections, including an app called iVerify and a Telegram bot, which could in theory tell if your device had been attacked.
Sandeep Shukla told The Citizen that while he hadn’t been able to check the specific Amnesty tools, and tools are a good start, no tool can guarantee detection of all possible ways to infiltrate a device.
“The modus operandi of different malware and delivery mechanisms is different. Some may not even need to open a backdoor immediately, and do it at the opportune moment.”
As our dependence on cyber technologies grows, without effective oversight companies could start selling such spyware tech for profit at ever lower prices.
And if criminalisation pushes such activities underground there is still the dark web, where interested people with the right resources could procure the technology.
Making prevention difficult, such malware is designed to find and exploit just one single vulnerability.
“The antivirus companies will try to adapt - and will try to also monitor network traffic originating and terminating at your device - and will use artificial intelligence or machine learning (AI/ML) to get indications of compromise. So expect some changes,” said Shukla.
“That will raise the bar somewhat for the attackers, but it will not go away.”
“Pegasus itself could be used on all who have the right version of iOS or WhatsApp, depending on which vector is used.
“It was not used on all, because monitoring millions of people’s data on the console of the command center would be difficult. But with AI/ML, even that may be possible.”