Manas Dasgupta
NEW DELHI, July 19: Opening day of the monsoon session of Parliament on Monday witnessed turmoil in both the Houses over the alleged spyware issue with the government vehemently denying any illegal surveillance of the journalists, politicians and activists.
Information Technology minister Ashwini Vaishnaw told the Lok Sabha that no illegal surveillance was possible in India, given its laws and robust technological framework. He alleged that the news of a software Pegasus, developed by an Israeli company NSO for snooping on the adversaries, was being used by the government to illegally tap phones was “an attempt to malign the Indian democracy.”
The story published by The Wire about alleged snooping on activists, journalists, Opposition leaders using Pegasus was raised by several political leaders. The Congress demanded an independent investigation.
As per the report, the telephone numbers of some 40 Indian journalists figure in a “leaked list of potential targets for surveillance” and forensic tests were said to have “confirmed that some of them were successfully snooped upon by an unidentified agency using Pegasus software, the news website reported on Sunday night.
Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware, The Wire, which conducted the investigation along with international partners, claimed.
The leaked telephone numbers included correspondents and writers from the Hindustan Times, The Hindu, India Today, Indian Express and Network18. Vijaita Singh, who works for The Hindu’s national bureau, also figures in the list, which includes journalists like Shishir Gupta, Siddharth Vardarajan, M.K. Venu, Sushant Singh, Rohini Singh, Muzamil Jaleel, Ritika Chopra and Swati Chaturvedi.
Seventeen international media groups, including The Guardian and The Washington Post, led the investigation into how Pegasus was used to allegedly extract messages and information from the phones of journalists, politicians and activists.
Responding suo motu to allegations that the Indian government could be using Pegasus spyware, Vaishnaw called the story “sensational” and seeming to be “an attempt to malign Indian democracy and its well established institutions.” Vaishnaw also said the reports appearing a day before the Monsoon session of parliament cannot be a coincidence.
Amid a loud day in the Lok Sabha, with opposition leaders shouting slogans, Vaishnaw said, “I rise to make a statement on reported use of spyware Pegasus to compromise phone data of some persons. A highly sensational story was published by a web portal yesterday night. Many over the top allegations have been made around this story. The press reports have appeared a day before the Monsoon session of parliament. This cannot be a coincidence.” The reports are part of a global collaborative investigative project, anchored in India by The Wire, a digital news platform.
Vaishnaw said in the past too, similar claims were made regarding the use of Pegasus. “Those reports had no factual basis and were categorically denied by all parties including in the Supreme Court. Press reports of 18 July 2021 also seem to be an attempt to malign the Indian democracy and its well established institutions,” he said.
The basis of this report is that there is a consortium which has got access to a leaked data base of some 50,000 phone numbers. The allegation is that individuals linked to these phone numbers were being spied upon. However the report says that the presence of phone numbers in the data does not reveal whether a device was infected by Pegasus or subject to an attempted hack. Without subjecting the phone to this technical analysis, it is not possible to conclusively state whether it is an attempted hack or was successfully compromised. The report itself clarifies that the presence of a number in the list does not amount to snooping,” he said.
In his address to the house on the issue, Vaishnaw also quoted from the NSO’s defence on the issue, denying the allegations. “I highlight, sir, that NSO has also said the list of countries shown using Pegasus is incorrect. Many countries mentioned are not even our clients. It also said that most of its clients are western countries. It is evident that NSO has also clearly rubbished the claims in the report,” he said.
Vaishnaw said that India had established protocols when it comes to surveillance which were robust and had “stood the test of time.” “India’s established protocols when it comes to surveillance. I am sure my friends in opposition who have been in government for years are very well aware of these protocols. Since they have governed the country they would also be aware that any form of illegal surveillance is not possible with the checks and balances with our laws and robust institutions. In India there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security particularly on the occurrence of any public emergency or in the interest of public safety by agencies at the centre and the state. The requests for these lawful interceptions for electronic communications are made as per the relevant rules as per section 5(2) of the Indian Telegraph Act, 1885 and section 69 of the IT Act, 2000. Each case of interception is approved by the competent authority. These powers are also available to the competent authorities to the state governments,” he said.
Vaishnaw added, “There is a very well established oversight mechanism in the form of a review committee headed by the Union Cabinet secretary. In case of a state government, this committee is headed by the Chief Secretary concerned. The law also provides an adjudication process for those people who are adversely affected by any such incident. The procedure therefore ensures that any interception or monitoring is done as per due process of law.”
Vaishnaw said it “emerges” that there was no “substance behind this sensationalism.” “In conclusion, I humbly submit that the publisher of the report states that it cannot say that if the numbers in the published list were under surveillance. Second, the company whose technology was allegedly used has denied these claims outrightly. And the time tested procedures of our country are well established to ensure that unauthorized surveillance cannot occur. When we look at this issue through the prism of logic, it clearly emerges that there is no substance whatsoever behind this sensationalism,” Vaishnaw said.
One of the worrying aspects of the Pegasus spyware is how it has evolved from its earlier spear-phishing methods using text links or messages to ‘zero-click’ attacks which do not require any action from the phone’s user. This had made what was without a doubt the most powerful spyware out there, more potent and almost impossible to detect or stop.
The Guardian quoted Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab, as saying that once a phone was infiltrated, Pegasus had “more control” over it than the owner. This is because in an iPhone, for instance, the spyware gains “root-level privileges”. After this it can view everything from contact lists to messages and internet browsing history and send the same to the attacker.
A zero-click attack helps spyware gain control over a device without human interaction or human error. So all awareness about how to avoid a phishing attack or which links not to click are pointless if the target is the system itself. Most of these attacks exploit software which receive data even before it can determine whether what is coming in is trustworthy or not, like an email client.
Zero-click attacks are hard to detect given their nature and hence even harder to prevent. Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
One of the things users can do is to ensure all operating systems and software are up to date so that they would have the patches for at least vulnerabilities that have been spotted. Also, it would make sense to not sideload any app and to download only via Google Play or Apple’s App Store.
