New Delhi: On Saturday, the Union government responded to a questionnaire sent by the consortium of journalists that is part of the Pegasus Project. The ministry of electronics and information technology (MeitY), under freshly appointed minister Ashwini Vaishnav, said that the questions posed have already been answered.
“Considering the fact that answers to the queries posed have already been in the public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organisations involved,” the response read.
It pointed to a right to information (RTI) response of the government of India about the use of the Pegasus spyware. That response, according to MeitY, is “sufficient” to deny claims of any “association” between the government of India and Pegasus.
Ironically, the RTI response being referred to is from October 2019, in which the Union Ministry of Home Affairs did not deny purchasing Pegasus spyware or even that it was considering purchasing Pegasus.
Instead, the information officer had said, “In this regard, it is informed that no such information is available with the CPIO [Central Public Information Officer].”
The questions asked by RTI applicant Saurav Das had been direct:
1) Has the government of India purchased NSO Group’s Pegasus?
2) Has there even been a proposal to purchase it?
3) Is the government considering purchasing Pegasus?
Das himself has spoken out against the government response, saying the part that refers to the RTI he filed is untrue. “The RTI response to me neither confirmed nor denied the use of Pegasus,” he said.
Hey! Para 5 of the Govt’s statement is so wrong & misleading. It refers to an RTI application, which I had filed. Govt claims it is “sufficient” to counter d allegations of links bw govt & #Pegasus.
FALSE. The RTI response to me neither confirmed nor denied the use of Pegasus. https://t.co/SxeZDbwrUJ
— Saurav Das (@OfficialSauravD) July 18, 2021
Here’s the reply they gave me and claim “sufficiently counters” all the allegations in today’s expose.
The answering officer simply washes off his hands and plays safe. Pretty sad that this is the standard of defence from the @PIBHomeAffairs @GoI_MeitY pic.twitter.com/p2JDm0Xlr2
— Saurav Das (@OfficialSauravD) July 18, 2021
The government’s note to the Pegasus Project’s media partners also says, “Government agencies have a well established protocol for interception, which includes sanction and supervision from highly ranked officials in Central and state governments, for clear stated reasons only in national interest.”
It states several times that the government has not indulged in any “unauthorised interception”. Experts believe that hacking, which is what the Pegasus spyware does, would very much qualify as “unauthorised interception” or hacking as per the Information Technology Act, 2000. But the letter to the consortium of journalists of the Pegasus Project does not contain an outright denial from the government of India regarding the purchase and use of Pegasus.
At the time the WhatsApp Pegasus hack story broke, the then minister for MeitY, Ravi Shankar Prasad, had also not denied that the Modi government had purchased and used Pegasus. Parliamentarians had also repeatedly asked Prasad if the government had purchased Pegasus. Prasad did not deny or confirm this at the time.
Referring to reports of the 2019 WhatsApp hack, MeitY said in its response that these have been denied by all parties involved, including WhatsApp, in the Supreme Court. The ministry may be referring to a comment made by Kapil Sibal when he represented WhatsApp in court and denied that it was hacked.
However, Sibal was evidently misinformed as WhatsApp is suing NSO in a US court over hacking attempts.
The Pegasus Project has also done due diligence in verifying that some of the numbers that appear in the records show traces of infection by Pegasus. The consortium has been able to establish the existence of infections on several phones that were part of the database. In all, 67 phones that were part of the leaked records were forensically examined by the technology team at Amnesty International. Twenty-three of these showed traces of a successful Pegasus infection, while another 14 displayed signs of attempted infection.
For Indian phone numbers that appear in the records, the Pegasus Project was able to conduct forensic analysis on 22 phones in total. Of these, 13 were iPhones and nine were Androids. As many as seven iPhones showed evidence of successful infection by Pegasus, while in another two there were traces of attempted infection, taking the total of targeted iPhones up to 9.
For the Android phones, there were signs of attempted infection in one via a malicious SMS link. The forensics reports for the other eight were inconclusive, which doesn’t rule out the possibility of infection. But because Androids do not maintain logs of activity the way iPhones do, finding traces of Pegasus activity becomes nearly impossible.
Based on the forensic analysis by Amnesty International, which has been peer reviewed by Citizen Lab, there is no doubt that phones in India have been hacked using Pegasus. NSO has repeatedly said it only sells Pegasus to “vetted governments”.
The full response by the Ministry of Electronics and Information Technology to questions posed by the ‘Pegasus Project’ media consortium:
India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right. In furtherance of this commitment, it has also introduced the Personal Data Protection Bill, 2019 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, to protect the personal data of individuals and to empower users of social media platforms.
The commitment to free speech as a fundamental right is the cornerstone of India’s democratic system. We have always strived to attain an informed citizenry with an emphasis on a culture of open dialogue.
However, the questionnaire sent to the Government of India indicates that the story being crafted is one that is not only bereft of facts but also founded in pre-conceived conclusions. It seems you are trying to play the role of an investigator, prosecutor as well as jury.
Considering the fact that answers to the queries posed have already been in public domain for a long time, it also indicates poorly conducted research and lack of due diligence by the esteemed media organisations involved.
Government of India’s response to a Right to Information application about the use of Pegasus has been prominently reported by media and is in itself sufficient to counter any malicious claims about the alleged association between the Government of India and Pegasus.
India’s Minister of Electronics & IT has also spoken in detail, including in the Parliament, that there has been no unauthorised interception by Government agencies. It is important to note that Government agencies have a well established protocol for interception, which includes sanction and supervision from highly ranked officials in central & state governments, for clear stated reasons only in national interest.
The allegations regarding government surveillance on specific people have no concrete basis or truth associated with them whatsoever.
In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian State. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
This news report, thus, also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.
In India there is a well established procedure through which lawful interception of electronic communication is carried out in order for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interceptions of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology (Amendment) Act, 2000.
Each case of interception, monitoring, and decryption is approved by the competent authority i.e. the Union Home Secretary. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
There is an established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of state governments, such cases are reviewed by a committee headed by the Chief Secretary concerned.
The procedure therefore ensures that any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.