Listen to this article:
The technical committee set up by the Supreme Court to examine allegations about the use of Pegasus spyware in India has reached two conclusions that are hard to reconcile. On the one hand, the panel has found the definite presence of malware on five handsets which it examined. On the other, it says it cannot conclude categorically that this malware is Pegasus. All of this against the suspicious backdrop of the Narendra Modi government’s continuing refusal to confirm or deny its use of the Israeli-made spyware.
Since the committee’s report has not been made public and may likely never be, the reasons for its diffidence in concluding that Pegasus was used are not known. Pegasus’s own specs are not in the public domain: there are no files in a patent office somewhere that can be used as a reference point. Nor will NSO Group – the secretive Israeli company which produces and sells Pegasus – be willing to provide any verifiable metrics. In the absence of official certification, expert organisations like Citizen Lab and Amnesty International’s Security Lab have developed methods to detect the presence of Pegasus based on various forensic elements on an infected device as well as the use of infection vectors and servers that are associated with NSO Group.
Chief Justice N.V. Ramana himself acknowledged this expertise last October when he noted – in his written judgment ordering an inquiry – that the petitioners who had approached the Supreme Court with complaints about Pegasus had “brought on record certain materials that cannot be brushed aside, such as the reports of reputed organizations like Citizen Lab and affidavits of experts” (emphasis added). By contrast, none of the experts in the Supreme Court’s panel had any prior experience of working on Pegasus.
Just as Citizen Lab and Amnesty’s forensic findings are in the public domain, it is essential that the technical committee’s findings also be made public. It is easy enough to redact the report to protect the privacy of the five individuals whose phones were shown to contain malware. If, as is likely, the five already figure in the list of Pegasus infections that The Wire published in 2021, all five would probably favour the report being made public. Either way, any attempt to prevent review of the technical findings by independent experts – including Citizen Lab and Amnesty’s Security Lab – will raise suspicions that the committee’s members are not confident about the robustness of their conclusions. Especially when they say they do not have enough information to conclude definitively that Pegasus was used.
Indeed, what is striking about the technical committee’s report – or rather the broad summary the CJI provided in court – is the tentativeness of its core finding. We need to remind ourselves that the intelligence agencies of France and Belgium, as well as the European Commission and a United Kingdom court have all examined phones which were first reported by the Pegasus Project media consortium as infected – and confirmed those findings. Why India alone should be an outlier is not clear.
Of course, the most significant part of Thursday’s hearing in the Supreme Court was CJI Ramana’s observation that the government refused to cooperate with the work of the committee.
The CJI added that the government was taking the same stand as it had taken before – which was a polite way of saying that such a stand was untenable. In their judgment of October 27, 2021, Justices Ramana, Surya Kant and Hima Kohli had said the invocation of “national security” as a reason for not cooperating with the court was not acceptable. “Such a course of action taken by the Respondent Union of India, especially in proceedings of the present nature which touches upon the fundamental rights of the citizens of the country, cannot be accepted,” they said, adding, “The mere invocation of national security by the State does not render the Court a mute spectator.”
The court must now follow through with the logic of its 2021 judgment. The government, when asked, refused to confirm or deny that it had acquired and used Pegasus. The technical committee found malware in five phones but cannot say if this is or isn’t Pegasus. If the court is interested in getting to the bottom of the matter, there are two simple steps it must take.
First, let Citizen Lab and other reputed organisations like Amnesty peer review the report and methodology used by the court’s technical committee. It is possible that when independent, global expertise – especially of the sort CJI Ramana himself acknowledged – weighs in, a more conclusive finding either way is possible. The global experts might well go further than the committee and say definitively that the malware is not Pegasus. Or they might reiterate what they have already said – based on their examination of those devices or their peer review of the methodology involved. Indeed, Amnesty International provided a detailed explanation of the methods it used in response to queries put to it by the committee. If the committee finds that Amnesty’s methodology is not enough to conclusively detect Pegasus, then this is tantamount to saying Pegasus has not been found anywhere else either – a conclusion that would fly in the face of findings by Western intelligence agencies.
Second, the court has to insist that the government file a definitive affidavit and that this be accompanied by individual affidavits from 10 current and former officials in which they state on oath whether they are aware or unaware of the purchase and use of Pegasus in India. These are Union home minister Amit Shah; national security adviser Ajit Doval; Samant Goel and Anil Dhasmana of the Research and Analysis Wing; Tapan Deka, Arvind Kumar and Rajiv Jain of the Intelligence Bureau; former home secretaries Rajiv Mehrishi and Ajay Kumar Bhalla, as well as P.K. Sinha and Rajiv Gauba, former and current cabinet secretaries, respectively.
All or part of the process of acquiring and deploying Pegasus would have to have been routed through these men. If they have no knowledge of the targeting of individuals named by the Pegasus project and are not involved in the use of spyware against them in any way, they should have no objection to stating this in a legally binding affidavit.
With these simple steps, the Supreme Court can go a long way towards establishing the truth.