New Delhi: In hindsight, it was only fitting that a story about surveillance and spyware in India should have begun with more than a touch of cloak and dagger.
Sometime in the middle of March, Sandhya Ravishankar, a reporter who had done a series of stories for The Wire on the sand mining mafia in Tamil Nadu, and who I knew and trusted, called me with a single question: “Do you have an iPhone?”
When I said yes, she said she wanted to fly up from Chennai right away to meet me and my fellow founding editor at The Wire, M.K. Venu. She said she couldn’t say anything about the purpose of the meeting but I guessed from her reticence that it was about something important.
On the appointed day, she came home and promptly asked that we switch off our telephones and place them in another room. Then, via a secure video link, she connected me to Sandrine Rigaud and Phineas Rueckert, two editors from the French media non-profit, Forbidden Stories, who explained that based on records they had accessed, they had good reason to believe our smartphones might be infected with the deadly spyware, Pegasus.
As journalists in the government’s cross-hairs, we had assumed our phones were tapped and were exercising the usual precautions: using WhatsApp, Signal or Facetime instead of the cellular network whenever we were working on sensitive stories. So, the thought that our instruments themselves had been hacked into and compromised was alarming. It was flattering to know someone out there was taking such an unhealthy interest in our work. But we hoped this was just a false alarm.
This is because Pegasus is truly deadly. Developed and sold by the Israeli spyware firm NSO Group, it allows the government agency which deploys it to effectively take remote control of a smartphone and all its contents and functions. All messages, even encrypted ones, become visible. And the microphone and camera can be remotely activated to record and relay private conversations and meetings.
Sandrine asked if we would agree to have our phones forensically examined, which we did after first understanding what the process would involve. My current iPhone turned out clean but the test showed that the instrument I had used till March 2020 was infected. Venu’s test was initially inconclusive but a second test confirmed the presence of Pegasus, including signs of very recent intrusions.
The information Forbidden Stories had seen, said Sandrine, indicated that many more Indian numbers might have been compromised and she asked whether The Wire would be interested in joining hands to work on an international collaborative investigation into the use of spyware against journalists and others in different countries.
She mentioned that they were in touch with a few other media platforms in France, the US and Britain. I don’t recall if any names were shared that day but we knew the work of Forbidden Stories, founded by the award-winning documentary maker Laurent Richard, and readily agreed.
Sandrine and Phineas guided me on how I could set up a secure form of communication, which I did. Forbidden Stories’ media partners have all agreed not to reveal anything about the communication side of our collaboration – why make it easier for anybody to spy on us? – but all I can say is that the methods we followed worked excellently.
A meeting in Paris amidst the COVID-19 second wave
That this extraordinary collaboration between Forbidden Stories, Amnesty International and 16 media organisations – stretching from the US and Mexico in the west to France, Britain, Germany and Hungary, and then Lebanon, Israel and India in the east – took place in the midst of a global pandemic makes it all the more remarkable.
A meeting of journalists from all the media partners was planned in Paris for April and later postponed to May. The Wire’s business and tech editor, Anuj Srivas, was meant to travel to France for this but could not because he got COVID-19. And then there was the French ban on visitors from ‘red zone’ countries, which meant no one else from India could go either. However, The Wire‘s Kabir Agarwal, who is currently based in Europe, was there to represent us, while I was able to join remotely, in a secure fashion, for some of the discussions. That is where we learned about the nature of the leaked database and the ambitious, even daunting, scope of the project.
The media consortium – which comprised Le Monde, The Guardian, Aristegui Noticias, The Washington Post, Die Zeit, Suddeutsche Zeitung, Knack, RadioFrance, Proceso, Le Soir, Haaretz, OCCRP, Daraj, The Wire and Direkt, besides Forbidden Stories – had many seasoned journalists who had been covering NSO Group and tracking the use of Pegasus around the world for years.
But the task facing us as reporters was this: identify as many of the 50,000 numbers on the database as we could, and then investigate the ‘why’ and ‘whodunit’ part of the story. And do this against a ticking clock, since every inch of progress made would increase the risk of a leak.
Forbidden Stories’ own team had made a decent head start in identifying some of the journalists and others on the list. That is how they reached out to The Wire. But there was a lot of work to do and the deadline we collectively set at the May meeting was tight.
India’s home minister, Amit Shah, would later claim that the Pegasus Project chose July 18 as the day to begin publishing stories because the aim was to disrupt both the opening day of the monsoon session of parliament and the Modi government’s great plans to make India a developed country. He called us “disruptors and obstructers”. This claim is laughable, given that the government decided to pick July 19 as the opening of the monsoon session only at the end of June. In any case, the leaked database pertains not just to India but to France, Morocco, Mexico, the UAE and the idea that the Pegasus Project was aimed solely at Modi is clearly preposterous.
Searching for needles in the haystack
The Wire assembled a small team and, in tandem with Forbidden Stories and our other media partners, started slowly populating the database with names.
As we identified the names and faces linked to these India numbers, it became clear that a lot of reporting would be required to validate and tell the story. This is when we roped in our diplomatic editor, Devirupa Mitra, whose name was also on the leaked database as a probable Pegasus target, as well as deputy editor Sukanya Shantha, who had extensively reported on the Elgar Parishad activists, national affairs editor Sangeeta Barooah Pisharoty, whose knowledge of northeast India is formidable, and political editor Ajoy Ashirwad Mahaprashasta. For some of the reporting, for example, in Jammu and Kashmir, we roped in trusted stringers like Jehangir Ali.
We were also fortunate enough, in the ‘India arm’ of the project, to be able to draw on Joanna Slater, who was the Washington Post’s bureau chief in Delhi, and her colleague Niha Masih, besides Michael Safi of the Guardian and Julien Bouissou of Le Monde, who had both been posted in India earlier and were able to work crucial elements of the investigation. Together with Rueckert at Forbidden Stories, who helped coordinate the effort, this team made quick progress.
Collectively, we approached the list using a variety of means.
TrueCaller and CallApp sometimes provided vital clues but could also mislead. Internet searches and WhatsApp user profiles provided further breadcrumbs. Our own phone directories, and the directories of other ‘well networked’ individuals, proved to be valuable sources. A lot of good old-fashioned reporting was also involved in filling the blanks and cross-checking numbers for which we were somewhat certain. The telephone number of someone who became a key person in one of our stories, Venkatesh, who is the personal secretary of former Karnataka chief minister Siddaramaiah, only got confirmed when Kabir Agarwal trawled through a bunch of PDFs in Kannada on the Karnataka assembly website.
There was always the ‘last resort’ option of simply calling the number and explaining to the person at the other end who we were and why we were calling but we chose to leave that approach to the very end, for obvious reasons. Maintaining secrecy was paramount, and given what we knew about the nature of the list, there was always a risk that the unknown person at the other end of the phone might run to the government, or social media.
By the time we approached our deadline of July 18, we had managed to verify more than 300 of the India (i.e.+91) numbers on the database. This was, of course, still a little less than one-third of the numbers we had started with but many of the unverified numbers were either no longer working or turned out to be dead-ends. Of course, The Wire’s reporters are still working the list.
Apart from establishing a secure means of communicating among ourselves, a challenge we overcame but about which we will say nothing more, there was the complex task of deciding whom among the verified targets we should reach out to for conducting a forensic examination of their phones. There was an obvious risk here: ensuring the confidentiality of the project was paramount, but the more individual targets we notified, the greater was the danger of word leaking out.
Locking down the evidence
Amnesty International’s technical assistance was an essential part of the project, a key ‘fact checking’ element that we hoped would help us move from a list of probable surveillance targets to a list of those with confirmed Pegasus infections.
There was an additional technical hurdle: Unlike iPhones, Android instruments, which run on Google’s proprietary operating system, do not retain the kind of extensive logs Amnesty’s forensic tools need to identify Pegasus. And many of the Indians on the list had Androids. Quite a few potential victims had also changed instruments between the time they appeared on our list and when we approached them. And many did not have access to the earlier instrument any more.
The Wire’s reporters finally approached around 40-50 of the roughly 300 people we identified and were able to conduct forensics on about 21-22 phones. Of these, 7 phones retained evidence of an actual Pegasus infection (despite some attempts by the Pegasus operator to remotely delete some elements) and another three showed signs of an attempted infection. This was a 50% strike rate, and provided important validation for the project. Apart from my phone, the phones of M.K. Venu and three other journalists – Sushant Singh, Paranjoy Guha Thakurta and S.N.M. Abdi – were among the seven infected instruments, as was the iPhone of opposition political strategist, Prashant Kishor. The phones of two Kashmiri activists, (the late) S.A.R. Geelani and Bilal Lone, also showed signs of actual or attempted infections. Forensic tests established attempted infections on the phones of two journalists, Vijaita Singh of The Hindu and Smita Sharma.
At the 11th hour, a big discovery
We had left Prashant Kishor till late because we weren’t sure he would agree to forensics and because we felt word might leak. I met him in the lobby of a hotel on July 12 and explained what we were doing. He readily agreed to have his phone examined so I drove him straight to Joanna Slater’s home. She had mastered the process of uploading phone backups on to Amnesty’s server and there was no time to lose. The results came back two hours later: Fully infected. There were traces of Pegasus not just for the dates our database had indicated but from April 2021 onwards too. The next day, we were able to identify the numbers of Mamata Banerjee’s nephew and his secretary in the database.
We realised instantly the political significance of our discovery: this was India’s Watergate moment. Someone in government had decided to eavesdrop on the political advisor of Narendra Modi’s political rival in West Bengal in the midst of an election. And we had proof that they had done so.
Meanwhile, our partners – especially Le Monde, the Guardian and the Washington Post – worked till the very end to verify key numbers, especially the ones the project believed were used by President Macron of France and his 14 ministers, Imran Khan and Cyril Ramaphosa. In some cases, there was no option but to make that 11th hour telephone call. That was how the number of Italy’s former prime minister, Romano Prodi got confirmed. He answered, but declined to comment.
Triangulating our findings
The final stage of the project involved contacting NSO Group, which sells Pegasus, and the governments involved to seek their response.
Though we knew from their responses to our questions that the NSO Group and the Modi government denied the authenticity of the leaked database and our findings, the Pegasus Project media consortium had reason to be confident about the work it had done.
Apart from the results of Amnesty’s forensics, The Wire and its partners had three additional sources of validation.
First was the overlap with what WhatsApp had itself independently found and disclosed back in 2019. The fact that some of the names on our database had already gone public about being notified by WhatsApp in 2019 that their phones had been targeted by Pegasus (during a 12-day window that stretched from April 29, 2019 to May 10, 2019) or were able to share this information now gave us additional confirmation about the robustness of our data.
There was also a second level of fact-check that the project was able to rely on: A total of 37 phones forensically examined by us worldwide showed traces of Pegasus, 10 of which were in India, and the time stamps Pegasus left on the phones appeared to be correlated, in many cases, to the timestamps our database contained alongside their associated telephone numbers.
Third, Amnesty’s tech lab submitted its forensic analysis to peer review by Citizen Lab, an independent entity associated with the University of Toronto that is not a part of the Pegasus Project but which was instrumental in the discovery of the WhatsApp infections in 2019. Citizen Lab came back with the same results. Since the publication of our stories, these forensic findings in at least two cases have been revalidated by the French authorities.
Big on #pegasusproject:@Mediapart journalists’ phones were tested by France’s national cybersecurity authorities (ANSSI) and their conclusion was same as that of Amnesty’s.
(first time a govt agency confirmed Amnesty’s technical findings)https://t.co/FWFANF1FA8
— Devirupa Mitra (@DevirupaM) July 29, 2021
In addition, the selection of more than one number associated with several persons of interest was proof that their appearance on the database was not the result of some innocuous, random selection.
The former Supreme Court staffer has more than 10 numbers linked to her and her family members in the database. We identified them because Ajoy Ashirwad Mahaprashasta had reported her story in 2019 and had saved her husband’s number on his phone. Jal Shakti minister Praful Singh Patel had 18 numbers. IT minister Ashwini Vaishnaw had two. Former CBI chief Alok Verma had eight. Rahul Gandhi had nine numbers, including five personal friends. This means they were not merely persons of interest but probable targets of Pegasus, though our inability to conduct forensics on these phones means there is no conclusive evidence of an infection.
How do we know the Modi government is responsible?
On July 18, The Wire, in collaboration with its media partners, began revealing the names of people who were either persons of interest – i.e. were probable/ potential targets – or were forensically confirmed as having been targeted by clients of the NSO Group’s Pegasus spyware.
The publication of specific stories followed a schedule that had been collectively agreed upon, and involved harmonising the differing interests and time zones of each of the media partners – not always an easy task!
Since the story broke, it has become clear that the official use of military grade spyware has gone out of control and has been deployed to target individuals for political and other reasons that have no connection to a national security threat or public order emergency – the two conditions under which surveillance in India may be lawfully authorised.
The government’s stout denials raise the obvious question – Why does The Wire assume that the NSO client which infected the phones of Prashant Kishor and others, and selected so many individuals for probable surveillance, is an Indian government agency? There are five reasons why such an assumption makes sense.
First, NSO says it only sells Pegasus to “vetted governments”, it does not deny selling Pegasus to India and the Modi government does not deny using it.
Second, the range of individuals selected in India – from journalists to political opponents, ministers, businessmen and human rights defenders to a dissident Election Commissioner and a young woman who alleged she had been sexually harassed by a sitting chief justice of India – makes it obvious that they were all targets of an Indian government agency. No foreign agency could possibly be interested in all of these individuals.
Third, the same government client/clients’ list includes foreign diplomatic numbers and several hundred from Pakistan, including Imran Khan.
Fourth, though the leaked database goes back earlier, the numbers selected by this particular government start in mid-2017, after a key visit NSA Ajit Doval and Prime Minister Narendra Modi paid to Israel in March and July of that year. That is presumably when the deal to use Pegasus was likely formalised.
Fifth, based on what Bill Marczak of Citizen Lab told The Wire for the Pegasus Project, it is apparent that both the Research and Analysis Wing (R&AW) and Intelligence Bureau (IB) are using Pegasus. “We use a variety of scanning techniques, including DNS Cache Probing,” he said, “to monitor NSO Group’s infrastructure and see where its customers are spying. One Indian customer, active since 2017, spies in India and abroad. A second customer, active since at least 2020, spies solely inside India.”
Decoding the Modi government’s response
Pegasus involves hacking – a criminal offence under India’s Information Technology Act – and no lawful authorisation for hacking is permitted by statute.
This is why the Modi government has tied itself in knots over the Pegasus Project exposé. It cannot acknowledge using Pegasus, because that would be tantamount to admitting that it broke the law, and it certainly cannot admit to targeting journalists, opposition political leaders like Rahul Gandhi and Mamata Banerjee’s nephew, besides its own ministers and the former Supreme Court staffer who had complained of sexual harassment.
At the same time, unlike the French government and even Israel, the Modi government cannot even accept or acknowledge that specific individuals in India have indeed been targeted with Pegasus – even when there is forensic evidence. This is because it will then have to explain its failure to do what other governments like France and the United States have already done: Demand that NSO Group tell it which foreign agency or government has used its spyware to conduct intrusive surveillance in India.
The only reason it has not rushed to demand an explanation from Israel or NSO is because it already knows who has done the targeting.
Where will matters go now?
The West Bengal government has now set up a formal judicial commission of inquiry into the Pegasus Project revelations headed by a former judge of the Supreme Court, Justice Madan B. Lokur and former Calcutta high court judge, Justice Jyotirmay Bhattacharya. Petitions have also been filed in the Supreme Court, including by former Hindu editor N. Ram and Sashi Kumar of the Asian College of Journalism, demanding a formal, court-supervised investigation. On Friday, Chief Justice N.V. Ramana said the matter would be listed for next week.
The reason the revelations have triggered such a strong response from the opposition, the media and civil society is because the use of spyware in the manner in which the leaked database indicates represents an assault on not just individual privacy but the very foundations of democracy. The revelations tell us that the Modi government is prepared to use any and every means to undermine its critics and opponents, including by spying on their electoral strategy and campaign.
If unchecked, this is an abuse of power that will affect the rights of every citizen.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read all our coverage here.