A Test for Pegasus – and Indian Democracy

The first alarm bell rang in India in 2019, with WhatsApp's lawsuit against the NSO Group, didn't lead to questions being asked. We should not allow this to slip away either.

Listen to this article:

This saga started with 50,000 cell phone numbers in a database received by Forbidden Stories and Amnesty Technology Lab. They approached media in 16 countries to verify names and, if possible, send system ‘images’ of suspect phones to be tested for Pegasus. (Amnesty Lab has explained its forensics here).

Normally, and quite understandably, most citizens would hesitate to subject themselves to such a test, like I was. But for a larger cause, my colleague Siddharth Varadarajan and I sent digital images of our phones to be tested. The rest, as they say, is history. It appears that media personnel must bear an unusually heavy burden, now that authoritarian governments think they can silence them. High technology has made high surveillance possible.

But now, we have a window of opportunity, as rights groups arm themselves to detect surveillance, understand it and check it. Governments cannot continue to snoop, without pushback. We must urge other citizens in the list, across countries, to help in this process and volunteer to have their phones checked. Actually, testing for Pegasus was a small fraction of the process of scanning for illegal surveillance. This process needs to expanded for more people on the leaked list; a process that can only happen if people allow their data to be analysed. And at some stage, it must even become a universal practice, a development that Amnesty International hopes will happen with the release of its mobile verification toolkit.

Also read: Leaked Snoop List Suggests Surveillance May Have Played Role in Toppling of Karnataka Govt in 2019

Forbidden Stories, the Paris-based non-profit news platform, also contacted partner media across countries via secure communication platforms, to mitigate risks for investigative journalists across borders. It is important for citizens to familiarise themselves with the processes followed by Amnesty Technology Lab and Toronto-based Citizen Lab, whose efforts have helped to expose the privacy breach. Perhaps this exercise must become an ongoing one, since governments around the world remain in denial about the illegal use of Pegasus-like spyware.

The Israeli NSO Group has publicly and repeatedly said it sells Pegasus spyware only to “vetted governments” and expects them to use it for specific national security and criminal investigations. This makes it even more important to shine the light on transgressions that some governments are committing, deviously imposing blanket surveillance on some of its citizens. Why are constitutional authorities, judges and journalists being selected as possible candidates for surveillance? NSO maintains that it only supplies software to governments, and has no role in operations. With the leaked list of phone numbers, it is very legitimate to ask: what exactly is the ‘division of labour’ between NSO and governments that buy its spyware? (See here for more on the forensics The Wire did in India.)

Also read: Pegasus Project: Edward Snowden Calls For a Global Moratorium on Spyware Trade

We knew this was coming. The Ministry of Electronics and Information Technology and WhatsApp had a conversation in 2019, when a Pegasus security breach was first confirmed by WhatsApp. WhatsApp said that it notified the government about 121 compromised phones. The government first tried to duck, saying that WhatsApp had not informed it about a privacy breach targeting Indian activists, lawyers and journalists. WhatsApp categorically stated that it had alerted the government twice, in May and in September, 2019. Responding to a notice from the IT Ministry, WhatsApp attached both the vulnerability notes it filed in May and its letter of September. The government eventually confirmed that it did receive the September intimation from WhatsApp about Pegasus targeting 121 Indians. Stubbornly, The Indian Express reported, the ministry claimed the letter was “still too vague” to be alarming.

The first alarm bell rang in India on October 31, 2019, but eventually, nothing happened. There was no probe, and the government sat tight, hoping perhaps that it would blow over. In fact, it went on to draft very aggressive and restrictive IT Intermediary Guidelines in December 2019, covering social media platforms, to fully control the digital conversation.

This is where we stand after two years, and there’s more information to be unveiled.

When governments pretend they know nothing about illegal hacking on such a massive scale, they hack democracy. We must be the antivirus that prevents it. We must keep speaking. and make ourselves heard. To be silent is to be complicit, to consent to this violation of democracy itself. It is a crime against the nation, committed by the state.

Read The Wire’s coverage as part of the Pegasus Project here.