Pegasus: why the unsanctioned use, misuse and abuse of this spyware must stop

Your innocuous smartphone can become your worst enemy if it has a brush with Pegasus. You don’t have to click a deceptive link or respond to a bait-message. The Pegasus spyware has the ability to remotely penetrate your phone, take control of the device and access your messages, emails, photos and videos through a zero-click approach, meaning you don’t have to do a thing. Pegasus can invisibly infect your phone without you ever knowing about it.

Pegasus is a malware that infiltrates and infects Android and iPhone devices. It can access your calendar and spy on you during your meetings. The spyware also has the ability to switch on your cameras and your microphones and record you even when you are not using your device. What’s worse, Pegasus can successfully break the protective barriers and invade the so-called safer encryption driven apps like Whatsapp, Signal or telegram.

The massive data leak related to the NSO Group that owns Pegasus exposed by the Paris based nonprofit media organisation Forbidden Stories puts to shame governments of at least 10 nations including India that are being accused of allegedly using Pegasus to spy on their journalists. The Pegasus expose is not just limited to snooping on journalists, the data leak suggests that human rights defenders, judges, lawyers, bureaucrats, diplomats, heads of state, presidents, prime ministers and their family members have been victims or were potential targets of such extensive surveillance.

In India, several names of people have emerged who were potential targets of the NSO clients. From Congress leader Rahul Gandhi, former Election Commissioner Ashok Lavasa to sitting Union ministers in the Modi cabinet; from the founding editors of The Wire Sidharth Varadararajan and M.K Venu to journalists like Vijaita Singh from The Hindu, Sandeep Unnithan from the India Today and J Gopikrishnan of The Pioneer, many Indian names have figured in the data leak and the consortium of journalists have promised to make public more names in the days to come.

The Pegasus Project and the massive data leak is soon spiralling into a global scandal. The story has huge implications and ramifications for the world’s journalism fraternity yet pro-government media mouthpieces in India have gone on to brazenly parrot the government’s views and call the report exaggerated and based on conjectures.

Let’s dispassionately take a look at both sides. The media organisations that are supporting the Indian government are basing their arguments mostly on the following statement from the original expose. For instance, The Guardian, which is also part of the media entities that worked on The Pegasus Project states: “The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. However, the consortium believes the data is indicative of the potential targets of NSO’s government clients identified in advance of possible surveillance attempts.”

The consortium of journalists that worked on The Pegasus Project has accused the governments of spying because the NSO Group has made it amply clear that it sells its Pegasus software only to vetted sovereign governments. In such a scenario, if their spyware is being so widely misused, there are only 2 possibilities:

• NSO Group secretly sold the malware to private entities in violation of their own code.
• Governments actually bought the software to spy on their “people of interest”.

Let’s assume that the government did no wrongdoing and the first case scenario was true. What is then worrying is the response of the government to such a global expose. Why would any government that is not responsible for unsanctioned spying be caught on the backfoot and in a self defense mode when they must actually be outraged at the company and by this time be in active talks with the Israeli government to rein in their notorious company (NSO Group) that perhaps was outlandishly dishing out malicious spyware to private entities which is possibly endangering the privacy of many Indians. Instead, our government has been blaming the media organisations for crafting a story bereft of facts with preconceived conclusions. It’s not as much the government’s involvement but the government’s response to the story that really raises suspicion..

Journalists glean through 50,000 numbers to piece together the story

The data related to over 50,000 phone numbers of potential targets and victims of Pegasus first fell into the hands of Forbidden Stories, a reputed media organisation whose stated mission is to publish the unpublished works of journalists who faced threat or died in the line of duty. For instance, when renowned Maltese investigative journalist Daphne Caruana Galizia was murdered when she was about to expose a corruption deal involving the government of Malta, Forbidden Stories flagged off The Daphne Project - a collaborative cross border investigative journalism project - to continue the work of Daphne.

When it came to Pegasus, Forbidden stories and their co-partner for the project Amnesty International decided to team up with 80 journalists and 16 other media organisations across the world including the Indian news website The Wire to make sense of the numbers and get some of these mobile devices forensically examined.

Such collaborative cross continental investigative journalism initiatives have always proven to be effective, be it the Panama Papers case or the Fincen Files expose, working in partnership helps media tackle complex stories with enormous amounts of data spread across multiple countries. The stories usually are fool proof because multiple journalists across news organisations have the opportunity to collectively take editorial calls, vet and cross verify the story numerous times before breaking the first report. In other words, journalists act as checks and balances for each other on stories of global importance.

The 80 odd journalists who worked on The Pegasus Project found that 180 journalists were selected as potential targets from 20 countries including India by 10 nations that were NSO clients. The 10 nations mentioned in the report were Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates (UAE). What is disquieting is how governments both autocratic (Bahrain, Morocco and Saudi Arabia) and democratic (India and Mexico) have been accused of using the Israeli firm’s military grade spyware to snoop on journalists and others.

To verify if the numbers mentioned on the leaked list were actually infiltrated using the spyware, the investigative journalists used a random sample of 67 cell phones and got it forensically scrutinised by Amnesty International’s Security Lab for Pegasus footprints. According to the report, Amnesty's cyber division found Pegasus footprints in 37 devices. The report mentions that the study was later verified by the Canadian research facility Citizen Lab at the University of Toronto.

So why do companies like NSO Group operate with impunity?

For many years, companies like the NSO Group have been conducting their business by claiming that they help governments prevent and investigate terrorism and crime to save lives around the world. NSO, particularly claims that their product Pegasus only supports governments and their respective police authorities and secret services in the fight against terrorism and serious crime but on the other hand the leaked data shows that data collected by the NSO is being used by many of its “so-called” government clients to muzzle the media and spy on political opponents and cling onto power.

NSO on its part has consistently maintained that they do not operate the systems they sell to government clients and they do not have access to the data of its clients targets. Even if it were true, it does not make them less culpable especially when their software is being used by their clients to subvert democratic processes..

NSO’s response to The Pegasus Project by Forbidden Stories

The Pegasus Project also reveals the large-scale misuse of such data by states like Saudi Arabia, Morocco, Kazakhstan, Azerbaijan, Bahrain, Hungary and the UAE. These spyware companies have close ties with governments across the world and this by and large means that they are more or less protected from legal and financial implications for their actions. In a one-off case, one such spyware company was recently taken to task for selling its spyware to Libya for hunting down opponents of deposed dictator Muammar Gaddafi. But these instances of action against such spyware companies are few and far between.

Why the Pegasus expose is concerning

Amongst other cases of surveillance, the Pegasus data leak also shows how the spyware was used to snoop on many journalists in Azerbaijan. The only two remaining independent media outlets of the country were also put under highly intrusive surveillance.

Moreover the governments of these nations have been spending millions of dollars of the taxpayer’s money to pay-off companies like NSO Group that are indirectly assisting their respective clients to spy on their opponents and hold onto power.

Pegasus - when used on a journalist’s device - completely compromises the contacts and sources of the journalist. There are past instances where many such sources were later victimised by security agencies of the government for turning whistleblower.

When used on a judge’s device, it endangers the judicial process. The latest leaks expose the fact that the spyware was routinely used to target judges and constitutional heads.

When used on political opponents, democracy is subverted and the entire election machinery is imperilled. The news of the spyware being used for corporate and political espionage is dangerous for the financial and political health of any nation.

The Israeli government has over the years been emboldening the growth of their indigenous cyber security industry that networks with big corporations and governments across the world. Companies like NSO Group and Candiru have the complete backing and blessing of the Isreali government and it is believed that their advancement directly gives an edge to Israel's security and intelligence apparatus..

Jamal Khashoggi (right) and his fiance Hatice Cengiz (left)

The allegations of abuse of Pegasus by governments to attack dissidents is not just limited to a matter of breach of privacy alone. The news reports of the consortium of journalists that released The Pegasus Project state that the malware has been used by many governments to harass critics, blackmail dissenters and in many cases kill or silence detractors.

In the case of the barbarous assassination of Washington Post columnist Jamal Khashoggi in 2018, Forbidden Stories found that the NSO Group spyware was installed on his fiance Hatice Cengiz’s phone just four days after the murder.

Khashoggi’s son’s phone was selected as a target by an NSO client which the latest report reveals could be the UAE government. Reports suggest that friends, colleagues and family members of Khashoggi were zeroed in as potential targets for surveillance by the governments of Saudi Arabia and the UAE.

The NSO Group has denied that its software was associated with the killing of Khashoggi but how would the NSO Group know especially when they claim that they do not operate the systems they sell to government clients and they maintain that they do not have access to the government clients “target data”.

Khadija Ismayilova, Azerbaijani investigative journalist and radio host

There are numerous instances of many journalists being victimised across the world through use of such malicious spyware. Khadija Ismayilova, an Azerbaijani journalist was one of them.

She was targeted by her government for flagging off investigations into the ruling family. Clandestinely, cameras were installed in her home and she was filmed when she was having sex, was accused of provoking a man to attempt suicide, was charged with tax fraud and sentenced to seven years in prison. Khadija was released after one and a half years and a travel ban was placed on her.

In their latest report, Amnesty International and Forbidden Stories have reported that Khadija’s phone was also infected with Pegasus for almost 3 years.

So was Moroccan Journalist Hicham Mansouri’s phone. Mansouri too was stripped naked by armed intelligence agents when he was with his female friend in his bedroom and was arrested for adultery, which is a crime in Morocco.

Similarly, in 2017, Mexican journalist Cecilio Pineda was shot dead immediately after he recorded his final broadcast on collusion between the government and the drug cartel. It has now been revealed that even Pineda’s phone was selected as a target by an NSO client.

Back home, the leaks in India reveal that no one has been spared. Not even constitutional authorities or even some of the Modi government’s ministers. Even as the IT Minister Ashwini Vaishnav outrightly denied the claims made in the expose, it was quite ironic that a few hours later he found out that his phone too figured as a potential target in the leaked document.

Pegasus not just hacks phones, it subverts democracies, makes autocratic regimes stronger and authoritarian regimes sturdier. In such cases, belling the cat may not be too pragmatic especially if the protagonists are institutions themselves. But the seriousness of the situation warrants immediate action. Inaction is no longer an option. .

Prema Sridevi is an Indian investigative journalist and Editor in Chief of The Probe. In a career spanning 20 years, Sridevi has worked with some of the top news brands in India and she specialises in stories related to accountability, transparency, corruption, misuse of public office, terrorism, internal security to name a few.