More Questions Than Answers In Pegasus Whodunnit

On July 18, the world erupted with news coming in that 50,000 phones globally were being snooped into. The technology used to snoop into these phones is allegedly a spyware called Pegasus, that has been created by an Israeli company called NSO. This is a company that was sold to a private equity firm called Francisco Ventures, and then bought back by the founders in 2019. The name of the spyware, Pegasus, in itself explains what it does – it stands for a winged trojan horse that “flies” into your phone, “over the air”. It essentially implies that without your knowledge, the spyware embeds itself into your phone. And it does so “over the air” as a mobile phone is essentially a wireless device.

The first question that comes up is whether this is at all technically possible. The answer is that it is certainly in the realm of possibility. If the systems of an Iranian nuclear centrifuge could be hacked, even though they were not connected to the internet in any way, a connected mobile phone can certainly be hacked, if enough resources are allocated to do so.

Given that this is not the first time that Pegasus or any other spyware has been detected in mobile phones, why is this incident creating such a furore? For the records, Pegasus was first detected in 2016, and it was already a very sophisticated spyware, infecting both Android phones and iPhones. So why is the Sunday expose such a big deal?

ALSO READ: Politicians, Journalists, Activists…Pegasus Spares None, Hears Them All

The reason for the global uproar on Pegasus is three folds. One, the extent of reach that Pegasus has had, has rarely been seen before. Second, the targets of Pegasus have been the who’s who of the world, including Presidents and Prime Ministers as well as cabinet ministers and well-known journalists. It is also believed that the state-sponsored murder of Jamal Khashoggi was enabled through Pegasus. And third, which is the most critical issue, is that NSO sells Pegasus only to governments. Hence, if we now stitch up the three points, the obvious story that comes out is that a government or multiple governments, have been snooping on others or on their own heads of states and ministers as well as on journalists at an unparalled scale. This is certainly ominous. It is a threat to civil liberties, privacy and freedom of expression, besides being an extremely powerful weapon to convert democracies into virtual autocracies.

ALSO READ: ‘If You Believe Your Phone’s Not Been Hacked, You’re Living In A Fool’s Paradise’

And that is the reason why there has been a global outrage at the discovery of this spyware infecting thousands of phones.

Therefore, the immediate question that comes in is, who did it? Unfortunately, with the gigabytes of writeups online on the issue, since the news first broke out in a select set of newspapers globally, the actual information available is still very sketchy. If we go by Washington Post, which had the privilege of being in the select club of 17 media organisations that received information from the so-called “Project Pegasus” which actually carried out the probe into the spyware’s influence, and was led by the Paris-based media nonprofit organisation Forbidden Stories and Amnesty International­—Pegasus is confirmed to have infected 37 phones, out of the targeted 50,000. Curiously, Washington Post singles out India and states that out of the 37 phones that are confirmed to have been hit by Pegasus, 10 are in India. Almost as a footnote, it also mentions that another 5 are in Hungary. It does not reveal where the balance 22 phones are from, neither does it reveal names of the 37 people whose phones are confirmed to have been hacked. Washington Post also makes the context sinister, as it starts the report by stating upfront that the spyware has been detected in phones in countries “known to engage in surveillance of their citizens and also known to have been clients of NSO Group.”

ALSO READ: Opinion: As Pegasus Flies In, It’s Time To Rethink Our Cyber Laws

Therefore, Washington Post also appears to build a narrative that India is a “known villain” that engages in surveillance of its own citizens, and that it is a client of NSO, the maker of Pegasus. It is important to look at this convoluted narrative in order to understand the “whodunnit” aspect of the issue. To run a government and to maintain internal and external security, surveillance of suspected people inside the boundaries of a country has been practiced for thousands of years. There is no known government that does not surveil select suspects. It is surprising that Washington Post singles out India, and choses to put out data for only India (Hungary being a footnote in the larger context), while staying silent on the antecedents of the rest of the compromised phones. More importantly, if NSO keeps its client list confidential, how did Washington Post or any other entity get access to their client list, in order to make the claim that certain governments are known to be clients of NSO? Did they hack into NSO’s systems? What spyware did they use to carry out their operation? Or are these claims baseless?

Expectedly, there has been a spirited defence of the government from both the newly-appointed Union Ministers of IT and Home Affairs. One of their defences has been that the timing of the release of the report, just before the start of the monsoon session of Parliament, is suspect, and meant to affect India’s democratic processes. Even though this seems to be a valid point, it is worthwhile to note that a country of the size and complexity of India, always has some important event or the other going on. A few months ago, it was the season of state elections. A few months later, there will be more state elections, and so on. So, any time that a politically slanted report is released, will coincide with some political process or the other.

But why has Washington Post singled out India in releasing its data? Perhaps it could be because another version of Pegasus was detected in India in 2019, one that infected phones through Whatsapp. Facebook, the owners of Whatsapp, had proactively declared this compromise in Whatsapp’s security and helped pinpoint journalists whose phones were compromised. Even though this appears to be a proactive step from Facebook, given its past record of hiding security breaches, or perhaps actively participating in data breaches, as was evident from the Cambridge Analytica case, it was indeed curious as to why Facebook went public with this breach by Pegasus. In addition, given that Whatsapp has been trying to legally compromise the privacy of individuals by forcing them to sign-off their privacy, it would look like a case of the pot calling the kettle black. However, this earlier brush with Pegasus could perhaps be the reason why Washington Post singled out India this time. But then again, Pegasus was first detected in 2016, and has raised its ugly head in multiple countries globally. So clearly, India being singled out by the consortium of entities that are releasing information from their analysis, seems to be motivated.

However, the question­—who in India authorised it—remains? To look into that matter, one should find out who got impacted in India and the possible motivation of the perpetrator to target them. Based on further updates, the targets apparently include 300 phone numbers (not yet verified) from India, including that of Rahul Gandhi, a key member of a key Opposition party, two serving ministers including the newly-appointed IT Minister Ashwini Vaishnaw, poll strategist Prashant Kishor, 40 journalists, one sitting judge and many business people. The narrative that emerges is that the Union government was targeting them. Clearly, the Indian government stands to benefit by snooping into phones of Opposition politicians and journalists. However, this narrative becomes questionable when even the name of the recently-appointed IT Minister gets involved. Why is that surprising? Because, for one, the potential value of tracking someone who was not even a minister at the time his phone was tracked, is very low. For another, as anyone who has worked closely with the government would testify, most politicians and ministers use feature phones—popularly called button phones—for their sensitive communications. Feature phones do not have a programmable operating system like in a smartphone, and are hence immune from infection once they leave the factory. Having said that, it still does not take the needle of suspicious away from the government.

Others who could potentially gain from such widespread surveillance are key Opposition politicians themselves. We do have savvy politicians from various parts of the country such as Maharashtra, UP, etc who harbour ambitions of being the Prime Minister, and they do stand to gain from tapping into the phones of some of the targets. However, as per NSO, they sell their software only to governments, ruling out any non-government player. Or does it? Pegasus has been known to have been used by Mexican drug cartels to target and intimidate journalists and government representatives. The spyware has likely moved into the hands of non-state actors by now. So, it could potentially also be Opposition politicians who are behind the surveillance.

And then we have the possibility of a foreign government or a foreign non-state actor, which launched this surveillance. There would be a million reasons why a foreign entity would be interested in doing so. However, if that is the case, why are phones of the Prime Minister, and those of key defence personnel, not compromised? We don’t know the answer, but the chance of such an event should be realistically very slim, not to mention that they typically use feature phones and use over-encrypted communication systems.

Lastly, it is also possible that the surveillance was done by entities having business interests in the country and globally. These could be Indian businesses or foreign ones. For that matter, there is another unanswered question—who funded Forbidden Stories and Amnesty International to embark upon this digital forensic analysis that took months and millions of dollars, and why? Why did they not investigate Whatsapp or Tiktok to check if these apps are snooping on people? Why only Pegasus? Is it a coincidence that Washington Post is owned by Jeff Bezos, the founder of Amazon, one of the largest global e-commerce platforms?

Unfortunately, with the sketchy information available, one can only postulate multiple hypotheses, and arrive at inconclusive deductions. As one of my co-panelists on a TV show on this issue remarked­—is the information sketchy or is it dodgy? Perhaps it is both. But one should not get lost in semantics, as the Pegasus case is a watershed moment in the history of our digital civilisation, where perhaps anyone can get into your phone, turn on its camera, watch what you are doing, listen to what you are saying or read what you are reading. We have surely stepped into an Orwellian society, with anyone and everyone having the ability to snoop.    

(This appeared in the print edition as "The Pegasus Whodunnit")

(Views expressed are personal)

The author is President, Centre for Digital Economy Policy Research