Data breach over Pegasus snooping reported months ago
In March this year many Indian journalists and public servants, whose phone numbers alleged to have been tapped by spyware Pegasus, had received phone calls from various international agencies requesting to participate in a ‘digital forensic analysis’.
The sole intention of the analysis was to examine their personal mobile phones to assess how frequent is data breach in India and the level of awareness among Indians on data breach.
Many expressed willingness to participate in the process. Directions were given on the methods to be followed for the study. Upon completion of the analysis, the results confirmed breaching of data in the mobile phones of many who participated in the study. However, they were clueless on who snooped on their mobiles and for what, until it was revealed now through the recent media reports.
“Someone from Forbidden Stories, a Paris-based media organisation, had called me in March for the analysis. After the analysis, I was informed that my phone had been compromised. I asked them curiously, Who? For What? The answer was a question,” said Paranjoy Guha Thakurta, an Indian journalist.
The organiser of the analysis had asked Paranjoy about the kind of stories in which he was working on. “I was doing a story on the assets of the late Dhirubhai Ambani and also a story associated with a book on the privacy issues associated with Facebook and Whatsapp in India. They pointed fingers at my stories as the possible cause of the snooping,” added Paranjoy.
However, the million-dollar question had remained unanswered on who initiated the data breach and for what. “I was thinking of the possible hackers on my phone until the recent revelation of Pegasus' role in the massive data breach. This has to be probed transparently and the culprits must be brought before the legal platform. As per the policy of NSO, which owns Pegasus, only sovereign governments can buy the spyware. It points fingers on the government. The government must clarify whether they had snooped on its own citizens or not,” added Paranjoy.
The government of India denied the allegation over its involvement in the Pegasus snooping and also termed it baseless and false. The French government declared a probe on the revelation of snooping on its citizens. By taking inspiration from France, the India government should also be willing for a probe instead of merely claiming innocence.
How does Pegasus work?
Pegaus is a spyware and a malicious software that can be installed on a device without the knowledge of the end user. It steals sensitive information and internet usage data and transmits the stolen data to external users. There are millions of spywares available across the globe. Many of them require the permission of the end user, Pegasus does not need the permission or click to invade a device. It begins with a trap link to a smartphone that persuades the user to tap and activate it. Even without any input by the user it gets activated like the most sophisticated “zero-click” hacks.
Who owns Pegasus?
Pegasus is owned by NSO Group Technologies in Israel and it was founded by Niv Carmi, Omri Lavie and Shalev Hulio. NSO stands for Niv, Shalev and Omri. It was founded with an intention to create technology that helps government agencies prevent and investigate terrorism and crime to save the lives of millions across the world. Even Though, NSO was formed with a noble intention, it was allegedly involved in various crimes around the world. The last one among the series was the murder of Jamal Khashoggi, a Saudi-based journalist, whose phone was tapped allegedly by NSO on behalf of Saudi administration.
Peri Maheswar, former president and publisher of the Outlook group and founder of Careers360 magazine, explains the most frequently asked questions associated with Pegasus data breach.
1 Q. How did this expose come about?
A. Forbidden Stories, an online website and Amnesty International had access to a leak of phone numbers of NSO clients selected for surveillance. NSO makes the Pegasus software.
2 Q. Was the Pegasus investigation targeted against India?
A. No. The investigation was done by 17 media agencies and panned across 45 countries.
3 Q. Can anyone buy Pegasus software?
A. No. Only sovereign governments can buy the software. Private parties cannot buy the software.
4 Q. Did the government of India confirm that they bought the software?
A. No. They did not confirm. Interestingly, they did not deny buying the software too despite specific questions.
5 Q. Did government confirm any such surveillance?
A. The Government of India has said that there has been 'no unauthorised' surveillance. This is seen as a confirmation of authorised surveillance.
6 Q. How many journalists' numbers were under surveillance?
A. It is 180 in all, of which 49 are Indians.
7 Q. Which countries were found to be using it against journalists, activists and opposition leaders?
A. The countries are: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, United Arab Emirates (UAE) and of course INDIA. We are in good company.
8 Q.Who all were targeted in India?
A. 49 Indian journalists, three opposition leaders, two ministers and even one sitting SC Judge were targeted.
9 Q. How sure is it that they were snooped on?
A. Amnesty International’s Security Lab, in partnership with Forbidden Stories, was able to perform forensics analysis on the phones of more than a dozen of these journalists – and 67 phones in total – revealing successful infections. They were later peer reviewed by a Canadian tech company which specialises on Pegasus. Both confirmed the infections.
10 Q. Is it possible that the government of India did not buy the software and it may be the act by other organisations within India?
A. No. Only governments can buy the software. And the names of those under surveillance have a definite pattern that threatens power.