Kochi: The use of Pegasus, a malicious software developed by Israeli company NSO group, in a manner without any transparency or keeping any record of it against politicians, journalists and other civil society members, is deeply troubling, said noted journalist Siddharth Varadarajan while deposing before the Supreme Court-appointed expert panel to probe the alleged snooping.
“The Wire, of which I am a founding Editor, was a member of an international media consortium known as the 'Pegasus Project'. We were fully involved in the investigation into the use of Pegasus in India,” he said.
While trying to convince the seriousness of using malware against citizens, he highlighted the need to have a legal framework in the acquisition and deployment of such spyware. “Had the acquisition and deployment of Pegasus been limited to espionage or any terror-related activity under the backing of a legal framework, there would not have been any reporting. Follow lawfully prescribed procedures even if it is to fight terrorism or organised crime. Lack of laws to govern its acquisition and deployment raises concerns,” added Siddharth Varadarajan.
He also reiterated the significance of finding out who bought Pegasus in India and for what. " We should have the complete picture. Only then we can go for remedial measures."
The reports on Pegasus snooping came out in July last year in The Washington Post, The Guardian, The Wire and other media. It was alleged that the phone numbers of over 300 Indians, including two serving Cabinet ministers, three opposition leaders, a constitutional authority, government officials, scientists and about 40 journalists, were observed or tapped.
Siddharth Varadarajan was asked several questions by the experts in the panel on the studies held to confirm Pegasus snooping, safety measures to be taken against such spyware in future and also his knowledge on the matter.
Amnesty International's security lab performed an in-depth forensic analysis on 15 devices of Indian citizens and uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware. The report was later peer-reviewed by Toronto-based Citizen Lab confirming the study results, he told the panel.
The Supreme Court appointed an expert panel to probe the Pegasus row in October last year.
Prominent journalists including N Ram and Shashi Kumar have also deposed before the panel.
Siddharth Varadarajan failed to answer a few questions when the panel entered into some technicalities of the issue.
One among the questions was: If an instrument is found to have been infected, is there any assured or guaranteed way to identify that it is infected with Pegasus or any other malware like Pegasus? Has anything been developed to find it out?
To this question, Siddharth Varadarajan said, “I refer you to the work that was done by Amnesty International and the peer review process that Citizen Lab did for us. Suspicious malware was found on the devices. As per the methodology followed and experience, the team from AI and Citizen Lab was very clear that it was Pegasus. So I urge you to invite Citizen Lab and Amnesty International to have a word with them for getting a clear picture of the processes they followed for confirming it.”
Another member of the panel asked Siddharth Varadarajan how this database came into existence? Since he was part of the investigation, the expert conveyed to him the difficulty in understanding that there has been a consolidated list prepared in some quarter; either in the NSO or some other part. The database has 50,000 numbers mentioned in it. It raises many questions. Whether the agency that was doing the interception was sharing the information with NSO? Was NSO collating it in one place, he asked.
To this, Varadarajan, replied, “The database was accessed by Forbidden Stories and shared with us. It came from a source that had access to certain aspects of the workings of NSO or Pegasus. We can only speculate as to why all of this information was present in one place. NSO appears to have some sort of visibility to the use of Pegasus by its clients. Why it chose to collate and keep the data in one place is not something I cannot answer.”
He also said that many of the Indian numbers were identified by WhatsApp in 2019 as being the targets of the Pegasus attack in India. The government of India acknowledged the reality that Pegasus was targeting Indian numbers.
The experts in the panel later raised a concern that Amnesty International or Citizen Lab have not yet expressed willingness to cooperate with the investigation despite sending emails months ago and reminders too.
The experts in the panel also sought help from Siddharth Varadarajan for getting in touch with AI and Citizen Lab for aid in the probe.