Pegasus - India's Watergate?

Pegasus is a type of malicious software or malware classified as a spyware. It is designed to gain access to devices, without the knowledge of users, and gather personal information and relay it back to whoever it is that is using the software to spy.

Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010. The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link. Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

How does it work?
  • Pegasus, in the very basic form, can infect devices that are connected to the internet. Some updated versions can also infect phones even without the victim clicking on any links or messages.
  • Most spyware and stalkerware apps disguise themselves as anti-theft applications that can be used to track stolen or lost devices. 
  • While viruses and malware can be detected by anti-virus software, spyware & stalkerware apps disguise themselves as useful and send out stolen data to central servers without the knowledge of users.
  • The software can, based on instructions from a remote server, automatically turn on the camera and the microphone and look into chats, access the calendar and read SMS-es and emails.
Pegasus is compromising
  • Upon installation, Pegasus contacts the attacker’s command and control (C&C) servers to receive and execute instructions and send back the target’s private data. This data can include passwords, contact lists, text messages, and live voice calls (even those via end-to-end-encrypted messaging apps).
  • The attacker can control the phone’s camera and microphone, and use the GPS function to track a target.
  • To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server.
  • The spyware can evade forensic analysis and avoid detection by anti-virus software. Also, the attacker can remove and deactivate the spyware, when and if necessary.
Earlier Controversy
  • Researchers discovered the earliest version of Pegasus in 2016. This version infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
  • In 2019, WhatsApp blamed the NSO Group for exploiting a vulnerability in its video-calling feature which secretly transmitted malicious code in an effort to infect the victim’s phone with spyware without the person even having to answer the call.
  • In 2020, a report showed government operatives used Pegasus to hack phones of employees at Al Jazeera and Al Araby.
Pegasus Attacks in India
  • Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm. Indian ministers, government officials and opposition leaders also figure in the list.
  • In India, several opposition leaders including Rahul Gandhi were on the leaked potential targets’ list.
  • Smartphones of Politicians, Journalists were hacked for gathering confidential information.
  • This is the first time in the history of this country that all pillars of our democracy — judiciary, parliamentarians, media, executives and ministers — have been spied upon.
  • The Indian government has denied any wrong doing or carrying out any unauthorized surveillance. However, the government has not confirmed or denied whether it has purchased or deployed Pegasus spyware.
Legislations on Surveillance The laws authorizing interception and monitoring of communications are:
  • Section 92 of the Criminal Procedure Code (CrPC)
  • Rule 419A of the Telegraph Rules, and
  • The rules under Sections 69 and 69B of the IT Act

Watergate scandal

The Watergate scandal was a political scandal that occurred in the United States in the 1970s as a result of the June 17, 1972, break-in at the Democratic National Committee headquarters at the Watergate office complex in Washington, D.C., and the Nixon administration's attempted cover-up of its involvement. The scandal eventually led to the resignation of Richard Nixon, the President of the United States, on August 9, 1974 — the only resignation of a U.S. President to date. The scandal also resulted in the indictment, trial, conviction, and incarceration of forty-three persons, dozens of whom were Nixon's top administration officials. The affair began with the arrest of five men for breaking and entering into the Democratic National Committee headquarters at the Watergate complex on June 17, 1972. The Federal Bureau of Investigation connected cash found on the burglars to a slush fund used by the Committee for the Re-Election of the President, the official organization of Nixon's campaign. In July 1973, as evidence mounted against the president's staff, including testimony provided by former staff members in an investigation conducted by the Senate Watergate Committee, it was revealed that President Nixon had a tape-recording system in his offices and he had recorded many conversations. Recordings from these tapes implicated the president, revealing he had attempted to cover up the questionable goings-on that had taken place after the break-in. After a protracted series of bitter court battles, the U.S. Supreme Court unanimously ruled that the president had to hand over the tapes to government investigators; he ultimately complied.
Conducting Surveillance A limited number of agencies are provided powers to intercept and monitor.
  • In 2014, the Ministry of Home Affairs told Parliament that nine central agencies and the DGPs of all States and Delhi were empowered to conduct interception under the Indian Telegraph Act.
  • In 2018, 9 central agencies and 1 State agency were authorised to conduct intercepts under Section 69 of the IT Act.
  • The Intelligence Organisations Act, which restricts the civil liberties of intelligence agency employees, only lists four agencies. However, the RTI Act lists 22 agencies as “intelligence and security organisations established by the central government” that are exempt from the RTI Act.
K.S. Puttaswamy judgment, 2017 regarding Surveillance
  • The K.S. Puttaswamy judgment, 2017, made it clear that any invasion of privacy could only be justified if it satisfied three tests:
    1. The restriction must be by law;
    2. It must be necessary (only if other means are not available) and proportionate (only as much as needed);
    3. It must promote a legitimate state interest (e.g., national security).
  • The judgement held that privacy concerns in this day and age of technology can arise from both the state as well as non-state entities. As such, a claim of violation of privacy lies against both of them.
  • The Court also held that informational privacy in the age of the internet is not an absolute right and when an individual exercises his right to control over his data, it may lead to the violation of his privacy to a considerable extent.
  • It was also laid down that the ambit of Article 21 is ever-expanding due to the agreement over the years among the Supreme Court judges. A plethora of rights have been added to Article 21 as a result.
  • The court stated that Right to Privacy is an inherent and integral part of Part III of the Constitution that guarantees fundamental rights. The conflict in this area mainly arises between an individual’s right to privacy and the legitimate aim of the government to implement its policies. Thus, we need to maintain a balance while doing the same.
Past recommendations regarding Surveillance
  • In 2010, then Vice-President called for a legislative basis for India’s agencies and the creation of a standing committee of Parliament on intelligence to ensure that they remain accountable and respectful of civil liberties.
  • The Cabinet Secretary in a note on surveillance in 2011 held that the Central Board of Direct Taxes having interception powers was a continuing violation of a 1975 Supreme Court judgment on the Telegraph Act.
  • In 2013, the Ministry of Defence-funded think-tank published a report which recommended that the intelligence agencies in India must be provided a legal framework for their existence and functioning; their functioning must be under Parliamentary oversight and scrutiny.
  • In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”. This is because they are not constituted under a statute passed by Parliament — the National Investigation Agency being an exception.
Major Concerns
  • Scale of usage: The allegations here are not new. What is new is the scale of the targeting of innocent people that’s allegedly taking place. Nearly 200 reporters from 21 countries have their phone numbers on this list. 
  • Attack on Dissidents: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into HR & Dalit activists.
  • Violation of Fundamental Rights: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy and the exercise of freedom of speech (Article 19) and personal liberty (A-21).
  • Endangers Safety of journalists: In the absence of privacy, the safety of journalists, especially those whose work criticises the government, and the personal safety of their sources is jeopardised.
  • Declining Press Freedom: World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021 (India’s ranked 133 in 2016)
  • Leads to Self-Censorship: The perceived danger, founded on reasonable suspicion that surveillance may happen, itself impacts their ability to express, receive and discuss such ideas.
  • Dangers of Mass Surveillance: As spyware becomes more affordable and interception becomes more efficient, there will no longer be a need to target specific individuals. Everyone will be potentially subject to state-sponsored mass surveillance.
  • Weak Legislative Protection: The proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities.
Initiatives taken in India:
    • Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
    • National Cyber security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.
    • Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
    • Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government.
      • National Cyber Crime Reporting Portal has also been launched pan India.
    • Computer Emergency Response Team - India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
    • Legislation:
      • Information Technology Act, 2000.
      • Personal Data Protection Bill, 2019.
Global Mechanisms:
    • International Telecommunication Union (ITU): It is a specialized agency within the United Nations which plays a leading role in the standardization and development of telecommunications and cyber security issues.
    • Budapest Convention on Cybercrime: It is an international treaty that seeks to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1st July 2004. India is not a signatory to this convention.
Road ahead The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking in particular, is essential. Only the judiciary can be competent to decide whether specific instances of surveillance are proportionate, whether less onerous alternatives are available, and to balance the necessity of the government’s Security objectives with the rights of the impacted individuals.


POSTED ON 07-08-2021 BY ADMIN
Next previous