- Possibly one of the biggest stories that broke in cyberspace recently has been WhatsApp’s reports that 1,400 of its users were hacked by Pegasus, a spyware tool from Israeli firm NSO Group.
- A significant number of the Indian users among these are journalists, academics, and human rights and Dalit activists.
- Further, the timing of such surveillance — late April to mid-May — rakes up another set of worries about the motive behind the hack.
- All spyware does what the name suggests — it spies on people through their phones.
- Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
- The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
Method of working
- A Pegasus operator must convince a target to click on a specially crafted ‘exploit link’ which allows the operator to penetrate security features on the phone.
- This automatically installs Pegasus without the user’s knowledge or permission.
- Once the phone is exploited and Pegasus installed, it begins contacting the operator’s command and control servers and sends back the target’s private data, including passwords, contact lists, events, text messages, and live voice calls from popular mobile messaging apps.
- The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
Why is Pegasus dangerous?
- What makes Pegasus really dangerous is that it spares no aspect of a person’s identity. It makes older techniques of spying seem relatively harmless.
- What it can’t do would be an easier question to answer. Once on a phone, the spyware has the run of the place.
- It can intercept every call and SMS, read every email and monitor each messaging app.
- Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
- The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
Concerns over Snooping
The pertinent questions are, who is behind this surveillance and hacking incident; and has this intrusion of privacy reached a level that has not been fathomed by the legal and technical communities?
Stretching this further, is this a vulnerability ignored by WhatsApp’s management?
Perpetrators behind the attack
- The other angle to this whole episode is the role of the perpetrators behind the hack.
- With access to technology increasing, networks can be intruded upon from any part of the world, provided the encryption can be broken.
- The offering of products such as Pegasus and their misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.
- The role of non-state actors with support from rogue nations or even criminal syndicates is also not out of question.
Security and privacy breach
- Clearly, the potential revelations are worrying a large section of social media users about the confidentiality and integrity of the networks, which is the basis of trust for most users.
- At the same time, the NSO Group’s claim about only working with specific security agencies across the world brings to the fore questions about the role of such agencies.
Government under question
- Some in India have been quick to jump the gun and blame the government and its ‘snooping’ networks.
- But, that is definitely not proven to be the situation yet, and both the MeitY and Ministry of Home Affairs have clearly said they played no role.
Snooping: an offence in India
- Any form of online interception, monitoring and decryption is well defined under the provisions of the Information Technology Act 2008 (IT Act) and the concomitant rules.
- These provisions clearly list the 10 agencies that can undertake such actions and the procedures for them, the competent authority who can order such an action being the Union Home Secretary.
- Even such authorised surveillance actions have to be reviewed by a committee, headed by the Cabinet Secretary, which meets at least once in two months.
- Likewise for States, the respective Home Secretary is the competent authority and the Chief Secretary heads the review committee.
- No such authorizations have been given by any of the competent authorities for the monitoring of the affected individuals in India for the period in reference.
Whom to blame, then?
- This is a clear case of willful hacking whose proportions warrant treating it as a cyber terrorism attempt; it calls for application of Section 66 (F) of the IT Act to deal with the perpetrators.
- To date, there have been three denials by the central government (from the Ministry of Electronics and Information Technology, the Ministry of Home Affairs, and CERT-IN, a technical body that probes cyber threats).
- The issue has brought to the fore the fear that emerging network access technology could also beat secure encryption, which remains the fundamental basis of user trust and, hitherto, privacy.
No national security without individual privacy!
We must all recognise that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware. This is a core part of our fundamental right to privacy.
- This intrusion by the spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.
- The security of a device becomes one of the fundamental bedrocks of maintaining user trust as society becomes more and more digitized.
- Such an approach belies appreciating the injury and threats to individuals and the country.
- There is an urgent need to take up this issue seriously by constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
- The alleged spying on Opposition leaders and activists in India reminds one of the illegal espionage in the Watergate scandal.
- Given that NSO claims it only sells to governments and the fact that it is mostly critics of the ruling dispensation who have been targeted, some people have alleged that it is the Indian government that was behind the snooping.
- In response, the Union Minister of IT alleged that the former Indian government had spied on the then chief of the Indian Army as well as the Union Finance Minister.
A note of caution
- Social media providers must stop chest-thumping, start investing in attribution solutions and be honest with users about the risks involved in their products.
- Such software must be strictly controlled and legal provisions must be inked, so that providers of such technologies are deterred.
- Needless to say, a relook at laws, technology and ethics is needed, preferably sooner rather than later.
- In the digital age, companies will emerge and operate in the grey areas of the intersection between technology and security to make a profit.
- But national security must not be used as a shield by either governments or private players to justify the violation of fundamental rights.
- It is incumbent on Parliament, the judiciary and Facebook, the company that owns WhatsApp, to plug the breach of privacy and nail those responsible for it.
- The Indian government must leverage its relationship with Israel to hold NSO to account.
- Since this attack involves users from quite a few countries, there is a greater need for global cooperation towards a concerted and coordinated investigation.
- The government has made it clear that it holds a sovereign right over the data of its citizens. The idea of data sovereignty must include a citizen’s right to privacy.
- It must punish anyone found guilty of unlawfully violating the privacy of Indian citizens.