Pegasus Spyware; Cyber Security Concern

Pratyaksha Rani
Article By Pratyaksha Rani | 4th Year Law student at SRM University, Delhi, NCR

INTRODUCTION

Pegasus is the software which is used to spy on people through their mobile phones. It is also considered as a malicious software or malware. It became popular from the year 2016. This software was formed by an Israel Tech Firm NSO Group. NSO stands for Niv, Shalev and Omri and it works for cyber research and cyber security and develops technology which prevent as well as investigate terror & crime. It was founded in the year 2010. The motive behind the formation of Pegasus is to spy on those people who are a threat to the nation and with the help of this software the government can prevent any terrorist activity for the welfare of the nation. Pegasus is considered to be the ultimate spyware for both android as well as iOS. Recently on June 30, 2021 the NSO Group has published a report regarding the transparency and responsibility with respect to Pegasus. In that report they stated that they provide the licenses for the Pegasus software only to the verified and authorized state agencies and not to the private agencies/individuals after the approval from the Israeli Ministry of Defense for the sole purpose of national security and law enforcement investigations and opposed its use for mass surveillance.

The major concerns behind Pegasus spyware were;

  • The detection of Pegasus spyware is impossible i.e.The person whose phone got Pegasus spyware was completely clueless about it.
  • It can affect both android and iOS devices which means there is no escape because millions of people over the globe use either of them.
  • It will take complete access to the phone which shows how dangerous it could be for the person whose phone was attacked with the Pegasus.

How it works- Every software had some kinds of error or faults in its operating system like a bug which is considered as a zero day vulnerability and the Pegasus spyware first find the bug or the weakness in the software of the operating system and then enter the device either through;

  • The one click method i.e., getting the access of the device by sending a link on the device and if the person click that link the device will open the doors for that hackers commonly known as phishing or,
  • The zero click method i.e., The attacker can get all the access to someone’s phone only through a missed call or a single message, the method of clicking the link by the users won’t be required.

And the same can be done by rooting in android devices and jailbreaking in iOS devices as it removes all the security controls of the device and finally gets complete access to the system. Mostly the cyber attacks were either done through phishing or distributed denial of services (DDoS) but in the case of Pegasus spyware the attacker had modified their techniques with the zero click tech.

After getting the complete access of the phone without the knowledge of its owner, the hackers can get all the information data stored in that device including photos, mails, chats etc except that the hackers can also turn on the audio or camera of the device and record the person through their phone.

Self Destruction Function- Pegasus spyware has a self destruction mechanism. It can get destructed in the following situations;

  • When the motive is achieved.
  • In the risk of exposure.
  • If the Pegasus does not communicate with its server from the affected device for 60 days/ customized time period.
  • NSO Groups were not allowed to attack any American mobile phones so if the person whose phone was under surveillance visited the US then also it got self-destructed.

 

Cost of Pegasus Spyware- According to various reports the estimated cost of Pegasus spyware had been released also the reports showed that the cost of Pegasus spyware is not uniform and it varies a lot. According to the documents submitted before the US court the price to establish Pegasus spyware is $ 8 million and an annual consideration amount is $ 176000 to the NSO Group in the year 2015-16, other media reports shows that Mexico has paid $ 32 million to spy 500 devices and Panama has paid $ 13.4 million to spy 150 devices also the New York Times report (2016) showed that the NSO Group had charged $ 650,000 plus 17% of total amount to spy 10 iOS devices.

PROJECT PEGASUS

Recently, the news regarding Pegasus spyware has spread all over the world and became a huge concern of cyber security as well as right to privacy. Although Pegasus spyware was in the media earlier, this project Pegasus had made it a global concern.

It is an international collaborative investigation project by 17 news organizations all over the world along with Paris based nonprofit forbidden stories and Amnesty International. The Wire was the Indian partner in this project. The list of 50,000 phone numbers was released from this investigation. This list includes the Head of states, activists, journalists etc from the countries like, Azerbaijan, Bahrain, Mexico, Hungary, Morocco, India, UAE, Kazakhstan and few others. Forensic tests were also done on 37 mobile phones in which 10 were Indians with regard to the project Pegasus.

According to the report of the wire over 300 Indian phone numbers were found on the list of project Pegasus which includes ministers, members of oppositions, journalists, judicial members etc. Name of few potential targets from India were; Rahul Gandhi along with his 5 close associates, Prashant Kishore, Abhishek Banerjee nephew of Mamta Banerjee, Prahlad Singh Patel (current minister of state for jal shakti), Praveen Togadia, Former CJI Ranjan Gogoi and many others except them phone number of 40 journalists were also mentioned in the list.

After the release of this investigation NSO Groups had also released certain reports;

  • Report related to the transparency and responsibility released on June 30, 2021 on the official NSO Group. It was the first report issued by the NSO Group regarding the disclosure of their essential facts and insight. They mentioned that they don’t sell their software to any private entities or individuals, they only sell their software to the governmental agencies after the approval. Also they had developed this Pegasus not for mass surveillance.
  • Then the second report issued by the NSO Group was on July 18, 2021. This report states that all the accusations made by forbidden stories were false and the reports made by them were completely made up of wrong assumptions and uncorroborated theories. They also made a statement in their report that they deny all the false allegations by forbidden stories and mentioned that they were not associated with the Jamal Khashoggi murder. Further, they mentioned that they only sell their software to the vetted government for the sole purpose of preventing terrorism in the nation.
  • Recently, on July 21, 2021 NSO Group had again issued a report stating that they will not respond to any media inquiries also they stated that the list issued by the project Pegasus is not a list of targeted potentials of Pegasus and any claim related to such list will be false. Further, states that their company doesn’t operate the system but they have the information for investigation.

INDIAN LEGAL PROVISIONS FOR SURVEILLANCE

There are two primary legislations which provide the provisions for legal interception of mobile phones through the Indian government.

 

  • The Telegraph Act, 1885

This act deals with the interception of phone calls. Section 5(2) of this act provides the provision that mentions certain situations under which the central & state government can conduct the surveillance i.e., in case of ‘Public Emergency’ or in the interest of ‘Public Safety’. But there are certain grounds available for such surveillance which can be also considered as the reasonable restriction;

  • When there is threat to the sovereignty and integrity of the India
  • For the security of the state
  • For the friendly relationship with foreign states
  • If there is a threat on law & orders or in the interest of public order
  • For immediate incitement of the commission of an offence.

On these grounds and conditions the Indian government is permitted to intercept mobile phones. Although the act has also provided certain safeguards provisions with respect to protecting the fundamental rights to free speech for every journalist.

Case: People’s Union for Civil Liberty Case[1]https://www.nsogroup.com/news/

In this case the provisions of Telegraph Act, 1885 were challenged, and the Supreme Court had stated the importance of the right to individual’s privacy. It was held in this case that government surveillance can threaten the privacy of an individual person. This case further declared the right to privacy as a fundamental right[2]https://m.thewire.in/article/government/project-pegasus-journalists-ministers-activists-phones-spying/amp.

Further, in the year 2007 the Rule 491 had been included in the Telegraph Rules which states that any order related to the interception of any mobile phone need to come from the Home Secretary and also mention the establishment of a review committee to review an order issued by the home secretary.

 

  • The Information Technology Act, 2000

This act deals with the surveillance of all kinds of electronic communication. Sec 69 of the act provides the provisions in the favor of Indian government with respect to any electronic surveillance in the country. It states about the interception, monitoring of digital information for the purpose of investigation of an offence. These provisions don’t mention any grounds related to public safety or emergency.

VIOLATION OF HUMAN RIGHTS & LIBERTY

The mass surveillance through Pegasus spyware has become very controversial issues especially after Project Pegasus. The list issued by the Project Pegasus mentions the names of potential targets including opposition leaders, journalists, judicial members, Human rights activists etc. The potential targets were mainly those persons whose fundamental rights related to speech and privacy needs to be protected but such surveillance is definitely an infringement of those rights. Except that the following fundamental rights were violated through the malware;

Article 19 of the Indian Constitution- Article 19 provides certain rights to the citizens which includes 6 freedoms to enjoy various liberties;

  1. Freedom of speech and expression
  2. Right to assemble peaceably & without arms
  3. Right to form association or union
  4. Right to move freely all over the territory of India
  5. Right to reside and settle in any place within the territory of India
  6. Right to practise any profession or to carry on any occupation, trade or business

This Article 19 considered the backbone of part-III of the Indian Constitution. Although the article is not absolute because it provides rights to the state to impose reasonable restrictions on the grounds of; Sovereignty & integrity of India, Security of the state, Friendly relationship with the foreign state, public order, Decency/Morality, Contempt of Court, Defamation, Incitement of an offence. Thus this article provides every citizen freedom to enjoy their rights and any form of surveillance upon the citizens of India is violating their freedom/rights conferred under this Article.

 

Freedom of speech and expression- This freedom itself includes few rights of a citizen like they can receive any information, they can express their views or ideas and they can also keep any communication as a secret and if the government without reasonable cause conducts any surveillance upon the citizen then it leads to the violation of the same.

 

Freedom of Press- This freedom is provided to the press reporters, journalists, news publishers and the peoples who else are related to press so that they can express their views or ideas and to avoid the doctrine of the chilling effect. This freedom of press is included under Article 19 of the constitution because Article 19 has been influenced from the U.S Constitution 1st amendment that states ‘Freedom of Speech or of Press’. Also freedom of press is a species of freedom of speech and expression and its rights were also included under the provision of Article 19 of the Constitution[3]https://www.thequint.com/amp/story/news/law/pegasus-spyware-decoding-whatsapps-legal-battle-against-nso.

 

Article 21 of the Indian Constitution- The Article states that ‘No one shall be deprived of life and personal liberty, except according to the procedure established by law’. The scope of world life is very wide. It includes several rights like right to education, right to health, right to privacy etc.

 

Right to Privacy- The provisions with respect to privacy were dealt u/a 21 of the constitution. Right to privacy can include the aspects like protection of bodily integrity, personal autonomy, protection from unreasonable state surveillance, dignity, confidentiality etc. Now there are several international treaties, conventions which mentions the provisions related to the protection of human privacy such as; Article 12 of the Universal Declaration of Human Rights, 1948, Article 17 of the International Covenant on Civil and Political Rights (ICCPR), 1966, Article 7 & Article 8 of the Charter of Fundamental Rights of the European Union, 2012. The report showing mass surveillance against the politicians, journalists, and others is a violation of their privacy as the right to life is not a mere animal existence, if there is any form of unauthorized disturbance it will lead to the violation of privacy[4]https://www.hindustantimes.com/india-news/petition-in-sc-for-court-monitored-probe-into-pegasus-scandal-101626954659447-amp.html.

Case; K.S Puttaswamy vs. Union of India[5]https://amp.scroll.in/article/1000754/pegasus-spyware-how-does-it-work-and-how-can-you-tell-if-your-phone-is-at-risk

It was stated in this case that the breach of individual’s privacy can only be done on the following grounds; First the state must be sanctioned by law, there should be test of necessity & proportionality, there must be some legitimate state aim for such actions and there should be a procedural guarantees against the abuse of such power. It was this case which mentioned where clearly the right to privacy is integral to the right to life conferred u/a 21.

 

Facebook vs. NSO Group

In the year 2019 WhatsApp has lodged a suit against NSO Groups for infecting 1400 whatsApp user’s devices with Pegasus spyware in which 100 devices belong to the politicians, journalist, Human Rights defenders, lawyers etc before the California Court. Facebook had alleged the NSO group for developing the Pegasus spyware which is a threat to data privacy and human lives. WhatsApp had filed the case under US Computer Fraud and Abuse Act (CFAA) which was enacted[6]https://www.livelaw.in/top-stories/supreme-court-pegasus-snooping-rowsenior-n-ram-sashi-kumar-probe-in-to-pegasus-snooping-row-178198 to prevent intentional access of a computer without authorization or in excess of authorization, The California Comprehensive Data Access and Fraud Act and u/s 502 of the California Penal Code for the breach of contract & trespass. Sec 502[7]https://www.hindustantimes.com/india-news/petition-in-sc-for-court-monitored-probe-into-pegasus-scandal-101626954659447-amp.html deals with the provisions related to unauthorized computer access. Further, WhatsApp had demanded compensation for the violation of data privacy and breach of contract between WhatsApp and its user’s. On 2 March 2020 the court had issued a default notice against NSO Group for its nonappearance before the court.

NSO Groups Arguments; In the matter of default notice NSO had argued that WhatsApp didn’t serve the adequate notice and presented a false statement before court for the same. NSO had further denied all the allegations made by the whatsapp and considered them as baseless allegations. They claim that their company only develops the technologies for the welfare of the society/nation and which are helpful for the nation to fight against terrorism. And further they asked the court to dismiss the case on the grounds of ‘Sovereign Immunity’.

In reply to the NSO argument Whatsapp had made a statement that NSO Group works as a third party entity and not as a state agency so, it cannot claim the sovereign immunity under this case.

The California Court dismissed the NSO claim for Sovereign immunity and ruled the case in favour of WhatsApp[8].

NSO Group had challenged the ruling before the US 9th Circuit Appellate Court; the case is still pending in the court.

Recently in December 2020 Microsoft as well as Google has joined Facebook in the suit against NSO for the cyber attack. Organisations like Internet Association, GitHub and Linkedin also became a part of the suit.

INDIAN LEGISLATIVE APPROACH ON PEGASUS SPYWARE

Numbers of statements were made by the Indian minister’s in the matter of mass surveillance through the malware.

Indian government had filed an RTI reply in 2019 stating that there is no such information received to the cyber and information security division of the home ministry. Although they had neither confirmed nor denied the facts that they had used the malware. Further if we see the response of Indian government over the Pegasus spyware then they clearly declined any unauthorized/unlawful surveillance.

Till now three petitions has been filed in the Supreme Court of India against the Pegasus spyware;

  • The petition filed by the Adv. Manohar Lal Sharma before the Supreme Court for the Special Investigation Team (SIT) in the matter of usage of Pegasus spyware by the government to spy on journalists, opposition leaders and other peoples. The petition mentioned that usage of such malware raises a question upon the risk related to national security and hence it became a matter of grave concern and it’s a threat to the Indian democracy, judiciary & security and also the violation of right to privacy.
  • Another petition was filed by the Rajya Sabha MP John Brittas before the Supreme Court for the appointment of a Special Investigation Team (SIT) against the mass surveillance report. The petition mentioned that Pegasus spyware is abuse of state surveillance power as it involves the violation of Fundamental rights to privacy.
  • On July 27, 2021 N. Ram and Sashi Kumar had filed a petition before the Supreme Court for an independent inquiry by the Supreme Court sitting or retired judges against the mass surveillance done through Pegasus. Also the petitioner had asked the government to disclose that they had a license for Pegasus spyware and they had used the same for any kind of surveillance upon the peoples.

 

In July 2017, a committee was established to examine the issues related to data protection in India headed by Justice B. N. Srikrishna and in 2018 the committee had submitted a report as well as a draft ‘Personal Data Protection Bill, 2018’ before the ministry of electronics and IT. Further in the year 2019 the objects and reason behind this bill has been introduced. This bill will provide various provisions related to data protection and privacy. However, this Personal Data Protection Bill is still pending in the parliament.

 

CONCLUSION

We are living in a fully technology based era in which everybody is connected to the technologies and the most common among them is mobile phones. Taking a reference from the current COVID-19 pandemic everything from education to working is done through these technologies like mobile phones, laptops etc. According to GSMA real-time intelligence data almost 5.27 billion people were using mobile phones all over the world which can be estimated as 67.03% of the world’s population. Looking into the statistics we can assume that why Pegasus spyware had become a global concern as well as a political controversy.

No doubt state surveillance for national security is of utmost priority for a country but surveillance for spying on someone for reasons other than nations security is a violation of constitutional rights and an infringement of data privacy.

List issued through the 17 news organizations under Project Pegasus which includes the names of politicians, journalists, activists etc although it was not confirmed that they were the potential targets of Pegasus spyware but certainly it marked a question upon the democracy of the country. Another thing is that there is an urgent need for certain strong data privacy laws to protect data security.

This article was written by Pratyaksha Rani, a 4th Year Law student at SRM University, Delhi, NCR. She may be reached at ranipratyaksha@gmail.com. The views and opinions expressed in the article are those of the author. They do not purport to reflect the views and opinions of Hello Counsel.

Share With Others

Kindly CLICK HERE, call our helpline at (+91) 98-712-712-05, or e-mail us at hellocounsel@gmail.com if you wish to talk to a lawyer or are facing any other Legal Issue and want to have Legal Consultations with the empaneled Lawyers at Hello Counsel.

Need A Lawyer? We Can Get You One.

Fill This Form If You Wish To Hire A Lawyer
Know More

Find A Lawyer

Fill This Form If You Wish To Retain A Lawyer
Know More

Retain A Lawyer

Like us? Leave us a review.

References

References
1 https://www.nsogroup.com/news/
2 https://m.thewire.in/article/government/project-pegasus-journalists-ministers-activists-phones-spying/amp
3 https://www.thequint.com/amp/story/news/law/pegasus-spyware-decoding-whatsapps-legal-battle-against-nso
4, 7 https://www.hindustantimes.com/india-news/petition-in-sc-for-court-monitored-probe-into-pegasus-scandal-101626954659447-amp.html
5 https://amp.scroll.in/article/1000754/pegasus-spyware-how-does-it-work-and-how-can-you-tell-if-your-phone-is-at-risk
6 https://www.livelaw.in/top-stories/supreme-court-pegasus-snooping-rowsenior-n-ram-sashi-kumar-probe-in-to-pegasus-snooping-row-178198

Leave a Reply

Your email address will not be published. Required fields are marked *