At the heart of this legal battle is NSO Group, the developer of Pegasus, a spyware tool of notorious capability. Pegasus has been repeatedly linked to state-sponsored surveillance campaigns targeting journalists, human rights activists, political dissidents, and even heads of state across the globe, transforming smartphones into pocket-sized spies. The U.S. court’s decision to hold NSO Group liable for its actions and impose substantial damages signifies a potential turning point. The sheer size of the penalty, combined with its status as the first U.S. jury verdict against a commercial spyware company, signals a shift in the landscape of accountability. NSO Group’s defence has often leaned on the argument that it sells only to sovereign governments, thereby attempting to deflect responsibility for how its tools are used. However, this verdict pierces that veil, holding the technology provider directly accountable for facilitating illegal acts. This suggests that the creators of such potent surveillance tools may no longer be able to easily evade responsibility for the abuse their products enable.

This article will dissect the Meta vs. NSO Group judgment, explore its implications for the shadowy spyware industry, and critically examine what this U.S. legal precedent means for India. The U.S. ruling, therefore, is not just a foreign legal development but a significant event with potential repercussions for India’s ongoing struggle for digital rights and accountability.

The verdict rings out: Meta’s gruelling six-year battle and NSO’s defeat

The culmination of a nearly six-year legal confrontation saw a U.S. federal jury in the Northern District of California order NSO Group to pay Meta Platforms approximately $167.7 million. This sum comprised $444,719 in compensatory damages, covering Meta’s costs in responding to the attack, and a colossal $167,254,000 in punitive damages, designed to punish NSO Group for its conduct and deter future wrongdoing.

This damages trial followed a crucial summary judgment by U.S. District Judge Phyllis J. Hamilton on December 20, 2024. In that earlier ruling, Judge Hamilton found NSO Group liable for violating the U.S. Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and for breaching WhatsApp’s terms of service. The case centred on NSO Group’s 2019 cyberattack, which exploited a vulnerability in WhatsApp’s audio calling feature. This flaw allowed NSO to covertly install its Pegasus spyware on the mobile devices of more than 1,400 WhatsApp users across the globe, including journalists, human rights activists, political dissidents, and diplomats.

Throughout the litigation, NSO Group employed a multi-pronged defence strategy, which was systematically dismantled by the U.S. courts. A cornerstone of NSO’s defence was the claim of foreign sovereign immunity, arguing that because it sells its spyware exclusively to government agencies, it should be shielded from lawsuits as an agent of those foreign states. This argument was consistently rejected by U.S. courts, culminating in the U.S. Supreme Court declining to hear NSO’s appeal on the matter. This series of rejections was pivotal, establishing that NSO Group, despite its governmental clientele, could indeed be sued in U.S. courts, particularly as evidence emerged that NSO utilized U.S.-based servers for its operations. NSO had long contended that U.S. courts lacked jurisdiction over its foreign operations targeting foreign victims, a claim significantly undermined by these rulings.

Furthermore, the NSO Group attempted to distance itself from the actual deployment of Pegasus, asserting that its government clients operate the spyware independently. However, court documents and trial testimony painted a different picture. Evidence, including sworn depositions from NSO employees, revealed the company’s direct involvement in the spyware’s installation and data extraction processes. Some employees even admitted to using WhatsApp to install spyware and continuing these activities even after Meta had filed the lawsuit. This direct operational role contradicted NSO’s narrative of being a passive technology provider.

The company also faced criticism and sanctions for its conduct during the discovery phase of the lawsuit, including its failure to produce the Pegasus source code as ordered by the court. In arguing against damages, NSO contended that Meta had suffered no actual financial loss, suggesting that employee salaries for remediation efforts would have been paid regardless of the attack and that WhatsApp’s servers were not physically damaged. The jury, however, sided with Meta, awarding the full amount of compensatory damages requested.

The crumbling of the “sovereign agent” facade is perhaps one of the most significant outcomes of this litigation. Spyware companies have historically hidden behind the argument that they merely sell tools to governments, thereby deflecting responsibility for any misuse. This verdict, by establishing NSO’s direct actions in deploying spyware and by piercing the sovereign immunity claim, creates a powerful precedent. It suggests that the creators of these potent surveillance tools can be held accountable in jurisdictions like the United States, especially if their actions involve U.S. infrastructure or violate U.S. laws. This development considerably increases the legal exposure for such companies on a global scale.

The composition of the damages award is also telling. The overwhelming proportion of punitive damages ($167.25 million) compared to compensatory damages ($444,719) indicates that the jury found NSO Group acted with “malice, oppression or fraud,” as noted in the court’s findings. Compensatory damages are intended to cover actual losses incurred by the plaintiff. Punitive damages, on the other hand, are designed to punish the defendant for egregious conduct and to deter similar behaviour in the future. The jury’s decision to award such substantial punitive damages sends an unequivocal message that NSO’s conduct was not merely illegal but profoundly reprehensible. This financial blow is aimed squarely at NSO Group and, by extension, the broader spyware industry, signalling that such activities will incur severe financial penalties that go far beyond merely covering the victim’s direct costs. This could make the business model of such companies, some of which, like NSO, are already reported to be under financial strain, far riskier and less tenable.

Pegasus unveiled: The “ghost” in the machine and its modus operandi

Pegasus is not just any spyware; it is a highly sophisticated tool engineered to infiltrate both iOS and Android devices, the dominant mobile operating systems globally. Its notoriety stems significantly from its “zero-click” exploit capabilities. This means Pegasus can be surreptitiously installed on a target’s device without requiring any action from the user – no need to click a malicious link, open an infected attachment, or even answer a call. The spyware can be delivered silently, for instance, through a missed WhatsApp call or a specially crafted message that doesn’t even need to be opened by the recipient.

Once installed, Pegasus effectively hands over complete control of the compromised device to the attacker. It can access a vast trove of personal and sensitive information, including encrypted messages (either by intercepting them before encryption on the sending device or by reading them after decryption on the receiving device), emails, photos, videos, call logs, contact lists, GPS location data, and stored passwords. Furthermore, Pegasus can remotely and covertly activate the device’s microphone and camera, turning the phone into a live surveillance device, all without the owner’s knowledge or consent. During the U.S. trial, NSO Group executives themselves conceded that Pegasus is capable of vacuuming up “every kind of user data on the phone”.

NSO Group has consistently maintained a specific narrative about its business model. The company claims that its flagship product, Pegasus, is sold exclusively to vetted government security and law enforcement agencies. The stated purpose, according to NSO, is to aid these agencies in legitimate activities such as conducting rescue operations and combating serious criminals, including terrorists, money launderers, and drug traffickers.

However, this official line stands in stark contrast to the findings of numerous independent investigations conducted by organizations like the University of Toronto’s Citizen Lab, Amnesty International, and various international media consortia, including the Pegasus Project. These investigations have meticulously documented the widespread use of Pegasus against unintended targets: journalists attempting to hold power accountable, human rights activists defending fundamental freedoms, lawyers representing sensitive clients, political opponents challenging incumbent regimes, and even heads of state. The trial also revealed that NSO Group invests heavily in its offensive capabilities, with executives admitting to spending tens of millions of dollars annually to develop sophisticated malware installation methods. The price tag for such capabilities is correspondingly high; for instance, NSO reportedly charged European government customers up to $7 million for the ability to hack just 15 devices, with additional costs for targeting devices internationally.

The glaring disparity between NSO Group’s stated purpose for Pegasus and the documented reality of its deployment against civil society effectively exposes the fallacy of the “dual-use” argument often employed for such powerful technologies. NSO’s defence consistently hinges on the supposed legitimacy of its clients and the intended use of Pegasus against “serious crime and terrorism.” However, the evidence presented during the trial, coupled with a vast body of independent research, points to a persistent pattern of abuse. This discrepancy suggests one or a combination of possibilities: NSO’s vetting processes for its government clients are woefully inadequate, its contractual controls designed to prevent misuse are ineffective or unenforced, or the company is wilfully blind to, if not complicit in, the misuse of its spyware by these clients. The argument that such tools have both legitimate and illegitimate uses – the “dual-use” defence – often crumbles when the technology in question is as inherently invasive as Pegasus and the oversight mechanisms are minimal or absent.

Moreover, the very existence, development, and marketing of a tool like Pegasus, capable of achieving total and covert compromise of a personal device, indicates a dangerous global trend towards the normalization of extreme surveillance capabilities. The fact that NSO Group could successfully develop and sell such a product to numerous governments worldwide suggests a significant global appetite for these intrusive powers. The technical sophistication of Pegasus, particularly its zero-click infection vectors, means that traditional cybersecurity defences employed by average users are often rendered useless. This creates an environment where the reasonable expectation of digital privacy is severely eroded, potentially casting a chilling effect on free speech, association, and dissent, even for individuals who are not directly targeted but fear they could be.

Turning point for spyware accountability?

The verdict against NSO Group is a landmark precedent in the fight against the unregulated proliferation of commercial spyware. It is the first U.S. jury verdict against a commercial spyware company and, significantly, the first U.S. verdict against NSO Group itself. The financial award also represents the largest reported verdict in a civil case brought under either the Computer Fraud and Abuse Act (CFAA) or the California Comprehensive Computer Data Access and Fraud Act (CDAFA).

The judgment is anticipated to have a significant impact on the broader spyware industry. Meta, in its statement following the verdict, emphasised that the ruling acts as a “critical deterrent to this malicious industry”. The success of Meta’s lawsuit may embolden other victims of spyware, whether individuals or corporations, to seek legal recourse against spyware vendors. Furthermore, the ruling could make it considerably harder for spyware companies to hide behind “plausible deniability” regarding the use of their products. This, coupled with the substantial financial penalty, is likely to lead to increased legal and financial risks for the industry, potentially affecting investment, operational strategies, and the overall viability of businesses built on selling such intrusive technologies.

This legal victory also serves to empower technology platforms in their efforts to protect their users and systems. It validates the legal strategy employed by tech companies like Meta, which utilized anti-hacking statutes such as the CFAA to hold spyware developers accountable for exploiting their platforms. Demonstrating a commitment beyond mere financial compensation, Meta has announced its intention to donate the damages recovered from NSO Group to digital rights organizations that are actively working to combat surveillance abuses and protect vulnerable users. This action is part of a growing trend where major technology companies, including Apple, which has also filed its own lawsuit against NSO Group, are taking a more proactive and aggressive stance in combating the commercial surveillance industry through both legal challenges and technical countermeasures.

The outcome of the Meta vs. NSO case signals a potential shift in the power dynamics that have characterized the surveillance technology landscape. For years, spyware firms like NSO Group operated largely in the shadows, their actions difficult to definitively prove and their legal standing often ambiguous due to claims of sovereign immunity and client confidentiality. Technology platforms, whose services were exploited as vectors for spyware delivery, were often in a reactive posture. This verdict, however, building upon the crucial judicial rejection of NSO’s sovereign immunity claims, empowers these platforms. They can now more confidently leverage their considerable legal and technical resources to proactively protect their ecosystems, thereby making it more costly and legally perilous for spyware vendors to target mainstream communication platforms.

The case also inadvertently highlights the role of the U.S. legal system as a, perhaps reluctant, enforcer of global digital rights. This is also a consequence of the geographical concentration of major technology company headquarters and critical internet infrastructure, including servers, within the United States. When global communication platforms, many of which are U.S.-based, find their terms of service violated or their U.S.-located servers accessed without authorization for the purpose of deploying spyware, it provides a jurisdictional hook for legal action within the American judicial system. While the outcome in the Meta vs. NSO case is viewed positively by digital rights advocates, it does raise broader questions about the sustainability and global desirability of relying predominantly on one nation’s courts to address what inherently international issues of spyware abuse are. This underscores the pressing need for enhanced international cooperation and the development of stronger, harmonized national laws elsewhere to combat this menace effectively.

Finally, the substantial financial penalty imposed on NSO Group, particularly the massive punitive damages award, underscores the potential of economic deterrence as a key weapon against the spyware industry. NSO Group has been reported to be facing significant financial difficulties, including being placed on a U.S. government blacklist that restricts its access to American technology and markets. A judgment of nearly $168 million could indeed be a fatal blow to an already struggling entity. This suggests that economic pressure, exerted through sanctions, large civil penalties, and divestment campaigns, might be one of the most effective tools to curb the proliferation of commercial spyware, especially since ethical appeals or reliance on the discretion of client governments have, to date, proven largely insufficient.

The Indian Connection: Pegasus shadows loom large over democracy

The NSO Group’s activities, as detailed in the U.S. court proceedings and prior investigations, have a significant and alarming Indian connection. Court documents related to the Meta lawsuit revealed that India was the second-most targeted country in the 2019 WhatsApp hacking campaign, with over 100 Indian users identified as victims. The list of those targeted in India reportedly included journalists, human rights activists, lawyers, and politicians, mirroring the global pattern of Pegasus deployment against civil society figures rather than solely against criminals and terrorists as NSO Group claims.

These findings were amplified by the Pegasus Project revelations in 2021. This collaborative investigative effort by international media organizations, based on a leaked list of potential surveillance targets, indicated that around 300 phone numbers in India were of interest to NSO’s clients. The Indian list controversially  included serving ministers, prominent opposition leaders such as Rahul Gandhi, political strategists like Prashant Kishor, numerous journalists including Siddharth Varadarajan of The Wire, activists such as Umar Khalid, a former Election Commissioner, Ashok Lavasa, who had flagged poll code violations by the Prime Minister, and even sitting Supreme Court judges.

Amnesty International’s Security Lab has conducted forensic investigations that further substantiate these concerns. Their findings confirmed repeated targeting of Indian journalists. Siddharth Varadarajan, for instance, was found to have been targeted with Pegasus in 2018 and then again in October 2023. Another journalist, Anand Mangnale, South Asia Editor at The Organised Crime and Corruption Reporting Project (OCCRP), was targeted in August 2023 with a sophisticated zero-click exploit delivered via iMessage while he was reportedly working on a story about alleged stock manipulation by a large Indian conglomerate.

In response to the widespread outcry following the Pegasus Project revelations, the Supreme Court of India intervened in October 2021. Recognising the gravity of the allegations, the Court constituted an independent technical committee, headed by retired Supreme Court Justice R.V. Raveendran, to investigate the claims of Pegasus surveillance.  This committee submitted its report in a sealed cover to the Supreme Court in August 2022. Out of the 29 phones analysed by the Technical Committee, just five showed signs of malware — and even in those cases, there was no clear evidence linking it to Pegasus, as per the three-part report presented to the Court by the Justice R.V. Raveendran committee. Crucially, the CJI NV Ramana (as he was then) also made a significant observation: the Indian government “did not cooperate” with the technical committee’s investigation.

The full contents of the technical committee’s report remain sealed and have not been made public.

The Indian government’s official stance on the Pegasus allegations has been one of consistent denial of any unauthorised interception by its agencies. Statements from the Ministry of Electronics and Information Technology (MeitY), including those made by Union Minister Ashwini Vaishnaw, have dismissed the reports as attempts to “malign Indian democracy and its well-established institutions”. The government has asserted that existing legal frameworks, such as the Indian Telegraph Act and the Information Technology Act, provide sufficient checks and balances against illegal surveillance. However, MeitY, through CERT-In (Indian Computer Emergency Response Team), was reportedly informed by WhatsApp about the Pegasus breach affecting Indian users as early as September 2019, raising questions about the timeliness and transparency of the government’s subsequent public responses.

More often than not, the government has invoked “national security” as a reason to avoid confirming or denying the procurement or use of Pegasus spyware. During Supreme Court hearings, the Solicitor General of India argued that “terrorists cannot claim privacy rights.” This sentiment was, to some extent, echoed by one of the judges who remarked, “What is wrong if the country is using spyware?… Using against whom is the question?”. These statements have fuelled concerns among civil liberties advocates that the national security argument is being used to shield potentially unlawful surveillance activities from scrutiny.

The Indian government’s persistent invocation of “national security” to sidestep transparency regarding Pegasus use, particularly its documented non-cooperation with the Supreme Court-appointed technical committee, presents a stark contrast to the detailed evidence and rigorous judicial scrutiny observed in the U.S. legal proceedings against NSO Group. While national security is undeniably a legitimate concern for any state, its deployment as a blanket justification to prevent any meaningful disclosure about the use of highly invasive spyware against a wide range of citizens—including journalists, opposition figures, and potentially even members of the judiciary—raises profound questions about democratic accountability and the potential for abuse of power. The U.S. verdict, which meticulously details the illegal hacking mechanisms employed by NSO, makes the Indian government’s opaque and defensive stance increasingly difficult to sustain, as the spyware tool itself has now been judicially recognized in a foreign court as problematic and its vendor held liable for its misuse.

The repeated and continued targeting of journalists in India, as confirmed by forensic analysis even after the initial Pegasus revelations and the Supreme Court’s intervention, suggests a brazen and deeply concerning attempt to suppress dissent and investigative journalism. When journalists investigating sensitive matters, such as allegations of financial misconduct by powerful entities, find themselves under state-sponsored surveillance, it sends a potent chilling message to the entire media community. This transcends individual privacy violations; it constitutes an assault on the freedom of the press, a cornerstone of any functioning democracy. The persistence of such targeting implies that the perpetrators feel a disturbing sense of impunity within the domestic Indian context.

The situation also presents a tale of two judiciaries and, by extension, two executive approaches. The proactive stance of the U.S. judiciary in holding NSO Group accountable, significantly aided by a well-resourced corporate plaintiff like Meta, contrasts sharply with the Indian Supreme Court’s current position. The Indian Court appears to be treading a cautious path, attempting to balance national security claims against individual queries about surveillance, a task made more challenging by the executive branch’s non-cooperation. While the U.S. case benefited from Meta’s considerable resources and clear legal standing as an aggrieved party whose platform was abused, in India, the petitioners are often individuals, under-resourced rights groups, or journalists. The Indian Supreme Court’s cautious handling of the sealed technical committee report and the government’s steadfast refusal to cooperate highlight systemic challenges in achieving accountability domestically. The fact that MeitY was reportedly informed of the WhatsApp breach affecting Indian users as far back as September 2019, yet the government’s public narrative and actions did not appear to reflect this urgency or information, further underscores this accountability deficit. The U.S. verdict might provide Indian petitioners with stronger international legal and moral backing, but overcoming domestic institutional hurdles remains a formidable challenge.

VI. Echoes in Delhi: How the US verdict resonates in India’s Pegasus saga

The U.S. District Court’s comprehensive findings against NSO Group and the subsequent multi-million dollar damages award are poised to have significant reverberations in India, where the Pegasus spyware controversy continues to simmer. The U.S. court’s meticulous detailing of NSO’s illegal activities and the intrusive nature of Pegasus spyware provide substantial evidentiary and moral support for petitioners currently before the Indian Supreme Court. Indeed, during hearings in April 2025, Senior Advocate Kapil Sibal, representing one of the petitioners, explicitly cited the U.S. judgment, highlighting the court’s observation that India was among the countries where WhatsApp users were targeted by Pegasus. The detailed revelations from the U.S. trial concerning NSO Group’s operational methods and its direct involvement in deploying the spyware can be leveraged to counter claims that the spyware’s use is solely determined by client governments without NSO’s active participation or knowledge.

This international legal precedent is likely to fuel fresh and more vociferous demands for transparency and accountability from the Indian government. Opposition parties, such as the Congress party which has already called for Supreme Court-monitored probes based on U.S. court revelations , along with civil society organizations; and various digital rights advocates, are expected to intensify their calls for the Indian government to: first, unequivocally state whether it procured and deployed Pegasus spyware; second, consent to a truly independent and transparent investigation into the allegations; and third, make the Supreme Court-appointed technical committee’s full report public, allowing for informed public debate and scrutiny.

The U.S. judgment also presents a formidable challenge to the broad “national security” argument frequently invoked by the Indian government to justify opacity surrounding the use of Pegasus. By laying bare the illicit hacking mechanisms of Pegasus and its deployment against ordinary citizens such as journalists and activists, the U.S. court’s findings weaken the credibility of using an all-encompassing national security pretext to shield such surveillance from any form of oversight in India. If the tool’s mode of operation is deemed illegal by a U.S. court when used against similar profiles of individuals, its alleged use in India under a vague and unsubstantiated national security rationale becomes increasingly questionable and harder to defend both domestically and internationally.

Ultimately, the U.S. verdict indirectly places India’s own democratic institutions—particularly its judiciary and parliamentary oversight mechanisms—under a critical test. If a foreign court, driven by a corporate plaintiff, can achieve a significant degree of accountability against the NSO Group, the question inevitably arises: why are Indian institutions apparently struggling to achieve similar accountability regarding the use of Pegasus within India’s borders? This focuses uncomfortable attention on the independence, efficacy, and resilience of these institutions when confronted with executive power and sweeping claims of national security. The Indian Supreme Court’s next steps in the Pegasus matter, with hearings scheduled for July 30, 2025, will be very closely watched in this context.

Conclusion

The broader struggle against illicit surveillance and the misuse of powerful espionage technologies is far from over. It requires sustained, multifaceted efforts from technology companies committed to protecting their users, from a vigilant and courageous civil society, from international bodies striving to establish global norms, and, most crucially, from national governments willing to uphold the rule of law and safeguard fundamental human rights in the increasingly complex digital age. The path to effectively reining in the global spyware menace is undoubtedly long and arduous, but the Meta-NSO verdict offers a crucial milestone, a tangible victory for a future where digital technologies empower rather than oppress.

(The author is part of the legal research team of the organisation)

Related:

Pegasus case: SC appointed Committee says GoI not cooperating

Pegasus scandal: Did GoI engage in an elaborate cover-up?

State can’t get free pass every time spectre of “national security” is raised: SC in Pegasus case

The post US court slams spyware giant NSO with $168M Fine: a reckoning for Pegasus and implications for India appeared first on SabrangIndia.

An online discussion titled “India’s Deep State: Is Any Citizen Safe?” that analysed “Implications of Pegasus Project, targeted surveillance, violation of privacy by Indian Gov’t” organised by Network of Women in Media, India (NWMI) and SabrangIndia, brought together domain experts and journalists to examine the veritable can of worms opened in wake of shocking disclosures in the Pegasus spyware scandal.

Brief background of the Pegasus Project

Investigations into the ‘Pegasus Project’ began four months ago, when non-profit French organisation Forbidden Stories, that supports investigative journalism, suspected that Indian journalists’ phones were targeted. They got in touch with MK Venu and Sidharth Varadarajan, founding editors of The Wire. They were among the Indian whose phones were said to be infected with the Pegasus spyware.

The Wire joined the global investigations that came to be known as the Pegasus Project which was launched by the Forbidden Stories and Amnesty International. The list of Indian ‘targets’ of the Pegasus malware that Forbidden Stories had uncovered in India, was shared with The Wire. The ongoing investigation, and forensic analysis has so far confirmed that 10 phones of journalists have been ‘fully infected’, said Venu.

Many on the list gave their phones for testing, many more are yet to do so. Fear still reigns supreme on the minds of many of those who are on the ‘list’ of those who may have been subjected to surveillance. The vulnerability runs deep, as the total number of those whose phones may be infected is higher than those disclosed so far.  

The global ‘Pegasus Project’ investigation by Forbidden Stories and Amnesty International has revealed how the citizens “deemed by their governments to be a threat” as well as their families and associates have been subjected to surveillance. Also on the list interestingly are ministers, jurists and even regular citizens. The government’s official statement has been a denial and accusing the news investigations as an attempt ‘to malign Indian democracy and its well-established institutions.’ India so far seems far from initiating an official investigation, even though West Bengal Chief Minister Mamata Banerjee has set up an enquiry committee helmed by Justice (retd) MB Lokur and Justice (retd) Jyotirmay Bhattacharya to probe the Pegasus attack.

Shocking revelations, pertinent questions

“Prashant Kishore’s phone was fully infected,” said Venu who was one of the key speakers at the online discussion organized on Monday July 26, 2021, adding that the investigation was ongoing. There is a “shocking list of army guys, a BSF general who was a part of a border system management team, a CBI director,” he added, highlighting that it was “odd that the Government was in a denial mode”. As the government has so far denied having anything to do with the Pegasus malware, and has said it has not bought it, according to Venu it has “painted itself into a corner”. 

The Indian targets, as multiple reports continue revealing names, include independent journalists, leading human rights activists, student leaders, scientists, professors, lawyers, politicians and prominent dissidents. Pegasus malware that enables remote surveillance of all models of mobile phones is sold by the Israeli-based NSO Group, “avowedly only to authorised governments, to combat terror and crime,” recalled Geeta Seshu founding co-editor of the Free Speech Collective and senior NWMI member. “We know the NSO clients were select, verified, authorised states and state agencies, including Azerbaijan, Hungary, Bahrain, Morocco, Saudi Arabia, Togo, Rwanda, Mexico and of course India,”’ said Seshu. She added that in India, the tool was used “not to combat terror or crime, but to conduct surveillance of well-known journalists, human rights activists, prominent dissenters, families of political prisoners, members of the ruling BJP, and even their house help. The tool was used to monitor the life of a woman and her family, after her complaint of sexual harassment against then chief justice Ranjan Gogoi.” Seshu asserted that over the last decade India had moved “inexorably towards becoming a surveillance state” adding that there still was no proper data protection law.

“France, Hungary, Israel, Mexico have announced enquiry. The Govt (of India) is now under pressure. It is a global issue,” said Venu, adding that “WhatsApp was also infected by Pegasus in 2019.” 

Out of the 20-21 phones of Indian journalists tested, Venu said, “10 were found to be fully infected. That amounts to a 50 percent strike-rate. As [Edward] Snowden had said that 50 percent was a significant strike rate.”

However, the official denial of any government involvement has led to another crucial question. According to Venu, as many “editorials pointed out that if the spyware was not actioned by the govt then all the more reason to investigate. It is a cyber attack by a foreign power.” Many journalists who are on the Pegasus list, may go to court.  

According to Mishi Choudhary, technology lawyer and civil liberties activist, who is the Legal Director of the New York based Software Freedom Law Centre there are “at least 500 software companies that sell spyware to oppressive regimes, worldwide”. However, even though India is witnessing a massive cyber-attack against civilians, she said the denials are coming from the government itself. Choudhary added that the civilians attacked by the malware “are those who incarnate democracy,” yet in India it is seen as “somewhat legal” as “everything in the name of digital India is online. This is a malicious software installed on devices that are now the life and blood of everything. You can’t get ration, covid vaccine without apps.”

Spyware and the Bhima Koregaon Case

Noted lawyer, human rights activist Mihir Desai connected the dots on how such surveillance, data mining, has in fact “reached planting evidence as we saw in Bhima Koregaon case.” He said the “challenge to surveillance is based on the right to privacy” and emphasised, “Law does not allow planting of evidence. In the Bhima Koregaon case, the Arsenal report mentioned that malware could have been easily detected.” Desai recalled that now “no one knows if their phone is hacked. It is real-time tapping,” and that the weak Data Protection Bill is still pending in Parliament.

“We know mobile systems are not secure. We are perhaps the only democracy that has no judiciary oversight on surveillance,” added Choudhary revealing that according to 2014 information, “around 7,500 phones were tapped every month” in India. That was the last year such information was shared. “There were three surveillance projects started under [Congress led] UPA. It doesn’t matter which party is in power, there is a desire to control,” she said, adding that a case was filed in Delhi High Court and letters written to the standing committee on IT, in 2019, however there is no news of any report on that yet. “World over moratoriums are being imposed. Face recognition is recognised as dangerous. But India marches on,” said Choudhary, adding that “surveillance is putting society as a whole in danger.”

Privacy related litigation, oversight and accountability

Apar Gupta, lawyer and Executive Director of the Internet Freedom Foundation (IFF), who has filed several petitions in the Supreme Court on Internet-related policy issues that impinge on citizens’ rights said claims by NSO that Pegasus is used to survey legitimate criminal cases has no ground. “Pegasus goes far above ‘tapping or listening’. It’s not a passive attack but a malware attack,” said Gupta adding that in his legal opinion “Pegasus is a cyber weapon” that requires multiple clearances. 

Claims by NSO group do not stand to muster, said Gupta, adding that it was in 2019 when the first tranche of disclosures was made by Financial Times reportage, that several activists were notified by WhatsApp that their phones were intercepted. They had also deposed before the IT standing committee. The then [IT] minister Ravi Shankar Prasad had not given any clear answers, instead saying in Parliament that if anyone had a complaint, they could register a criminal case. 

Gupta recalled the primary justification by NSO in the Whatsapp Facebook case against it in a California court after the 2019 leak. Whatsapp had then claimed that there was “unauthorised access” to its systems that then undermined it. Gupta read out the Pegasus product description that is an exhibit in the California case that detailed how the ‘product’ [Pegasus] is only sold to governments and state agencies.

NSO had thus claimed “sovereign impunity”, as it only entered contracts with governments. Gupta then showcased an 8 million USD consideration in a contract between NSO and the government of Ghana, and detailed that the software itself is complex and requires “physical presence” of trained experts to be installed in the first place. WhatsApp had in 2019, submitted that NSO is a third-party entity and not a “state agency” and had no claim to sovereign immunity. According to news reports, the California court ruled in favour of WhatsApp in July 2020, and the NSO’s claim to sovereign immunity was dismissed. NSO has challenged this ruling and the case is pending. 

Gupta informed that there has been a subsequent filing by “seven international digital rights organisations” including the IFF, on behalf of victims who have suffered such surveillance.

“Absence of judicial oversight makes it more dangerous,” said human right defender, journalist and SabrangIndia co-founder Teesta Setalvad. She also pointed out how the matter could take a more sisnister direction. “The National Population Register (NPR) rules give power to officials at taluka levels to declare a person ‘non-citizen’”, explained Setalvad highlighting how bureaucratic powers are used. When Setalvad asked if privacy judgements can be used in the Pegasus case, senior lawyer Desai said while one can sue a person who invades privacy, the first problem is identifying who it is asking, “How will those governments who use spyware, issue a moratorium for the same?” Setalvad raised a crucial point. She drew a connection between the need for open and free coding asking, “Why are codes in EVM not made public?” 

A viewer asked if there was a way to block this software completely? According to Mishi Choudhary there isn’t one, but everyone can “indulge in preventive behavior”. She called for a public commentary on such tools, as the surveillance “is not ending anytime soon. There is going to be a constant struggle.” According to Choudhary, the role of private companies and how various applications enable invasion of privacy, should also be remembered, “we have built tech, but we end up paying for them with our civil liberties. We have to question if the apps are really helping us.”

Gupta demanded, “Victims of Pegasus need remedy as well. They need a certain degree of apology.”

“Energies, resources need to be channeled in saying ‘stop using tech against me’. Technology is always two steps ahead of regulation. Law two steps behind regulation,” added Choudhary.

Venu asked, “Pressure needs to be brought by the Opposition and the media. We cannot have bureaucrats deciding whether a media content should be censored or not. For tapping also, why should HM decide?”

According to Choudhary there is in fact a “need for global moratorium and international pressure” to be put on governments.

However, many questions remain:

• What is the extent of this surveillance?
• At what cost, in monetary terms, was it ordered?
• Where did the funds come from?
• Which agencies of the government have been deployed to conduct it and on what grounds?
• How does this surveillance affect the democratic rights of citizens to function freely and without threat to their personal and professional security? 

“The nature of the Indian state is changing in front of our eyes. There is no accountability,” said Setalvad calling for a need for “collective action, more discussions in non-English languages” as even the regional media is worried about Pegasus surveillance and they do not have the visibility of the mainstream English media. “Fear holds people back because people can see what this regime is capable of. Collective actions required to overcome the fear,” concluded Setalvad.

The entire discussion may be viewed here: 

Related:

Pegasus scandal: Justice Lokur part of West Bengal’s inquiry commission
Pegasus spyware trotting into ministers’ phones, who is next?
Another bullet from Arsenal pierces through NIA’s Bhima Koregaon case!
Handling of electronic evidence by agencies a perversion of criminal justice: CCG
Rona Wilson moves Bombay HC, demands probe into ‘planted evidence’

The post India’s Deep State: Is any citizen safe? appeared first on SabrangIndia.

West Bengal has reportedly formed a two-member inquiry commission to look into the Pegasus Project. According to Chief Minister Mamata Banerjee, this panel will investigate surveillance scandal where the spy software Pegasus was allegedly used to snoop on about 300 Indians including politicians, journalists, and human rights activists using the Israeli spyware Pegasus. The Commission consists of the former Supreme Court judge Madan Bhimrao Lokur, and former Calcutta High Court Chief Justice, Jyotirmay Bhattacharya.

The Indian Express quoted her saying, “We thought the Centre would form an inquiry commission or a court-monitored probe would be ordered to look into this phone-hacking incident. But the Centre is sitting idle…So we decided to form a commission of inquiry to look into the matter.” She added, “Names of people from West Bengal have figured on the Pegasus target list. The Centre is trying to snoop on everyone. The commission will find out details about this illegal hacking.”

As per some media reports, Banerjee had also urged the Supreme Court to take suo motu cognisance of this Pegasus spyware row, and had asked all opposition parties to form a united front against the central government without any delay.

Her nephew and Trinamool Congress Member of Parliament Abhishek Banerjee, has also appeared on a list of potential surveillance targets, as reported by The Wire. West Bengal is the first state to have formed such a committee to investigate this hacking scandal.

John Brittas, a Rajya Sabha Member has also moved the Supreme Court seeking a court-monitored probe into reports of alleged snooping.

Rajya Sabha member John Brittas has moved the #SupremeCourt seeking a court-monitored probe into reports of alleged snooping of activists, politicians, journalists and constitutional functionaries using Israeli spyware #Pegasus.https://t.co/YfGT7E5ubZ

— The Hindu (@the_hindu) July 25, 2021

Related:

Pegasus spyware trotting into ministers’ phones, who is next?

The post Pegasus scandal: Justice Lokur part of West Bengal’s inquiry commission appeared first on SabrangIndia.