US court slams spyware giant NSO with $168M Fine: a reckoning for Pegasus and implications for India

SabrangIndia, Tue, 27 May 2025 06:01:14 +0000
https://sabrangindia.in/us-court-slams-spyware-giant-nso-with-168m-fine-a-reckoning-for-pegasus-and-implications-for-india/

A landmark blow to the Global Surveillance Trade

On May 6, 2025, a U.S. court in California ordered NSO Group, an Israeli spyware company, to pay $168 million in damages. The judgment was the result of a lawsuit filed by Meta Platforms, the owner of WhatsApp. This was not merely the conclusion of a protracted corporate lawsuit; it marked a landmark moment in the global fight against the clandestine and often abusive world of digital surveillance. The verdict, a resounding victory for Meta, has sent shockwaves through an industry that has long thrived in the shadows, peddling powerful tools of espionage to governments worldwide.

At the heart of this legal battle is NSO Group, the developer of Pegasus, a spyware tool of notorious capability. Pegasus has been repeatedly linked to state-sponsored surveillance campaigns targeting journalists, human rights activists, political dissidents, and even heads of state across the globe, transforming smartphones into pocket-sized spies. The U.S. court’s decision to hold NSO Group liable for its actions and impose substantial damages signifies a potential turning point. The sheer size of the penalty, combined with its status as the first U.S. jury verdict against a commercial spyware company, signals a shift in the landscape of accountability. NSO Group’s defence has often leaned on the argument that it sells only to sovereign governments, thereby attempting to deflect responsibility for how its tools are used. However, this verdict pierces that veil, holding the technology provider directly accountable for facilitating illegal acts. This suggests that the creators of such potent surveillance tools may no longer be able to easily evade responsibility for the abuse their products enable.

This article will dissect the Meta vs. NSO Group judgment, explore its implications for the shadowy spyware industry, and critically examine what this U.S. legal precedent means for India. The U.S. ruling, therefore, is not just a foreign legal development but a significant event with potential repercussions for India’s ongoing struggle for digital rights and accountability.

The verdict rings out: Meta’s gruelling six-year battle and NSO’s defeat

The culmination of a nearly six-year legal confrontation saw a U.S. federal jury in the Northern District of California order NSO Group to pay Meta Platforms approximately $167.7 million. This sum comprised $444,719 in compensatory damages, covering Meta’s costs in responding to the attack, and a colossal $167,254,000 in punitive damages, designed to punish NSO Group for its conduct and deter future wrongdoing.

This damages trial followed a crucial summary judgment by U.S. District Judge Phyllis J. Hamilton on December 20, 2024. In that earlier ruling, Judge Hamilton found NSO Group liable for violating the U.S. Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and for breaching WhatsApp’s terms of service. The case centred on NSO Group’s 2019 cyberattack, which exploited a vulnerability in WhatsApp’s audio calling feature. This flaw allowed NSO to covertly install its Pegasus spyware on the mobile devices of more than 1,400 WhatsApp users across the globe, including journalists, human rights activists, political dissidents, and diplomats.

Throughout the litigation, NSO Group employed a multi-pronged defence strategy, which was systematically dismantled by the U.S. courts. A cornerstone of NSO’s defence was the claim of foreign sovereign immunity, arguing that because it sells its spyware exclusively to government agencies, it should be shielded from lawsuits as an agent of those foreign states. This argument was consistently rejected by U.S. courts, culminating in the U.S. Supreme Court declining to hear NSO’s appeal on the matter. This series of rejections was pivotal, establishing that NSO Group, despite its governmental clientele, could indeed be sued in U.S. courts, particularly as evidence emerged that NSO utilized U.S.-based servers for its operations. NSO had long contended that U.S. courts lacked jurisdiction over its foreign operations targeting foreign victims, a claim significantly undermined by these rulings.

Furthermore, the NSO Group attempted to distance itself from the actual deployment of Pegasus, asserting that its government clients operate the spyware independently. However, court documents and trial testimony painted a different picture. Evidence, including sworn depositions from NSO employees, revealed the company’s direct involvement in the spyware’s installation and data extraction processes. Some employees even admitted to using WhatsApp to install spyware and continuing these activities even after Meta had filed the lawsuit. This direct operational role contradicted NSO’s narrative of being a passive technology provider.

The company also faced criticism and sanctions for its conduct during the discovery phase of the lawsuit, including its failure to produce the Pegasus source code as ordered by the court. In arguing against damages, NSO contended that Meta had suffered no actual financial loss, suggesting that employee salaries for remediation efforts would have been paid regardless of the attack and that WhatsApp’s servers were not physically damaged. The jury, however, sided with Meta, awarding the full amount of compensatory damages requested.

The crumbling of the “sovereign agent” facade is perhaps one of the most significant outcomes of this litigation. Spyware companies have historically hidden behind the argument that they merely sell tools to governments, thereby deflecting responsibility for any misuse. This verdict, by establishing NSO’s direct actions in deploying spyware and by piercing the sovereign immunity claim, creates a powerful precedent. It suggests that the creators of these potent surveillance tools can be held accountable in jurisdictions like the United States, especially if their actions involve U.S. infrastructure or violate U.S. laws. This development considerably increases the legal exposure for such companies on a global scale.

The composition of the damages award is also telling. The overwhelming proportion of punitive damages ($167.25 million) compared to compensatory damages ($444,719) indicates that the jury found NSO Group acted with “malice, oppression or fraud,” as noted in the court’s findings. Compensatory damages are intended to cover actual losses incurred by the plaintiff. Punitive damages, on the other hand, are designed to punish the defendant for egregious conduct and to deter similar behaviour in the future. The jury’s decision to award such substantial punitive damages sends an unequivocal message that NSO’s conduct was not merely illegal but profoundly reprehensible. This financial blow is aimed squarely at NSO Group and, by extension, the broader spyware industry, signalling that such activities will incur severe financial penalties that go far beyond merely covering the victim’s direct costs. This could make the business model of such companies, some of which, like NSO, are already reported to be under financial strain, far riskier and less tenable.

Pegasus unveiled: The “ghost” in the machine and its modus operandi

Pegasus is not just any spyware; it is a highly sophisticated tool engineered to infiltrate both iOS and Android devices, the dominant mobile operating systems globally. Its notoriety stems significantly from its “zero-click” exploit capabilities. This means Pegasus can be surreptitiously installed on a target’s device without requiring any action from the user – no need to click a malicious link, open an infected attachment, or even answer a call. The spyware can be delivered silently, for instance, through a missed WhatsApp call or a specially crafted message that doesn’t even need to be opened by the recipient.

Once installed, Pegasus effectively hands over complete control of the compromised device to the attacker. It can access a vast trove of personal and sensitive information, including encrypted messages (either by intercepting them before encryption on the sending device or by reading them after decryption on the receiving device), emails, photos, videos, call logs, contact lists, GPS location data, and stored passwords. Furthermore, Pegasus can remotely and covertly activate the device’s microphone and camera, turning the phone into a live surveillance device, all without the owner’s knowledge or consent. During the U.S. trial, NSO Group executives themselves conceded that Pegasus is capable of vacuuming up “every kind of user data on the phone”.

NSO Group has consistently maintained a specific narrative about its business model. The company claims that its flagship product, Pegasus, is sold exclusively to vetted government security and law enforcement agencies. The stated purpose, according to NSO, is to aid these agencies in legitimate activities such as conducting rescue operations and combating serious criminals, including terrorists, money launderers, and drug traffickers.

However, this official line stands in stark contrast to the findings of numerous independent investigations conducted by organizations like the University of Toronto’s Citizen Lab, Amnesty International, and various international media consortia, including the Pegasus Project. These investigations have meticulously documented the widespread use of Pegasus against unintended targets: journalists attempting to hold power accountable, human rights activists defending fundamental freedoms, lawyers representing sensitive clients, political opponents challenging incumbent regimes, and even heads of state. The trial also revealed that NSO Group invests heavily in its offensive capabilities, with executives admitting to spending tens of millions of dollars annually to develop sophisticated malware installation methods. The price tag for such capabilities is correspondingly high; for instance, NSO reportedly charged European government customers up to $7 million for the ability to hack just 15 devices, with additional costs for targeting devices internationally.

The glaring disparity between NSO Group’s stated purpose for Pegasus and the documented reality of its deployment against civil society effectively exposes the fallacy of the “dual-use” argument often employed for such powerful technologies. NSO’s defence consistently hinges on the supposed legitimacy of its clients and the intended use of Pegasus against “serious crime and terrorism.” However, the evidence presented during the trial, coupled with a vast body of independent research, points to a persistent pattern of abuse. This discrepancy suggests one or a combination of possibilities: NSO’s vetting processes for its government clients are woefully inadequate, its contractual controls designed to prevent misuse are ineffective or unenforced, or the company is wilfully blind to, if not complicit in, the misuse of its spyware by these clients. The argument that such tools have both legitimate and illegitimate uses – the “dual-use” defence – often crumbles when the technology in question is as inherently invasive as Pegasus and the oversight mechanisms are minimal or absent.

Moreover, the very existence, development, and marketing of a tool like Pegasus, capable of achieving total and covert compromise of a personal device, indicates a dangerous global trend towards the normalization of extreme surveillance capabilities. The fact that NSO Group could successfully develop and sell such a product to numerous governments worldwide suggests a significant global appetite for these intrusive powers. The technical sophistication of Pegasus, particularly its zero-click infection vectors, means that traditional cybersecurity defences employed by average users are often rendered useless. This creates an environment where the reasonable expectation of digital privacy is severely eroded, potentially casting a chilling effect on free speech, association, and dissent, even for individuals who are not directly targeted but fear they could be.

Turning point for spyware accountability?

The verdict against NSO Group is a landmark precedent in the fight against the unregulated proliferation of commercial spyware. It is the first U.S. jury verdict against a commercial spyware company and, significantly, the first U.S. verdict against NSO Group itself. The financial award also represents the largest reported verdict in a civil case brought under either the Computer Fraud and Abuse Act (CFAA) or the California Comprehensive Computer Data Access and Fraud Act (CDAFA).

The judgment is anticipated to have a significant impact on the broader spyware industry. Meta, in its statement following the verdict, emphasised that the ruling acts as a “critical deterrent to this malicious industry”. The success of Meta’s lawsuit may embolden other victims of spyware, whether individuals or corporations, to seek legal recourse against spyware vendors. Furthermore, the ruling could make it considerably harder for spyware companies to hide behind “plausible deniability” regarding the use of their products. This, coupled with the substantial financial penalty, is likely to lead to increased legal and financial risks for the industry, potentially affecting investment, operational strategies, and the overall viability of businesses built on selling such intrusive technologies.

This legal victory also serves to empower technology platforms in their efforts to protect their users and systems. It validates the legal strategy employed by tech companies like Meta, which utilized anti-hacking statutes such as the CFAA to hold spyware developers accountable for exploiting their platforms. Demonstrating a commitment beyond mere financial compensation, Meta has announced its intention to donate the damages recovered from NSO Group to digital rights organizations that are actively working to combat surveillance abuses and protect vulnerable users. This action is part of a growing trend where major technology companies, including Apple, which has also filed its own lawsuit against NSO Group, are taking a more proactive and aggressive stance in combating the commercial surveillance industry through both legal challenges and technical countermeasures.

The outcome of the Meta vs. NSO case signals a potential shift in the power dynamics that have characterized the surveillance technology landscape. For years, spyware firms like NSO Group operated largely in the shadows, their actions difficult to definitively prove and their legal standing often ambiguous due to claims of sovereign immunity and client confidentiality. Technology platforms, whose services were exploited as vectors for spyware delivery, were often in a reactive posture. This verdict, however, building upon the crucial judicial rejection of NSO’s sovereign immunity claims, empowers these platforms. They can now more confidently leverage their considerable legal and technical resources to proactively protect their ecosystems, thereby making it more costly and legally perilous for spyware vendors to target mainstream communication platforms.

The case also inadvertently highlights the role of the U.S. legal system as a perhaps reluctant enforcer of global digital rights. This is also a consequence of the geographical concentration of major technology company headquarters and critical internet infrastructure, including servers, within the United States. When global communication platforms, many of which are U.S.-based, find their terms of service violated or their U.S.-located servers accessed without authorization for the purpose of deploying spyware, it provides a jurisdictional hook for legal action within the American judicial system. While the outcome in the Meta vs. NSO case is viewed positively by digital rights advocates, it does raise broader questions about the sustainability and global desirability of relying predominantly on one nation’s courts to address what are inherently international issues of spyware abuse. This underscores the pressing need for enhanced international cooperation and the development of stronger, harmonized national laws elsewhere to combat this menace effectively.

Finally, the substantial financial penalty imposed on NSO Group, particularly the massive punitive damages award, underscores the potential of economic deterrence as a key weapon against the spyware industry. NSO Group has been reported to be facing significant financial difficulties, including being placed on a U.S. government blacklist that restricts its access to American technology and markets. A judgment of nearly $168 million could indeed be a fatal blow to an already struggling entity. This suggests that economic pressure, exerted through sanctions, large civil penalties, and divestment campaigns, might be one of the most effective tools to curb the proliferation of commercial spyware, especially since ethical appeals or reliance on the discretion of client governments have, to date, proven largely insufficient.

The Indian Connection: Pegasus shadows loom large over democracy

The NSO Group’s activities, as detailed in the U.S. court proceedings and prior investigations, have a significant and alarming Indian connection. Court documents related to the Meta lawsuit revealed that India was the second-most targeted country in the 2019 WhatsApp hacking campaign, with over 100 Indian users identified as victims. The list of those targeted in India reportedly included journalists, human rights activists, lawyers, and politicians, mirroring the global pattern of Pegasus deployment against civil society figures rather than solely against criminals and terrorists as NSO Group claims.

These findings were amplified by the Pegasus Project revelations in 2021. This collaborative investigative effort by international media organizations, based on a leaked list of potential surveillance targets, indicated that around 300 phone numbers in India were of interest to NSO’s clients. The Indian list controversially included serving ministers, prominent opposition leaders such as Rahul Gandhi, political strategists like Prashant Kishor, numerous journalists including Siddharth Varadarajan of The Wire, activists such as Umar Khalid, a former Election Commissioner, Ashok Lavasa, who had flagged poll code violations by the Prime Minister, and even sitting Supreme Court judges.

Amnesty International’s Security Lab has conducted forensic investigations that further substantiate these concerns. Their findings confirmed repeated targeting of Indian journalists. Siddharth Varadarajan, for instance, was found to have been targeted with Pegasus in 2018 and then again in October 2023. Another journalist, Anand Mangnale, South Asia Editor at The Organised Crime and Corruption Reporting Project (OCCRP), was targeted in August 2023 with a sophisticated zero-click exploit delivered via iMessage while he was reportedly working on a story about alleged stock manipulation by a large Indian conglomerate.

In response to the widespread outcry following the Pegasus Project revelations, the Supreme Court of India intervened in October 2021. Recognising the gravity of the allegations, the Court constituted an independent technical committee, headed by retired Supreme Court Justice R.V. Raveendran, to investigate the claims of Pegasus surveillance. This committee submitted its report in a sealed cover to the Supreme Court in August 2022. Out of the 29 phones analysed by the Technical Committee, just five showed signs of malware — and even in those cases, there was no clear evidence linking it to Pegasus, as per the three-part report presented to the Court by the Justice R.V. Raveendran committee. Crucially, the CJI NV Ramana (as he was then) also made a significant observation: the Indian government “did not cooperate” with the technical committee’s investigation.

The full contents of the technical committee’s report remain sealed and have not been made public.

The Indian government’s official stance on the Pegasus allegations has been one of consistent denial of any unauthorised interception by its agencies. Statements from the Ministry of Electronics and Information Technology (MeitY), including those made by Union Minister Ashwini Vaishnaw, have dismissed the reports as attempts to “malign Indian democracy and its well-established institutions”. The government has asserted that existing legal frameworks, such as the Indian Telegraph Act and the Information Technology Act, provide sufficient checks and balances against illegal surveillance. However, MeitY, through CERT-In (Indian Computer Emergency Response Team), was reportedly informed by WhatsApp about the Pegasus breach affecting Indian users as early as September 2019, raising questions about the timeliness and transparency of the government’s subsequent public responses.

More often than not, the government has invoked “national security” as a reason to avoid confirming or denying the procurement or use of Pegasus spyware. During Supreme Court hearings, the Solicitor General of India argued that “terrorists cannot claim privacy rights.” This sentiment was, to some extent, echoed by one of the judges who remarked, “What is wrong if the country is using spyware?… Using against whom is the question?”. These statements have fuelled concerns among civil liberties advocates that the national security argument is being used to shield potentially unlawful surveillance activities from scrutiny.

The Indian government’s persistent invocation of “national security” to sidestep transparency regarding Pegasus use, particularly its documented non-cooperation with the Supreme Court-appointed technical committee, presents a stark contrast to the detailed evidence and rigorous judicial scrutiny observed in the U.S. legal proceedings against NSO Group. While national security is undeniably a legitimate concern for any state, its deployment as a blanket justification to prevent any meaningful disclosure about the use of highly invasive spyware against a wide range of citizens—including journalists, opposition figures, and potentially even members of the judiciary—raises profound questions about democratic accountability and the potential for abuse of power. The U.S. verdict, which meticulously details the illegal hacking mechanisms employed by NSO, makes the Indian government’s opaque and defensive stance increasingly difficult to sustain, as the spyware tool itself has now been judicially recognized in a foreign court as problematic and its vendor held liable for its misuse.

The repeated and continued targeting of journalists in India, as confirmed by forensic analysis even after the initial Pegasus revelations and the Supreme Court’s intervention, suggests a brazen and deeply concerning attempt to suppress dissent and investigative journalism. When journalists investigating sensitive matters, such as allegations of financial misconduct by powerful entities, find themselves under state-sponsored surveillance, it sends a potent chilling message to the entire media community. This transcends individual privacy violations; it constitutes an assault on the freedom of the press, a cornerstone of any functioning democracy. The persistence of such targeting implies that the perpetrators feel a disturbing sense of impunity within the domestic Indian context.

The situation also presents a tale of two judiciaries and, by extension, two executive approaches. The proactive stance of the U.S. judiciary in holding NSO Group accountable, significantly aided by a well-resourced corporate plaintiff like Meta, contrasts sharply with the Indian Supreme Court’s current position. The Indian Court appears to be treading a cautious path, attempting to balance national security claims against individual queries about surveillance, a task made more challenging by the executive branch’s non-cooperation. While the U.S. case benefited from Meta’s considerable resources and clear legal standing as an aggrieved party whose platform was abused, in India, the petitioners are often individuals, under-resourced rights groups, or journalists. The Indian Supreme Court’s cautious handling of the sealed technical committee report and the government’s steadfast refusal to cooperate highlight systemic challenges in achieving accountability domestically. The fact that MeitY was reportedly informed of the WhatsApp breach affecting Indian users as far back as September 2019, yet the government’s public narrative and actions did not appear to reflect this urgency or information, further underscores this accountability deficit. The U.S. verdict might provide Indian petitioners with stronger international legal and moral backing, but overcoming domestic institutional hurdles remains a formidable challenge.

Echoes in Delhi: How the US verdict resonates in India’s Pegasus saga

The U.S. District Court’s comprehensive findings against NSO Group and the subsequent multi-million dollar damages award are poised to have significant reverberations in India, where the Pegasus spyware controversy continues to simmer. The U.S. court’s meticulous detailing of NSO’s illegal activities and the intrusive nature of Pegasus spyware provide substantial evidentiary and moral support for petitioners currently before the Indian Supreme Court. Indeed, during hearings in April 2025, Senior Advocate Kapil Sibal, representing one of the petitioners, explicitly cited the U.S. judgment, highlighting the court’s observation that India was among the countries where WhatsApp users were targeted by Pegasus. The detailed revelations from the U.S. trial concerning NSO Group’s operational methods and its direct involvement in deploying the spyware can be leveraged to counter claims that the spyware’s use is solely determined by client governments without NSO’s active participation or knowledge.

This international legal precedent is likely to fuel fresh and more vociferous demands for transparency and accountability from the Indian government. Opposition parties, such as the Congress party, which has already called for Supreme Court-monitored probes based on U.S. court revelations, along with civil society organizations and various digital rights advocates, are expected to intensify their calls for the Indian government to: first, unequivocally state whether it procured and deployed Pegasus spyware; second, consent to a truly independent and transparent investigation into the allegations; and third, make the Supreme Court-appointed technical committee’s full report public, allowing for informed public debate and scrutiny.

The U.S. judgment also presents a formidable challenge to the broad “national security” argument frequently invoked by the Indian government to justify opacity surrounding the use of Pegasus. By laying bare the illicit hacking mechanisms of Pegasus and its deployment against ordinary citizens such as journalists and activists, the U.S. court’s findings weaken the credibility of using an all-encompassing national security pretext to shield such surveillance from any form of oversight in India. If the tool’s mode of operation is deemed illegal by a U.S. court when used against similar profiles of individuals, its alleged use in India under a vague and unsubstantiated national security rationale becomes increasingly questionable and harder to defend both domestically and internationally.

Ultimately, the U.S. verdict indirectly places India’s own democratic institutions—particularly its judiciary and parliamentary oversight mechanisms—under a critical test. If a foreign court, driven by a corporate plaintiff, can achieve a significant degree of accountability against the NSO Group, the question inevitably arises: why are Indian institutions apparently struggling to achieve similar accountability regarding the use of Pegasus within India’s borders? This focuses uncomfortable attention on the independence, efficacy, and resilience of these institutions when confronted with executive power and sweeping claims of national security. The Indian Supreme Court’s next steps in the Pegasus matter, with hearings scheduled for July 30, 2025, will be very closely watched in this context.

Conclusion

The broader struggle against illicit surveillance and the misuse of powerful espionage technologies is far from over. It requires sustained, multifaceted efforts from technology companies committed to protecting their users, from a vigilant and courageous civil society, from international bodies striving to establish global norms, and, most crucially, from national governments willing to uphold the rule of law and safeguard fundamental human rights in the increasingly complex digital age. The path to effectively reining in the global spyware menace is undoubtedly long and arduous, but the Meta-NSO verdict offers a crucial milestone, a tangible victory for a future where digital technologies empower rather than oppress.

(The author is part of the legal research team of the organisation)

Pegasus case: SC appointed Committee says GoI not cooperating

SabrangIndia, Fri, 26 Aug 2022 05:00:06 +0000
https://sabrangindia.in/pegasus-case-sc-appointed-committee-says-goi-not-cooperating/

Committee examined 29 mobile phones and found malware on five devices


The Supreme Court bench of Chief Justice NV Ramana, Justice Surya Kant and Justice Hima Kohli has taken on record a sealed report submitted to it by the Committee set up by the court to probe allegations of the spyware Pegasus being secretly installed in the mobile phones of human rights activists and journalists.

The Telegraph reported that the court revealed that the Committee has examined 29 devices so far and found that five of them were infected by malware, though it was not Pegasus. LiveLaw also reported that the bench orally remarked that the Committee had submitted that the Government of India (GoI) had not cooperated. The publication quoted the bench as saying, “One thing committee has said, Government of India has not cooperated. The same stand you took here, you have taken there…”

Brief background of the Pegasus scandal

The scandal was first reported by French organisation Forbidden Stories in association with several global partners including The Wire in India. Their investigation revealed that the phones and other electronic devices of several Indian politicians, activists and journalists had been placed under surveillance using the Pegasus spyware. Many of the people on the list voluntarily had their devices tested to get confirmation, following which the story broke and generated public debate and outrage.

In late July and early August 2021, after a Rajya Sabha Member of Parliament and a few journalists, all targeted by the spyware, moved the Supreme Court, the Centre, which had hitherto avoided making any formal statement, finally made its first official comment on the matter in response to a question raised in Parliament.

The written response provided on August 9, by Ajay Bhatt, Minister of State in the Ministry of Defence, said, “Ministry of Defence has not had any transaction with NSO Group Technologies.” This is significant because NSO, the Israeli manufacturer of the spyware that was used to snoop on as many as 300 Indians including journalists, activists and dissenters, only engages in transactions with “vetted governments”. In hindsight, this appears to be just a carefully-worded non-denial.

Readers would recall that in September 2021, the GoI had refused to answer key questions pertaining to the purchase of Pegasus, a spyware developed by NSO Group of Israel, and only sold to vetted governments. The GoI had refused to budge from its stand citing national security concerns.

The SC had then taken umbrage at this stand and had observed, “It is a settled position of law that in matters pertaining to national security, the scope of judicial review is limited. However, this does not mean that the State gets a free pass every time the spectre of “national security” is raised. National security cannot be the bugbear that the judiciary shies away from, by virtue of its mere mentioning.”

In fact, that the Government would not be allowed to have its way was made clear at the very beginning of the judgment, which began with an Orwellian quote:

“If you want to keep a secret, you must also hide it from yourself.”

- George Orwell, 1984

In October 2021, the SC ordered the formation of an independent expert committee to look into allegations of the use of the Pegasus spyware for targeted surveillance of several journalists, activists and political dissidents. 

A three-member committee of technical experts was constituted to probe the allegations. The three technical experts were:

  • Dr. Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensics University, Gandhinagar, Gujarat.

  • Dr. Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala.

  • Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra.

The functioning of this committee was overseen by Justice RV Raveendran, former Judge, Supreme Court of India, and he was assisted by:

  • Mr. Alok Joshi, former IPS officer (1976 batch)

  • Dr. Sundeep Oberoi, Chairman, ISO/IEC JTC1 SC7 (International Organisation of Standardisation/International Electrotechnical Commission/Joint Technical Committee)

Shocking revelations by the New York Times

In February 2022, The New York Times revealed that the Government of India had purchased Pegasus way back in 2017, as part of a package included in a $2 billion defence deal with Israel. This left many wondering whether the government had been wilfully gaslighting its own citizens all this while.

The report titled The Battle for the World’s Most Powerful Cyberweapon said, “Though the Israeli government’s oversight was meant to prevent the powerful spyware from being used in repressive ways, Pegasus has been sold to Poland, Hungary and India, despite those countries’ questionable records on human rights.”

It further elaborated, “In July 2017, Narendra Modi, who won office on a platform of Hindu nationalism, became the first Indian prime minister to visit Israel. For decades, India had maintained a policy of what it called “commitment to the Palestinian cause,” and relations with Israel were frosty. The Modi visit, however, was notably cordial, complete with a carefully staged moment of him and Prime Minister Netanyahu walking together barefoot on a local beach. They had reason for the warm feelings. Their countries had agreed on the sale of a package of sophisticated weapons and intelligence gear worth roughly $2 billion — with Pegasus and a missile system as the centerpieces. Months later, Netanyahu made a rare state visit to India. And in June 2019, India voted in support of Israel at the U.N.’s Economic and Social Council to deny observer status to a Palestinian human rights organization, a first for the nation.”

Will at least some part of the Committee’s report be made public?

Now, the Supreme Court-appointed Committee has submitted its report in three parts in a sealed cover to the Supreme Court. While there is much curiosity about the findings of the Committee, not all parts of the report are likely to be made public, as it contains not only information pertaining to malware and public research material, but also material extracted from private mobile instruments which may contain confidential information. But the part by Justice RV Raveendran, who was overseeing the probe, could be uploaded to the court website. For now, the report remains in sealed cover. The case has been adjourned for four weeks.

Related:

Pegasus scandal: Did GoI engage in an elaborate cover-up?

State can’t get free pass every time spectre of “national security” is raised: SC in Pegasus case

Pegasus scandal: SC stays Justice Lokur Commission probe

Defence Ministry has had no transaction with Pegasus developer NSO Group: Centre in RS

Centre refuses to disclose use of Pegasus in affidavit, pleads national security

Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking

Pegasus Snoopgate: RS MP, Journalists move SC for court monitored probe   

Spying on Opposition, Dissidents, Scribes Becomes More Dangerous https://sabrangindia.in/spying-opposition-dissidents-scribes-becomes-more-dangerous/ Wed, 10 Aug 2022 04:28:40 +0000 http://localhost/sabrangv4/2022/08/10/spying-opposition-dissidents-scribes-becomes-more-dangerous/ Authoritarian regimes can hire cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus.

The post Spying on Opposition, Dissidents, Scribes Becomes More Dangerous appeared first on SabrangIndia.

Image Credit: Aman Khatri

Snooping on opposition politicians, journalists, political dissidents or even business rivals seems to have become the norm. It is also becoming easier with new methods, technology and people available to carry out such tasks without much difficulty.

In 2021, it was the Pegasus Project. Now, cybersecurity groups have identified several cyber criminal outfits and individuals, including those acting like mercenaries, who can be engaged and used by any power—either governments, their agencies or even the big business—against their ‘enemies’.

While a large chunk of the victims is journalists, political dissidents are becoming the main target of these cyber attackers or hackers. These cyber criminals not only snoop to find out what the targets are up to but they can also gather their data and destroy their entire activity, even personal ones, by attacking their mobile phones, laptops and computers. Most of the time, victims do not even know that they are being tracked or hacked.

To understand the level of the threat being posed by ‘political’ cyber criminals, the Pegasus Project, its impact and expanse have to be understood first. An Israeli cyber arms firm named NSO Group created the Pegasus spyware. The company is supervised by the Israeli government’s Defence Department.

Though NSO claims that the spyware was developed for surveillance of “serious crimes and terrorism”, the technology was used by governments around the world mostly against non-criminal individuals, mostly dissidents. About 50,000 phone numbers of mostly opposition politicians, political dissidents, journalists, lawyers and human rights activists, among others in various countries were leaked in 2020. As many as 14 presidents, prime ministers and diplomats were also on this list. This spyware was acquired/purchased by several governments under an agreement with Israel.

A significant number of the hacked phones inspected by Amnesty International’s cybersecurity team revealed that the malware was covertly installed on mobile phones and other devices running on iOS and Android. The information gathered by Amnesty International was sent by it to 17 global media organisations, leading to protests in different countries, including India, with the protestors demanding a probe into the acquisition and the use of Pegasus, its abuses and a limitation on trading such repressive malware.

A new situation has arisen now—a government or a large corporation can easily access these cyber criminals or mercenaries, who can be hired or their spyware bought to plant spy malware inside the devices of the target.

Threatpost, a Massachusetts (US)-based independent cybersecurity news organisation, has recently come out with a report regarding such emerging cyber threats. Since 2021, various “state-aligned threat groups” have stepped up their targeting of journalists to steal data and credentials and also track them, according to the report. The report, quoting researchers at a leading cybersecurity firm called Proofpoint, said there have been “efforts by advanced persistent threat (APT) groups. … Attacks began in early 2021 and are ongoing. The APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar with threat actors targeting email and social media accounts as phishing inroads in cyberespionage campaigns”. Sunnyvale (California)-based Proofpoint says it protects “people, data and brand against advanced threats and compliance risks”.

Another aspect of cybercrime targeting individual freedom has been pointed out in an article by Threatpost writer Elizabeth Montalbano. A “cybergang” called the Atlas Intelligence Group (AIG) has been recently spotted by security researchers recruiting independent black hat hackers to execute specific aspects of its own campaigns, she alleged.

AIG, also known as the Atlantis Cyber-Army, functions as “a cyber-threats-as-a-service criminal enterprise. This group markets services including data leaks, distributed denial of service, remote desktop protocol hijacking and additional network penetration services”, according to the report. AIG, the for-hire cyber criminal group, “is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called ‘cyber mercenaries’ to carry out specific illicit hacks that are part of larger criminal campaigns”.

The report further stated that AIG is “unique in its outsourcing approach to committing cybercrimes. … For example, Ransomware-as-a-Service organised crime campaigns can involve multiple threat actors—each getting a cut of any extorted lucre or digital assets stolen. What makes AIG different is it outsources specific aspects of an attack to ‘mercenaries’, who have no further involvement in an attack. … only AIG administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets”.

Journalists have been targeted before but not like this. How do these cyber mercenaries attack a journalist or a dissident activist? The attacks typically involve some type of social engineering to lower the guard of targets to coax them to download and execute various malicious payloads onto their personal digital devices, the researchers said. The ways to attract a gullible journalist include emails and messages sent via various social media platforms on topics related to their areas of focus or specialisation, political or otherwise.

“In various instances, the attackers would lie low after posting malware infection. This would enable them to gain persistence on a recipient’s network and help them conduct lateral network reconnaissance and propagate additional malware infections within the target’s network. Secondary tactics included tracking or surveilling journalists.”

Proofpoint said that adversaries or hackers used web beacons planted on journalists’ devices to carry out surveillance. While the latest report tracks some of the most recent activities against journalists, targeting this group of individuals certainly is not novel given the type of information they know when it comes to political and socio-economic issues, the researchers noted.

“APT actors, regardless of their state affiliation, have and will likely always have the mandate to target journalists and media organisations and will use associated personas to further their objectives and collection priorities,” they wrote. Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

The researchers at Proofpoint delved deep into these attacks on journalists. Some of the examples they wrote about included the targeting of media personnel in Southeast Asia with emails containing a malicious Royal Road RTF attachment. If opened, the attachment would “install and execute Chinoxy malware—a backdoor that is used to gain persistence on a victim’s machine”. Early this year, a US-based media organisation was the target of phishing attacks that appeared to offer job opportunities from reputable companies to journalists. The attack was reminiscent of a similar one against engineers that the same group of cyber criminals had mounted in 2021.

“The sites were fraudulent and the URLs were armed to relay identifying information about the computer or device someone was working from to allow the host to keep track of the intended target,” the researchers said. Another example was that of a state-sponsored actor which hid behind the persona of a fake media organisation to deliver malware to public relations personnel for companies located in the United States, Israel and Saudi Arabia.

“Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks,” the researchers said. In one campaign that occurred in March 2022, a cyber criminal firm sent an email with the ironic subject line ‘Iran Cyber War’ that ultimately dropped a remote access trojan on the victims’ machines. “The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing,” the researchers added.

“Between September 2021 and March 2022, Proofpoint observed campaigns (run by this threat actor) approximately every two to three weeks. The March 2022 campaign targeted both individual and generic, group email addresses … (of those) involved in energy, media, government, and manufacturing.”

With individuals and cyber criminal groups involved in hacking and the dark Web becoming active in the Internet world, it would become easier for authoritarian and autocratic governments to target opposition leaders, political dissidents, human rights activists and journalists. These regimes can hire such cyber criminals on the sly without signing any official agreement as they did in the case of Pegasus. 

The writer has extensively covered internal security, defence and civil aviation for the Press Trust of India for three decades. Views are personal.

Courtesy: Newsclick

 

 

Rona Wilson’s devices hacked by two groups of hackers employed by same entity: Sentinel Labs https://sabrangindia.in/rona-wilsons-devices-hacked-two-groups-hackers-employed-same-entity-sentinel-labs/ Thu, 10 Feb 2022 09:05:13 +0000 http://localhost/sabrangv4/2022/02/10/rona-wilsons-devices-hacked-two-groups-hackers-employed-same-entity-sentinel-labs/ California-based cybersecurity firm’s report says two separate groups were employed by same entity with “interests aligned with the Indian State”

The post Rona Wilson’s devices hacked by two groups of hackers employed by same entity: Sentinel Labs appeared first on SabrangIndia.


More skeletons are tumbling out of a closet in the matter pertaining to the allegations of malware and spyware planted on electronic devices used by activists implicated in the Bhima Koregaon case. Now, Sentinel Labs, another US-based cybersecurity firm (after Arsenal) has discovered more evidence of Rona Wilson’s devices being targeted.

According to Sentinel Labs, there are two separate sets of hackers who targeted Wilson’s devices. They were employed, possibly by the same entity that has “interests aligned with the Indian State”.

The curious case of the ModifiedElephant

One of the groups of hackers who targeted Wilson’s devices is an entity Sentinel Labs calls ModifiedElephant. A report by Sentinel Labs says, “ModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders, academics, and lawyers across India with the objective of planting incriminating digital evidence.” They also found that “ModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals,” and that “ModifiedElephant operates through the use of commercially available remote access trojans (RATs) and has potential ties to the commercial surveillance industry.”

As far as the entity’s modus operandi goes, Sentinel Labs found that “The threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire, DarkComet, and simple keyloggers with infrastructure overlaps that allow us to connect long periods of previously unattributed malicious activity.” The report further says, “This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting,” adding on a chilling note, “ModifiedElephant is still active at the time of writing.”

The report further explained, “Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time,” adding, “The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target, such as activism news and groups, global and local events on climate change, politics, and public service.”

Who is ModifiedElephant targeting and why?

According to Sentinel Labs, “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.” The report further says, “After careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and individuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists, academics, and law professionals in India are those most highly targeted. Notable targets include individuals associated with the Bhima Koregaon case.”

The report goes on to say, “We observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.”

Other threat actors: What is SideWinder?

The second entity that popped up alongside ModifiedElephant during Sentinel Labs’ investigation is SideWinder. According to Sentinel Labs, “Between February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be attributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is unclear as only the timing and targets of their phishing emails overlap within our dataset. This could suggest that the attackers are being provided with similar tasking by a controlling entity, or that they work in concert somehow.”

Activists implicated in Bhima Koregaon case targeted using malware and spyware

After it was discovered that Rona Wilson’s phone had been infected with the Pegasus spyware that was recently revealed to have been purchased by the Government of India as part of a 2-billion-dollar defence deal with Israel in 2017, there have been significant developments in the case.

Earlier this week, the National Investigation Agency (NIA) sought the special court’s permission to hand over the devices of seven activists including Wilson to a special Committee constituted by the Indian Supreme Court to probe allegations related to the Pegasus scandal. The seven activists whose phones the NIA wants examined are: Anand Teltumbde, Hany Babu, Rona Wilson, Shoma Sen, Sudha Bharadwaj and Vernon Gonsalves. Of these, only Bharadwaj is out on bail. Together these seven people have 26 devices that were seized, first by the Pune Police and then by the NIA.

An electronic copy of Rona Wilson’s laptop was first examined by US-based digital forensics firm Arsenal. In February 2021 it was revealed that an attacker used malware to infiltrate the laptop and place incriminating evidence on it. According to Arsenal’s report, “Rona Wilson’s computer was compromised for just over 22 months.” They also found, “The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

Then in December 2021 it came to light that an analysis by Amnesty International’s Security Lab revealed that two backups of an iPhone 6 belonging to Wilson had “digital traces showing infection by the Pegasus surveillance tool”, something that by Pegasus’s own admission was licenced only to vetted governments. The phone backups were shared with the Amnesty team by Arsenal.

Finally, a New York Times expose shed light on how the Government of India had purchased the Pegasus software as part of a package included in a $2 billion defence deal with Israel in 2017, thus bringing the entire controversy full circle.

Related:

Bhima Koregaon: NIA seeks permission to hand over phones of 7 accused to Pegasus Committee

Pegasus scandal: Did GoI engage in an elaborate cover-up?

Pegasus scandal: SC stays Justice Lokur Commission probe

Defence Ministry has had no transaction with Pegasus developer NSO Group: Centre in RS

Centre refuses to disclose use of Pegasus in affidavit, pleads national security

Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking

Pegasus Snoopgate: RS MP, Journalists move SC for court monitored probe   

Bhima Koregaon: NIA seeks permission to hand over phones of 7 accused to Pegasus Committee https://sabrangindia.in/bhima-koregaon-nia-seeks-permission-hand-over-phones-7-accused-pegasus-committee/ Tue, 08 Feb 2022 11:38:30 +0000 http://localhost/sabrangv4/2022/02/08/bhima-koregaon-nia-seeks-permission-hand-over-phones-7-accused-pegasus-committee/ Activist Rona Wilson’s phone was found to be infected by the spyware; SC appointed Committee probing charges

The post Bhima Koregaon: NIA seeks permission to hand over phones of 7 accused to Pegasus Committee appeared first on SabrangIndia.


In fresh developments in the Bhima Koregaon case, the National Investigation Agency (NIA) has sought permission from the Special NIA Court to hand over the phones of seven activists accused in the case to the independent expert committee constituted by the Supreme Court to probe the Pegasus scandal.

The seven activists whose phones the NIA wants examined are: Anand Teltumbde, Hany Babu, Rona Wilson, Shoma Sen, Sudha Bharadwaj and Vernon Gonsalves. Of these, only Bharadwaj is out on bail. Meanwhile it was Wilson whose phone was revealed to have been infected with Pegasus as per the findings of Arsenal, a US-based digital forensics firm.

Together these seven people have 26 devices that were seized, first by the Pune Police and then by the NIA, which is why they could not offer the devices to the Committee themselves. Following this, the Committee wrote to the NIA in January seeking the devices to make copies of them and then examine them, reported Bar&Bench. This prompted the NIA to seek the special court’s permission.

The Pegasus scandal has been heating up, especially in the wake of multiple revelations by the Washington Post and the New York Times. It was the Washington Post that had originally broken the story in December 2021 that an analysis by Amnesty International’s Security Lab revealed that two backups of an iPhone 6 belonging to Wilson had “digital traces showing infection by the Pegasus surveillance tool”, something that by Pegasus’s own admission was licenced only to vetted governments. The phone backups were shared with the Amnesty team by Arsenal Consulting, a digital forensics firm that had, upon request from Wilson’s defence team, examined digital copies of his laptop and phones, and revealed that they had been infected by malware that allowed for the planting of false evidence on his devices.

In fact, this was the second time Arsenal had taken a closer look at Rona Wilson’s phone. In February 2021, the digital forensics firm, upon being approached by Wilson’s legal team, had analysed an electronic copy of activist Rona Wilson’s laptop and arrived at the conclusion that an attacker used malware to infiltrate the laptop and place incriminating evidence on it. According to Arsenal’s report, “Rona Wilson’s computer was compromised for just over 22 months.” They also found, “The attacker responsible for compromising Mr. Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery.”

But there was another chilling revelation, “Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile cases as well.”

On an eerie note, Arsenal conceded, “This is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast time span between the delivery of the first and the last incriminating documents.”

The Arsenal report then went on to explain just how the carefully planned malware attack was carried out. Wilson received an email from someone using his fellow activist Varavara Rao’s email account. This person sent Wilson the malware in a document, asking him to open it. Wilson thought he was just clicking a Dropbox link, but it was just a series of steps by which NetWire was installed on his computer.

It is noteworthy that in the wake of these findings, not only Wilson but also another Bhima Koregaon accused, Sudha Bharadwaj, has demanded that an investigation be conducted to ascertain Arsenal’s claims.

But the NIA dismissed Arsenal’s findings, and instead of probing further, called into question the locus of Arsenal in offering opinion in the Bhima Koregaon case!

Then came the shocker from NYT that exposed earlier this month how the Government of India had purchased the Pegasus software as part of a package included in a $2 billion defence deal with Israel in 2017.

SabrangIndia had reported earlier on how the government of India had given a series of non-answers and engaged in elaborate deflective tactics, all on the pretext of national security concerns ever since the scandal was first reported by French organisation Forbidden Stories in association with several global partners including The Wire in India. Their investigation revealed that the phones and other electronic devices of several Indian politicians, activists and journalists, had been placed under surveillance using the Pegasus spyware. Many of the people on the list voluntarily had their devices tested to get confirmation, following which the story broke and generated public debate and outrage.

In late July and early August 2021, after a Rajya Sabha Member of Parliament and a few journalists, all targeted by the spyware, moved the Supreme Court, the Centre, which had hitherto avoided making any formal statement, finally made its first official comment on the matter in response to a question raised in Parliament.

The written response provided on August 9, by Ajay Bhatt, Minister of State in the Ministry of Defence, said, “Ministry of Defence has not had any transaction with NSO Group Technologies.” This is significant because NSO, the Israeli manufacturer of the spyware that was used to snoop on as many as 300 Indians including journalists, activists and dissenters, only engages in transactions with “vetted governments”. This is also significant now in the wake of NYT’s revelations that the software was bought as part of a package during a defence deal with the government of Israel, which means GoI’s carefully worded submission in Parliament was nothing but a clever non-denial.

Interestingly, when the Supreme Court issued notice to the Centre in the matter, the Centre actually refused to disclose any information and did not file a detailed affidavit as asked for by the court, citing “national security” concerns. Interestingly, the SC had come down heavily on the government for offering this defence for not making formal submissions in the case.

 

Related:

Pegasus scandal: Did GoI engage in an elaborate cover-up?

Pegasus scandal: SC stays Justice Lokur Commission probe

Defence Ministry has had no transaction with Pegasus developer NSO Group: Centre in RS

Centre refuses to disclose use of Pegasus in affidavit, pleads national security

Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking

Pegasus Snoopgate: RS MP, Journalists move SC for court monitored probe   

Pegasus scandal: SC stays Justice Lokur Commission probe https://sabrangindia.in/pegasus-scandal-sc-stays-justice-lokur-commission-probe/ Fri, 17 Dec 2021 09:10:22 +0000 http://localhost/sabrangv4/2021/12/17/pegasus-scandal-sc-stays-justice-lokur-commission-probe/ Decision comes even as it is revealed that Rona Wilson’s laptop was infected with Pegasus spyware

The post Pegasus scandal: SC stays Justice Lokur Commission probe appeared first on SabrangIndia.


In fresh developments in the Pegasus spyware case, the Supreme Court on Friday passed an interim order staying a probe being conducted into the Pegasus spyware scandal by a Commission led by (Retd) Justice Madan Lokur for the West Bengal Government. The SC was disappointed that a parallel probe was taking place even though the SC ordered the formation of a three-member technical Committee to conduct a probe.

In October this year, a SC bench comprising Chief Justice NV Ramana, and Justices Surya Kant and Hima Kohli, that was hearing a batch of petitions demanding a probe into these allegations, had ordered the formation of an independent expert committee to look into allegations of the use of the Pegasus spyware for targeted surveillance of several journalists, activists and political dissidents. The three technical experts are:

  • Dr. Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensics University, Gandhinagar, Gujarat.

  • Dr. Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala.

  • Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra.

The functioning of this committee will be overseen by Justice RV Raveendran, former Judge, Supreme Court of India. Justice Raveendran will be assisted by:

  • Mr. Alok Joshi, former IPS officer (1976 batch)

  • Dr. Sundeep Oberoi, Chairman, ISO/IEC JTC1 SC7 (International Organisation of Standardisation/International Electro-Technical Commission/Joint Technical Committee)

SabrangIndia had reported earlier about how the West Bengal government had formed a two-member inquiry commission to look into the Pegasus Project in July this year. The Commission consists of the former Supreme Court judge Madan Bhimrao Lokur, and former Calcutta High Court Chief Justice, Jyotirmay Bhattacharya.

This was around the time when the government of India was still busy dodging questions about the scandal by giving a series of non-answers and engaging in elaborate deflective tactics, all on the pretext of national security concerns. In late July and early August 2021, after a Rajya Sabha Member of Parliament and a few journalists, all targeted by the spyware, moved the Supreme Court, the Centre, which had hitherto avoided making any formal statements, finally made its first official comment on the matter in response to a question raised in Parliament.

The written response provided on August 9, by Ajay Bhatt, Minister of State in the Ministry of Defence, said, “Ministry of Defence has not had any transaction with NSO Group Technologies.” This is significant because NSO, the Israeli manufacturer of the spyware that was used to snoop on as many as 300 Indians including journalists, activists and dissenters, only engages in transactions with “vetted governments”.

Interestingly, when the Supreme Court issued notice to the Centre in the matter, the Centre actually refused to disclose any information and did not file a detailed affidavit as asked for by the court, citing “national security” concerns.

More skeletons tumble out of the closet

Meanwhile, in yet another shocking disclosure, the Washington Post has revealed that activist Rona Wilson, who has been implicated in the Bhima Koregaon case with many other fellow human rights defenders, was also a victim of the Pegasus spyware.

According to WaPo, an analysis by Amnesty International’s Security Lab revealed that two backups of an iPhone 6 belonging to Wilson had “digital traces showing infection by the Pegasus surveillance tool”, something that by Pegasus’s own admission was licenced only to vetted governments. The phone backups were shared with the Amnesty team by Arsenal Consulting, a digital forensics firm that had, upon request from Wilson’s defence team, examined digital copies of his laptop and phones, and revealed that they had been infected by malware that allowed for the planting of false evidence on his devices.

Responding to a query by WaPo, NSO group said that the allegations raised in the inquiry “were not clear”, but also added on a rather chilling note, “Once a democratic country lawfully, following due process, uses tools to investigate a person suspected in an attempt to overthrow a (democratically elected) government, this would not be considered a misuse of such tools by any means.”

This discovery is likely to play a significant role in the cases against not just Wilson, but also others implicated in the Bhima Koregaon case, where one of the 16 accused, namely Fr. Stan Swamy has already passed away, and only Sudha Bharadwaj has been let out of jail on default bail.

 

State can’t get free pass every time spectre of “national security” is raised: SC in Pegasus case https://sabrangindia.in/state-cant-get-free-pass-every-time-spectre-national-security-raised-sc-pegasus-case/ Wed, 27 Oct 2021 07:06:07 +0000 http://localhost/sabrangv4/2021/10/27/state-cant-get-free-pass-every-time-spectre-national-security-raised-sc-pegasus-case/ SC orders formation of a three-member technical committee comprising Computer Science, Engineering and Digital Forensic experts. They will probe allegations of illegal surveillance under a former SC judge


The Supreme Court has ordered the formation of an independent expert committee to look into allegations of the use of the Pegasus spyware for targeted surveillance of several journalists, activists and political dissidents. 

The order was passed by a bench comprising Chief Justice NV Ramana, and Justices Surya Kant and Hima Kohli, that was hearing a batch of petitions demanding a probe into these allegations. Pegasus is a spyware developed by an Israeli company named NSO that has categorically stated that it only sells the product to “vetted governments”. However, the Government of India has so far refused to file an affidavit before the court on whether or not it used Pegasus, citing “national security” concerns.

On this subject, the Supreme Court observed, “It is a settled position of law that in matters pertaining to national security, the scope of judicial review is limited. However, this does not mean that the State gets a free pass every time the spectre of “national security” is raised. National security cannot be the bugbear that the judiciary shies away from, by virtue of its mere mentioning.”

In fact, that the Government will not be allowed to have its way was made clear at the very beginning of the judgment, which began with an Orwellian quote:

“If you want to keep a secret, you must also hide it from yourself.”

- George Orwell, 1984

Expert Committee to probe allegations

The court has now directed that a three-member committee of technical experts be constituted to probe the allegations. The three technical experts are:

  • Dr. Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensics University, Gandhinagar, Gujarat.

  • Dr. Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala.

  • Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra.

The functioning of this committee will be overseen by Justice RV Raveendran, former Judge, Supreme Court of India. Justice Raveendran will be assisted by:

  • Mr. Alok Joshi, former IPS officer (1976 batch)

  • Dr. Sundeep Oberoi, Chairman, ISO/IEC JTC1 SC7 (International Organisation of Standardisation/International Electro-Technical Commission/Joint Technical Committee)

What will the Committee probe?

The Committee will investigate whether the “Pegasus suite of spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversations, intercept information and/or for any information”. It will also get “details of the victims and/or persons affected by such a spyware attack.” The committee will also ascertain what “steps/actions have been taken by the Respondent-Union of India after reports were published in the year 2019 about hacking of Whatsapp accounts of Indian citizens, using the Pegasus suite spyware.”

But most significantly, the Committee will enquire “whether any Pegasus suite of spyware was acquired by the Respondent-Union of India, or any State Government, or any central or state agency for use against the citizens of India?” If it is discovered that the State did use Pegasus to spy on Indians, the Committee is to ascertain “under what law, rule, guideline, protocol or lawful procedure was such deployment made?”

The court will hear the matter again after eight weeks.

The complete order may be read here:

Pegasus scandal: Judgment to be pronounced tomorrow https://sabrangindia.in/pegasus-scandal-judgment-be-pronounced-tomorrow/ Tue, 26 Oct 2021 13:50:23 +0000 http://localhost/sabrangv4/2021/10/26/pegasus-scandal-judgment-be-pronounced-tomorrow/ Is the SC considering setting up an expert committee to probe the scandal?

Supreme Court. Image courtesy: newslaundry.com

The Supreme Court is likely to deliver judgment in connection with a batch of petitions seeking a probe into the surveillance scandal revolving around the use of the Israeli spyware Pegasus, that was allegedly used to spy on Indian activists, journalists and human rights defenders.

Brief background of the case

On July 18, it had been revealed that the Israeli spyware Pegasus had been used to target many journalists including over 40 from India. The Wire news portal broke the story in India, and its founding editors Siddharth Varadarajan and MK Venu were on the list of journalists being tracked along with their investigative writer Rohini Singh and others. Journalists from the Hindustan Times, among others, were also on the list.

Denial by Indian authorities

While NSO, the Israeli manufacturer of the spyware, had categorically stated that the software was only sold to “vetted government”, Indian authorities first made vague statements and then denied purchasing or using Pegasus. Minister for Information Technology, Ashwini Vaishnaw had stated in Parliament on July 19 that there was no substance behind the snooping reports and that it was an attempt to malign the Indian democracy. “Hon’ble Speaker Sir, when we look at this issue through the prism of logic, it clearly emerges that there is no substance behind this sensationalism,” he submitted. 

In a written response submitted before the Rajya Sabha on August 9, Ajay Bhatt, Minister of State in the Ministry of Defence, said, “Ministry of Defence has not had any transaction with NSO Group Technologies.”

West Bengal leads the way

On July 26, the West Bengal government appointed a two-member Commission headed by retired judge of the Supreme Court, Justice Madan Lokur and Calcutta High Court Chief Justice Jyotirmay Bhattacharya to inquire into the Pegasus scandal.

Affected parties move SC

Shortly afterwards, Rajya Sabha Member of Parliament John Brittas, and senior journalists N Ram and Sashi Kumar, approached the Supreme Court in two separate petitions, seeking a court monitored probe into allegations of use of Pegasus spyware for “surveillance” of citizens.

In August, five journalists: SNM Abdi, Prem Shankar Jha, Paranjoy Guha Thakurta, Rupesh Kumar Singh and Ipsa Shataksi, had moved court through Advocate-on-Record, Prateek Chadha, stating in their petition, that they have been subjected to a “deeply intrusive surveillance and hacking by the Government of India or some other third party.”

A bench comprising Chief Justice NV Ramana, and Justices Surya Kant and Hima Kohli had heard the matter and reserved judgment on September 13. It is noteworthy though that the Centre refused to file an affidavit pertaining to the use of Pegasus due to “national security reasons”. Solicitor General of India, Tushar Mehta, had said at the time, that the government would constitute a committee of domain experts, saying, “Revealing whether Pegasus was used or not, would not be in national interest. Allow the government to constitute the committee, independent of the government.”

Senior counsel Kapil Sibal, appearing for one group of the petitioners (journalists, N Ram and Sashi Kumar) had countered this saying, “All we want to know is if the State has used Pegasus. But my learned friend [Tushar Mehta] is saying that it will be detrimental to national interest. I am sorry, to not say that will be detrimental to justice. This spyware is per se illegal. It cannot be used. Ordinary citizens were targeted. This is a serious issue. State cannot say that they cannot tell the court.”

Bar and Bench meanwhile reported that on September 23, CJI Ramana had said in open court that the SC was mooting the constitution of an expert committee to probe the scandal.

UNHRC raises concern over Pegasus, rampant use of UAPA in India https://sabrangindia.in/unhrc-raises-concern-over-pegasus-rampant-use-uapa-india/ Thu, 16 Sep 2021 04:18:57 +0000 http://localhost/sabrangv4/2021/09/16/unhrc-raises-concern-over-pegasus-rampant-use-uapa-india/ Over the course of two days the UN Human Rights Commissioner has raised concerns over state surveillance, and in the global update mentioned concerns over use of UAPA in India


During the 48th session of the Human Rights Council, UN High Commissioner for Human Rights, Michelle Bachelet called for leadership from the Human Rights Council members. While her address started with crises of pollution, climate change and biodiversity amplifying conflicts, tensions and structural inequalities, there were other humanitarian issues that were also flagged.

These included, for India, the restrictions on public assembly, and frequent temporary communication blackouts in Jammu and Kashmir. “While hundreds of people remain in detention for exercising their right to the freedom of expression, and journalists face ever-growing pressure. Ongoing use of the Unlawful Activities (Prevention) Act throughout India is worrying, with Jammu & Kashmir having among the highest number of cases in the country. While I acknowledge the Government’s efforts to counter terrorism and promote development in the region, such restrictive measures can result in human rights violations and foster further tensions and discontent,” she said during the session.

The statement may be read here.

Voices against UAPA

The rampant use of the Unlawful Activities (Prevention) Act (UAPA) is being flagged time and again by many within the country. As student activists are incarcerated for the Delhi violence of 2020 under the garb of hatching a “conspiracy”, and even as the accused in the Bhima Koregaon case continue to languish in jail, all under UAPA, the debate continues.

The UAPA is known for being used to incarcerate persons for long periods of time without trial and without framing charges, merely on the basis of grounds, with very slim chances for the detenu to defend himself. More often than not, the detenu’s detention is confirmed and keeps getting extended time and again until a higher court pulls the trigger on this system of oppression and grants bail.

Senior Advocate Mihir Desai, while speaking at an event honoring slain journalist Gauri Lankesh organised by Gauri Memorial Trust and Citizens for Justice and Peace (CJP), pointed out that even though the UAPA was enacted by the United Progressive Alliance (UPA) government, the ruling government has mastered the art of using it in a very targeted way. He further explained how UAPA is in effect, a kind of preventive detention law that attempts to detain a person for a long period of time. “The main provisions of UAPA are such that it enables preventive detention of people for long periods of time. UAPA had started as a law that banned organisations but now it’s an anti-terror law,” he said.

He then highlighted the series of amendments to the anti-terror law that made it even more stringent and harsh. He said that earlier, organisations could be banned because of “hate speech” and “secession” but due to the 2004 amendment to UAPA, organisations can now be banned for “spreading disaffection against the country”. He added, “Disaffection is such a wide term, the same language is used in the sedition provision in the Indian Penal Code.” Further, through the 2013 amendment to UAPA, the ban period which was earlier for 2 years, was increased to 5 years.

He explained how the National Investigation Agency (NIA), under the Centre, takes over the investigation of cases and in a way dominates it. He said that as per the latest data, in 66 percent of the cases that are dealt with by the National Investigation Agency, people aren’t charged for any actual incident of violence or finding arms, but only on grounds of “conspiracy”. He referred to the Bhima Koregaon case, where human rights activists have been arrested because there was an alleged conspiracy.

State surveillance

During the hearing on the implications of the Pegasus spyware, Bachelet at the outset stated that the unprecedented level of surveillance across the globe by state and private actors is incompatible with human rights.

“The targeting of human rights defenders, journalists and politicians is just another example of how tools allegedly meant to address security risks can end up being weaponized against people with dissenting opinions,” she said. “Surveillance measures can only be justified in narrowly defined circumstances, based on the law. In addition, such measures must be both necessary and proportionate to a legitimate goal. Government hacking at the scale reported is never going to meet these criteria,” she continued.

She also gave a call to all States that “until compliance with human rights standards can be guaranteed, governments should implement a moratorium on the sale and transfer of surveillance technology”.

The statement may be read here.

In early August, UN experts also called on all States to impose a global moratorium on the sale and transfer of surveillance technology until they have put in place robust regulations that guarantee its use in compliance with international human rights standards.

Pegasus and Supreme Court

Presently the Supreme Court is apprised of the matter related to the use of Pegasus spyware allegedly used against Indian citizens. The Solicitor General of India, Tushar Mehta on behalf of the Union government told the court that the government cannot disclose the use of Pegasus on the affidavit, because of national security reasons. However, he insisted that government interception is not illegal and that the government is in compliance with the laws. He conceded that a committee of domain experts will look into the petitioners’ contentions and submit the report before the court but the government cannot file an affidavit and make the document public.

Related:

National security laws being misused by State to establish executive supremacy: Gautam Bhatia

Current regime has mastered the art of using UAPA selectively: Mihir Desai

Centre refuses to disclose use of Pegasus in affidavit, pleads national security

Centre refuses to disclose use of Pegasus in affidavit, pleads national security https://sabrangindia.in/centre-refuses-disclose-use-pegasus-affidavit-pleads-national-security/ Mon, 13 Sep 2021 11:27:09 +0000 http://localhost/sabrangv4/2021/09/13/centre-refuses-disclose-use-pegasus-affidavit-pleads-national-security/ The Supreme Court has reserved its order in the matter


The Supreme Court continued to hear the various petitions filed against the alleged use of Pegasus to spy on citizens of the country. The three-judge Bench of CJI NV Ramana, Justices Surya Kant and Hima Kohli has reserved its order in the matter, where the central government has refused to file a detailed affidavit disclosing information. The Bench has given the liberty to the government to approach the Court in the next two to three days, if they change their mind.

Although the Solicitor General of India, Tushar Mehta, had asked for more time to file an additional affidavit in the previous hearing, today, on September 13, he refused to disclose more information about the use of Pegasus and reiterated that the government would like to set up a committee to look into the grievances of the petitioners.

He said, “The position is like this…petitions before your lordships are seeking inquiries into unauthorised surveillance. I have filed an affidavit stating that in view of prevailing statutes, we are in compliance. I have stated in my affidavit that we would constitute a committee of domain experts…” He argued that the government cannot disclose the use of Pegasus on the affidavit, because of national security reasons.

He said, “The domain experts will look into it and file the report before your lordships….section 69 of the Information Technology Act permits interception but there has been no unauthorised interception. The Centre has informed the Parliament. Nonetheless, the issue is important. So, we have expressed our willingness to constitute a committee…Whether the government used A software or B software for authorised interception can’t be the subject matter of a court debate.”

SG Mehta pressed for the formation of the committee and said that the report will be submitted before the Supreme Court. “Everything will be fair… I [the government] am not averse to the fact that petitioners are alleging invasion of privacy. I will take it seriously. That is why I suggested the formation of a committee. Revealing whether Pegasus was used or not, would not be in national interest. Allow the government to constitute the committee, independent of the government. We would not like to place it on affidavit in interest of nation and security of the nation,” he submitted.

At this point, Justice Surya Kant intervened and clarified that the Bench does not intend to get into sensitive matters of national security of the nation. “We have clarified that when it comes to national security, nobody is interested in that. The only limited affidavit which we were expecting you to file was…there are citizens before us alleging infringement of rights. If you could just clarify that….”

The CJI reiterated, “We are going back again and again; we are not interested to know what you are doing to protect the interest and defense of the country. We are only concerned in the face of allegations, some software was used to target some citizens, to know if the government has used such a method. This needs examination…If you would have filed an affidavit, we would have known where we stand as of today.”

Senior counsel Kapil Sibal, appearing for one group of the petitioners (journalists, N Ram and Sashi Kumar) referred to the case Ram Jethmalani vs Union of India, 2008 11 SCC 1, to argue that the State may not act in a manner which prevents this court from rendering complete justice by withholding information. He said, “All we want to know is if the State has used Pegasus. But my learned friend [Tushar Mehta] is saying that it will be detrimental to national interest. I am sorry, to not say that will be detrimental to justice. This spyware is per se illegal. It cannot be used. Ordinary citizens were targeted. This is a serious issue. State cannot say that they cannot tell the court.”

Sibal then referred to the Hawala scam case, to argue that a panel of retired judges was constituted to probe the allegations and that the same should be adopted in this present case, instead of the court directing the government to form the committee. He said, “Why should the government be allowed to form a committee on its own? It should be completely away from their control.”

Shyam Divan, senior advocate appearing for petitioner Jagdeep S Chhokar, urged the court to direct the Cabinet Secretary to file a detailed affidavit on the matter. He said, “We have indicated cases where the court has directed the Cabinet Secretary to file an affidavit in the past. There could be an invasion of privacy by an agent of the government or outside the government. Either way it’s the duty of the state to protect the citizens from such an invasion. The Cabinet Secretary is in-charge of all departments. He can look into it.”

He further submitted that Pegasus is not just a surveillance mechanism but a malware that can implant false data and documents in the device. He said, “This is beyond the telegraph rules, and the IT act…the government is to be vitally concerned about this. If Pegasus is being deployed without knowledge, I respectfully urge that the Cabinet Secretary file an affidavit. My client is a retired IIM Professor and if people like him are targeted, then it is a direct assault on democracy.”

Senior counsel Rakesh Dwivedi, appearing for petitioners SNM Abdi and Prem Shankar Jha, argued that allowing the Government to constitute a committee and asking the petitioners to submit their phones will be a secretive exercise. He said, “It will not be a credible exercise in which people of the country will have faith.”

Senior counsel Dinesh Dwivedi, appearing for journalist Paranjoy Guha Thakurta, whose name was allegedly in the potential list of Pegasus targets, said that the affidavit of the central government is contradictory. He said, “In one place they [central government] say that the allegations are baseless but in other places they say allegations are serious and so they are constituting a committee…I appear for a journalist whose phone was snooped and it was accepted too, this was not denied.”

Senior Advocate Meenakshi Arora, appearing for Rajya Sabha member John Brittas of CPI(M), suggested that a Special Investigation Team should be set up, under a retired judge. Senior Advocate Colin Gonsalves, representing Software Freedom Law Centre argued that the government has been engaging in widespread surveillance and if this were true, the government committee would be of no help.

After the arguments of the petitioners, the Solicitor General Tushar Mehta vehemently argued against filing of another affidavit and said that interception in the country is not an illegal activity. In his concluding submissions, he said, “There is a statutory regime in place, interception per se is not illegal. Mr. Shyam Divan states that Pegasus is a dangerous technology, it is a dangerous technology, it can be used and abused. But that will leave us nowhere.”

He added, “Let there be a committee of experts to find out whether the petitioners are right or wrong. It is the assurance of me that the domain experts will not be directly or indirectly related to the government and the report will be submitted to your hon’ble court. That is how a façade is created that the government is hiding something. We have nothing to hide. We can’t place this in an affidavit in the public domain. Let domain experts look into it. The insistence that it should come into public domain by way of an affidavit will alert potential targets like terror groups, etc.”

CJI Ramana then said, “Beating around the bush is not the issue, Mr. Mehta.” He then ended the hearing by saying, “if the committee examines the issues, and submits the report to us, it will still be in the public domain….let us see what order we will pass. We are reserving and will pass an interim order.”

Related:

Pegasus Scandal: SC finally issues notice to GoI

Pegasus spyware trotting into ministers’ phones, who is next?

Pegasus Project: 5 targeted journalists move SC, say have been subject to intrusive hacking

Pegasus Snoopgate: RS MP, Journalists move SC for court monitored probe
