When the issue of Israeli spyware being used by government to spy on certain individuals was raised in the LokSabha on the second day of its current winter session, in an unabashed response, the Minister of State in the Home Affairs Ministry Kishan Reddy said that Section 69 of the Information Technology Act (IT Act) empowers the Central Government to intercept and monitor anyone. The question was asked on the floor of the lower house by MDMK’s A Ganeshamurthi.

This statement coming from the Home Affairs Ministry today, has silenced all speculation and can be considered as a clear admission by the central government that it did in fact spy upon lawyers and human rights activists, in blatant misuse of its powers.

Only 10 agencies can tape phones: Centre

In a written reply, the central government further also said there are only 10 agencies that are authorised to tape phones in India. These include the CBI, the ED and the Intelligence Bureau. The government said these agencies have to take permission from the Union Home Secretary approval before putting anyone on surveillance.

The 10 authorities that can intercept phones in India are: Intelligence Bureau, Central Bureau of Investigation, Enforcement Directorate, Narcotics Control Bureau, Central Board of Direct Taxes, Directorate of Revenue Intelligence, National Investigation Agency, R&AW, Directorate of Signal Intelligence and Delhi Police Commissioner.

The Law

Section 69 of the IT Act deals with provisions pertaining to Power to issue directions for interception or monitoring or decryption of any information through any computer resource, whereby, the government or its authorised officers, in the interest of “sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence” may intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource.

Sabrang India had recently done an analysis on how vague and arbitrary are the provisions that allow interception by the government, enabling the government to justify its surveillance activities by using such vague provisions as a shield.

In October this year,WhatsApp filed a complaint in a California Court against Israel’s NSO Group, many things have unravelled. The claims of the IT Ministry that WhatsApp did not inform them about the vulnerability in their service, were countered by Whatsapp stating that besides notifying the government in May about a vulnerability in its service, it sent a letter in early September that 121 Indians were compromised by the Israeli spyware Pegasus. To this, the IT Ministry responded saying that the September letter sent to them was very vague. The government had alleged that it was disturbed that the company had not brought the privacy breach of Indian citizens to their attention during the two meetings with the minister earlier this year.

On November 1, this year, Whatsapp confirmed that NSO Group’s spyware called Pegasus was used to spy upon  journalists and human rights activists in India who were informed by Whatsapp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019

After this shocking revelation, the 19 affected Indian users who were contacted by WhatsApp wrote an open letter to the Central government saying, “It is a matter of public concern whether Indian tax payer money has been spent on this kind of Cyber surveillance… We seek an answer from the Government of India about whether it was aware of any contract between any of its various ministries, departments, agencies, or any State government and the NSO Group or any of its contractors to deploy Pegasus or related malware for any operations within India?” The government, back then, had neither confirmed nor denied the usage of the spyware.

However, by invoking section 69 of the IT Act when asked if the government was tapping Whatsapp conversations, the government has silenced all speculations and we have a clear admission from the horses mouth!

Related:

WhatsApp confirms: Israeli spyware was used to snoop on Indian journalists, activists

Besides May alert, WhatsApp sent another in September on 121 Indians breached

Phone tapping and now face scan, Govt. creeping into our privacy

What is Ravishankar Prasad Hiding on WhatsApp Hack?

The post Did GOI just admit in Lok Sabha to using Pegasus to spy on activists? appeared first on SabrangIndia.

This is what political parties and others are asking: was it a government agency that bought the hacking tools from the Israeli company? And used it against its own citizens? Are we, as Justice Srikrishna said, becoming an Orwellian surveillance state?  Justice Srikrishna headed the committee that gave detailed recommendations on framing a data and privacy protection law. Though its recommendations were submitted in 2018, the government has been dragging its feet over such a law protecting the privacy of its citizens.

If we listen to Ravi Shankar Prasad, the IT minister, it is either the fault of the Congress, who used to bug their opponents phones; or Facebook’s: he has asked WhatsApp to “explain” the hacks. In other words, deflect from the simple and straight forward question, did any central government agency buy or license Pegasus from the Israeli company?

Under the rules of the IT Act, ten central government agencies were notified in 2018, who have powers of interception. The home ministry’s denial on an RTI on whether Pegasus was procured by the government, was limited only to agencies under the home ministry. What about agencies such as NTRO, RAW and CBI, which are not under the home ministry? Why has the voluble Ravi Shankar Prasad, otherwise offering his opinion on everything under the sun, been so coy about providing a straight answer to this question?

The CPI(M) in a press statement raised questions, “The government needs to answer whether any of its agencies were involved in the use of this hacking software, particularly since most of the persons affected were targeted by the government in May last year. Under law, hacking peoples phones would constitute a cyber crime. If the government is not involved in the Pegasus software as it claims, why has it not filed an FIR and started criminal investigations?”

NSO, the Israeli company has claimed that they supply such software only to government agencies. If indeed the Indian government agencies are not involved, then the hacking of peoples smartphones constitute a criminal offence. Why has the government, specifically the IT ministry not filed an FIR and started criminal investigations on this? Blaming the Congress for previous misdeeds including the Emergency, does not absolve this government from performing its constitutional duties. Or is it the IT minister’s kindergarten alibi that “they did first”?

NSO has been notorious for supplying its hacking tools to governments and various spy agencies. Among its buyers have been Saudi Arabia and United Arab Emirates, who have used these tools to hack into their critics phones and computers. It was widely reported that Jamal Khashoggi’s iPhone was hacked by Saudi intelligence agencies using Pegasus, prior to his killing in Saudi’s Istanbul consulate. 

The only legal step that has been taken in this hacking is Facebook, the owner of WhatsApp platform, filing a civil suit for damages against two Israeli entities, NSO and Q Cyber Technologies, in a Federal Court in San Francisco, US.

What is Pegasus “software” and how does it affect the smartphone users, particularly WhatsApp users? The Israeli company supplies hacking tools for various kinds of devices including Android based smartphones or iPhones, who between them have a near 100 per cent monopoly (or duopoly)  over all smartphones. For WhatsApp, which has been widely publicising its 100 per cent end-to-end encryption, it is particularly embarrassing, as it has neglected to tell its users that such encryption does not help if the users’ phones are hacked; such information is available in unencrypted form on the users’ phones. To compound their embarrassment, the Pegasus hacking software used a security hole in the WhatsApp software.

The current security hole has been patched by WhatsApp. But this was only one such hole. There are many others which are not even known. These are called zero-day exploits – meaning that they are unknown to the supplier of such software – and are sold by criminals on the Dark Net. Even companies pay big money to hackers to learn about their security holes, quite often buying such information from the same Dark Net that criminals use.

If this buying and selling of such software are limited to only criminals or companies intent on patching their systems against vulnerabilities, the problems would have been far less than what we face today. This has been made far worse due to government’s intelligence agencies entry into this business. They bring in big bucks, large teams and tap into the leading research institutions in the name of national security.

While the US and the western media has been talking about Russia and China, they are largely silent on Israeli agencies and of course US agencies NSA-CIA, and UK’s GCHQ. These three sets of intelligence agencies have developed the most extensive suit of software tools or attack tools for penetrating computers, smartphones, the switches and routers that are a part of the telecom infrastructure of every country and even in our homes.

In this sense, hacking tools and cyber weapons are not significantly different, only their purpose is different. If anybody hacks into a computer or a phone, the hacker – and not the consumer –  effectively owns the phone as they can control what the device does.

In the US, its domestic laws, permissive as they are under their so-called global war on terror, still has a modicum of protection on domestic surveillance; even under the FISA courts’ very wide latitude given to the security agencies. We know from Snowden and WikiLeaks revelations that the US had penetrated the telecom infrastructure of every country, and had backdoors to US manufactured equipment and software platform for installing its spyware.

The Israeli agencies worked closely with the US agencies. The US could not sell such software or equipment to “friendly” monarchies and fascist rulers as it comes under export control rules. In US, these software are recognised as weapons, and their exports are strictly controlled. No such controls exist for the Israelis, who use a number of companies that are very closely tied to the Israeli military and its spy agencies. NSO and other such companies are essentially the US-Israeli arm of supplying such software tools to other spy agencies of “friendly” governments.

Such sale of software tools to the government of other countries also provide the US and Israel additional intelligence feeds. The countries including India may feel that they have “bought” this software, but all such software operates based on “servers” set up by such companies, which again are linked to Israel. All this information goes back to Israel and the US spy agencies. When governments buy such software from foreign sources, they in effect, are partnering foreign agencies to spy on their own citizens; or help foreign powers shape the domestic narrative. If NTRO or RAW have indeed bought Pegasus, the narrative that such hacking can produce, can be easily manipulated by Israeli or US spy agencies. This is the risk of “outsourcing” intelligence operations and tools. 

According to a Reuters report on the victims of the WhatsApp Pegasus breach, … “a ‘significant’ portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. If the NSO’s claims of selling only to governments are correct, either the Pegasus spyware was used by governments to hack each other, or they were victims of Israeli spying. To compound the danger, the NSA’s and CIA’s spyware tools were dumped by hackers on the net in 2017 and are available to criminals. This shows how dangerous such software is for everybody, not just activists.

What make such tools particularly dangerous is that they are not the work of a few hackers but have the resources of a state behind them. These are not hacking tools but cyber weapons. This is why the governments need to sign a moratorium on developing and deploying such weapons, the same as we have on chemical and biological weapons.

First published in https://peoplesdemocracy.in/

The post What is Ravishankar Prasad Hiding on WhatsApp Hack? appeared first on SabrangIndia.

Is there an NSO connection with the UIDAI Aadhaar? It appears so. The Economic Times reports that investigations show that the company that backed Israeli cyber technology company NSO Group has an ‘India connection’. Francisco Partners invested in and later acquired CrossMatch, a certified supplier of biometric devices according to its website. In an August 2018 press release highlighting sales of its ‘U.are.U’ and ‘TouchChip’ line of “readers, modules and sensors” exceeding 750,000 units, the company said, “CrossMatch has a long history of providing high-performing biometric enrolment and verification devices in support of Aadhaar”.CrossMatch, according to media reports, received its certificate of approval from the Indian government in 2011. The newspaper reports that it had also tried to reach out to the UIDAI spokesperson, with specific queries around the nature of relationship between CrossMatch and the government agency. At the time of going to press, UIDAI was yet to respond.

Over the past weekend after the Whatsapp Snoop Scam broke sharp questions are being asked, not the least of which being, who benefits most from such sinister surveillance? The government, of course.Who would want the phone records/activity of Shalini Gera of the Jagdalpur Legal Aid Group and Bhima Koregaon case accused Sudha Bharadwaj’s lawyer; Advocate Nihalsingh Rathod, who heads the Human Rights Law Network in Nagpur, and is a lawyer of accused Surendra Gadling in the same case; Bela Bhatia, Adivasi rights activist from Chhattisgarh; Anand Teltumbde, academic and writer on Dalit issues, also an accused in the same case; Ankit Grewal, who represented Sudha Bharadwaj; and several other activists and journalists?
Now there is more. ET reports that the lawsuit filed by Facebook-owned WhatsApp against Israeli cyber technology company NSO Group has revealed not just this surveillance of lawyers, journalists and activists but also a questionable role played by private equity funds in the growth of the industry that often function in a grey zone.

This is how it works: NSO cofounders Shalev Hulio and Omri Lavie did a classic management buyout of the company from San Francisco-based PE firm Francisco Partners using the financial muscle of London-based Novalpina Capital for $1 billion. Francisco Partners made about eight times the $120 million it paid to buy the company five years before. Although it had announced the sale on February 14, 2019, in a press release, that communication is no longer visible on its website. It is, however, part of the documents in the WhatsApp suit against NSO filed in a California court October 29 for allegedly hacking its servers and systems.

Francisco Partners was co-founded in 1999 by former TPG Capital principal Dipanjan ‘DJ’ Deb along with David Stanton, another senior TPG executive, who left the company in 2005 as managing partner, and others. Francisco Partners is largely said to be technology-focused, with a penchant for surveillance technology companies in the growth stage. According to those who know the company, Francisco Partners “typically buys promising companies for cheap and helps them grow, before aiming for a substantial return”.

Biometric Service Provider CrossMatch
The company, according to persons ET spoke to, also “actively solicits clients for their investee companies”. To be sure, this is not unusual among private equity firms. Novalpina, the PE firm which helped acquire the NSO Group, on the other hand, buys companies with “proven track records”.

On Friday, ET reached out to Dipanjan Deb and his assistant with questions. The evasive response by the company that tells the full story may be read here
 

The post The “India Connection” in the WhatsApp Snoop Scam appeared first on SabrangIndia.