At the heart of this legal battle is NSO Group, the developer of Pegasus, a spyware tool of notorious capability. Pegasus has been repeatedly linked to state-sponsored surveillance campaigns targeting journalists, human rights activists, political dissidents, and even heads of state across the globe, transforming smartphones into pocket-sized spies. The U.S. court’s decision to hold NSO Group liable for its actions and impose substantial damages signifies a potential turning point. The sheer size of the penalty, combined with its status as the first U.S. jury verdict against a commercial spyware company, signals a shift in the landscape of accountability. NSO Group’s defence has often leaned on the argument that it sells only to sovereign governments, thereby attempting to deflect responsibility for how its tools are used. However, this verdict pierces that veil, holding the technology provider directly accountable for facilitating illegal acts. This suggests that the creators of such potent surveillance tools may no longer be able to easily evade responsibility for the abuse their products enable.

This article will dissect the Meta vs. NSO Group judgment, explore its implications for the shadowy spyware industry, and critically examine what this U.S. legal precedent means for India. The U.S. ruling, therefore, is not just a foreign legal development but a significant event with potential repercussions for India’s ongoing struggle for digital rights and accountability.

The verdict rings out: Meta’s gruelling six-year battle and NSO’s defeat

The culmination of a nearly six-year legal confrontation saw a U.S. federal jury in the Northern District of California order NSO Group to pay Meta Platforms approximately $167.7 million. This sum comprised $444,719 in compensatory damages, covering Meta’s costs in responding to the attack, and a colossal $167,254,000 in punitive damages, designed to punish NSO Group for its conduct and deter future wrongdoing.

This damages trial followed a crucial summary judgment by U.S. District Judge Phyllis J. Hamilton on December 20, 2024. In that earlier ruling, Judge Hamilton found NSO Group liable for violating the U.S. Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and for breaching WhatsApp’s terms of service. The case centred on NSO Group’s 2019 cyberattack, which exploited a vulnerability in WhatsApp’s audio calling feature. This flaw allowed NSO to covertly install its Pegasus spyware on the mobile devices of more than 1,400 WhatsApp users across the globe, including journalists, human rights activists, political dissidents, and diplomats.

Throughout the litigation, NSO Group employed a multi-pronged defence strategy, which was systematically dismantled by the U.S. courts. A cornerstone of NSO’s defence was the claim of foreign sovereign immunity, arguing that because it sells its spyware exclusively to government agencies, it should be shielded from lawsuits as an agent of those foreign states. This argument was consistently rejected by U.S. courts, culminating in the U.S. Supreme Court declining to hear NSO’s appeal on the matter. This series of rejections was pivotal, establishing that NSO Group, despite its governmental clientele, could indeed be sued in U.S. courts, particularly as evidence emerged that NSO utilized U.S.-based servers for its operations. NSO had long contended that U.S. courts lacked jurisdiction over its foreign operations targeting foreign victims, a claim significantly undermined by these rulings.

Furthermore, the NSO Group attempted to distance itself from the actual deployment of Pegasus, asserting that its government clients operate the spyware independently. However, court documents and trial testimony painted a different picture. Evidence, including sworn depositions from NSO employees, revealed the company’s direct involvement in the spyware’s installation and data extraction processes. Some employees even admitted to using WhatsApp to install spyware and continuing these activities even after Meta had filed the lawsuit. This direct operational role contradicted NSO’s narrative of being a passive technology provider.

The company also faced criticism and sanctions for its conduct during the discovery phase of the lawsuit, including its failure to produce the Pegasus source code as ordered by the court. In arguing against damages, NSO contended that Meta had suffered no actual financial loss, suggesting that employee salaries for remediation efforts would have been paid regardless of the attack and that WhatsApp’s servers were not physically damaged. The jury, however, sided with Meta, awarding the full amount of compensatory damages requested.

The crumbling of the “sovereign agent” facade is perhaps one of the most significant outcomes of this litigation. Spyware companies have historically hidden behind the argument that they merely sell tools to governments, thereby deflecting responsibility for any misuse. This verdict, by establishing NSO’s direct actions in deploying spyware and by piercing the sovereign immunity claim, creates a powerful precedent. It suggests that the creators of these potent surveillance tools can be held accountable in jurisdictions like the United States, especially if their actions involve U.S. infrastructure or violate U.S. laws. This development considerably increases the legal exposure for such companies on a global scale.

The composition of the damages award is also telling. The overwhelming proportion of punitive damages ($167.25 million) compared to compensatory damages ($444,719) indicates that the jury found NSO Group acted with “malice, oppression or fraud,” as noted in the court’s findings. Compensatory damages are intended to cover actual losses incurred by the plaintiff. Punitive damages, on the other hand, are designed to punish the defendant for egregious conduct and to deter similar behaviour in the future. The jury’s decision to award such substantial punitive damages sends an unequivocal message that NSO’s conduct was not merely illegal but profoundly reprehensible. This financial blow is aimed squarely at NSO Group and, by extension, the broader spyware industry, signalling that such activities will incur severe financial penalties that go far beyond merely covering the victim’s direct costs. This could make the business model of such companies, some of which, like NSO, are already reported to be under financial strain, far riskier and less tenable.

Pegasus unveiled: The “ghost” in the machine and its modus operandi

Pegasus is not just any spyware; it is a highly sophisticated tool engineered to infiltrate both iOS and Android devices, the dominant mobile operating systems globally. Its notoriety stems significantly from its “zero-click” exploit capabilities. This means Pegasus can be surreptitiously installed on a target’s device without requiring any action from the user – no need to click a malicious link, open an infected attachment, or even answer a call. The spyware can be delivered silently, for instance, through a missed WhatsApp call or a specially crafted message that doesn’t even need to be opened by the recipient.

Once installed, Pegasus effectively hands over complete control of the compromised device to the attacker. It can access a vast trove of personal and sensitive information, including encrypted messages (either by intercepting them before encryption on the sending device or by reading them after decryption on the receiving device), emails, photos, videos, call logs, contact lists, GPS location data, and stored passwords. Furthermore, Pegasus can remotely and covertly activate the device’s microphone and camera, turning the phone into a live surveillance device, all without the owner’s knowledge or consent. During the U.S. trial, NSO Group executives themselves conceded that Pegasus is capable of vacuuming up “every kind of user data on the phone”.

NSO Group has consistently maintained a specific narrative about its business model. The company claims that its flagship product, Pegasus, is sold exclusively to vetted government security and law enforcement agencies. The stated purpose, according to NSO, is to aid these agencies in legitimate activities such as conducting rescue operations and combating serious criminals, including terrorists, money launderers, and drug traffickers.

However, this official line stands in stark contrast to the findings of numerous independent investigations conducted by organizations like the University of Toronto’s Citizen Lab, Amnesty International, and various international media consortia, including the Pegasus Project. These investigations have meticulously documented the widespread use of Pegasus against unintended targets: journalists attempting to hold power accountable, human rights activists defending fundamental freedoms, lawyers representing sensitive clients, political opponents challenging incumbent regimes, and even heads of state. The trial also revealed that NSO Group invests heavily in its offensive capabilities, with executives admitting to spending tens of millions of dollars annually to develop sophisticated malware installation methods. The price tag for such capabilities is correspondingly high; for instance, NSO reportedly charged European government customers up to $7 million for the ability to hack just 15 devices, with additional costs for targeting devices internationally.

The glaring disparity between NSO Group’s stated purpose for Pegasus and the documented reality of its deployment against civil society effectively exposes the fallacy of the “dual-use” argument often employed for such powerful technologies. NSO’s defence consistently hinges on the supposed legitimacy of its clients and the intended use of Pegasus against “serious crime and terrorism.” However, the evidence presented during the trial, coupled with a vast body of independent research, points to a persistent pattern of abuse. This discrepancy suggests one or a combination of possibilities: NSO’s vetting processes for its government clients are woefully inadequate, its contractual controls designed to prevent misuse are ineffective or unenforced, or the company is wilfully blind to, if not complicit in, the misuse of its spyware by these clients. The argument that such tools have both legitimate and illegitimate uses – the “dual-use” defence – often crumbles when the technology in question is as inherently invasive as Pegasus and the oversight mechanisms are minimal or absent.

Moreover, the very existence, development, and marketing of a tool like Pegasus, capable of achieving total and covert compromise of a personal device, indicates a dangerous global trend towards the normalization of extreme surveillance capabilities. The fact that NSO Group could successfully develop and sell such a product to numerous governments worldwide suggests a significant global appetite for these intrusive powers. The technical sophistication of Pegasus, particularly its zero-click infection vectors, means that traditional cybersecurity defences employed by average users are often rendered useless. This creates an environment where the reasonable expectation of digital privacy is severely eroded, potentially casting a chilling effect on free speech, association, and dissent, even for individuals who are not directly targeted but fear they could be.

Turning point for spyware accountability?

The verdict against NSO Group is a landmark precedent in the fight against the unregulated proliferation of commercial spyware. It is the first U.S. jury verdict against a commercial spyware company and, significantly, the first U.S. verdict against NSO Group itself. The financial award also represents the largest reported verdict in a civil case brought under either the Computer Fraud and Abuse Act (CFAA) or the California Comprehensive Computer Data Access and Fraud Act (CDAFA).

The judgment is anticipated to have a significant impact on the broader spyware industry. Meta, in its statement following the verdict, emphasised that the ruling acts as a “critical deterrent to this malicious industry”. The success of Meta’s lawsuit may embolden other victims of spyware, whether individuals or corporations, to seek legal recourse against spyware vendors. Furthermore, the ruling could make it considerably harder for spyware companies to hide behind “plausible deniability” regarding the use of their products. This, coupled with the substantial financial penalty, is likely to lead to increased legal and financial risks for the industry, potentially affecting investment, operational strategies, and the overall viability of businesses built on selling such intrusive technologies.

This legal victory also serves to empower technology platforms in their efforts to protect their users and systems. It validates the legal strategy employed by tech companies like Meta, which utilized anti-hacking statutes such as the CFAA to hold spyware developers accountable for exploiting their platforms. Demonstrating a commitment beyond mere financial compensation, Meta has announced its intention to donate the damages recovered from NSO Group to digital rights organizations that are actively working to combat surveillance abuses and protect vulnerable users. This action is part of a growing trend where major technology companies, including Apple, which has also filed its own lawsuit against NSO Group, are taking a more proactive and aggressive stance in combating the commercial surveillance industry through both legal challenges and technical countermeasures.

The outcome of the Meta vs. NSO case signals a potential shift in the power dynamics that have characterized the surveillance technology landscape. For years, spyware firms like NSO Group operated largely in the shadows, their actions difficult to definitively prove and their legal standing often ambiguous due to claims of sovereign immunity and client confidentiality. Technology platforms, whose services were exploited as vectors for spyware delivery, were often in a reactive posture. This verdict, however, building upon the crucial judicial rejection of NSO’s sovereign immunity claims, empowers these platforms. They can now more confidently leverage their considerable legal and technical resources to proactively protect their ecosystems, thereby making it more costly and legally perilous for spyware vendors to target mainstream communication platforms.

The case also inadvertently highlights the role of the U.S. legal system as a, perhaps reluctant, enforcer of global digital rights. This is also a consequence of the geographical concentration of major technology company headquarters and critical internet infrastructure, including servers, within the United States. When global communication platforms, many of which are U.S.-based, find their terms of service violated or their U.S.-located servers accessed without authorization for the purpose of deploying spyware, it provides a jurisdictional hook for legal action within the American judicial system. While the outcome in the Meta vs. NSO case is viewed positively by digital rights advocates, it does raise broader questions about the sustainability and global desirability of relying predominantly on one nation’s courts to address what inherently international issues of spyware abuse are. This underscores the pressing need for enhanced international cooperation and the development of stronger, harmonized national laws elsewhere to combat this menace effectively.

Finally, the substantial financial penalty imposed on NSO Group, particularly the massive punitive damages award, underscores the potential of economic deterrence as a key weapon against the spyware industry. NSO Group has been reported to be facing significant financial difficulties, including being placed on a U.S. government blacklist that restricts its access to American technology and markets. A judgment of nearly $168 million could indeed be a fatal blow to an already struggling entity. This suggests that economic pressure, exerted through sanctions, large civil penalties, and divestment campaigns, might be one of the most effective tools to curb the proliferation of commercial spyware, especially since ethical appeals or reliance on the discretion of client governments have, to date, proven largely insufficient.

The Indian Connection: Pegasus shadows loom large over democracy

The NSO Group’s activities, as detailed in the U.S. court proceedings and prior investigations, have a significant and alarming Indian connection. Court documents related to the Meta lawsuit revealed that India was the second-most targeted country in the 2019 WhatsApp hacking campaign, with over 100 Indian users identified as victims. The list of those targeted in India reportedly included journalists, human rights activists, lawyers, and politicians, mirroring the global pattern of Pegasus deployment against civil society figures rather than solely against criminals and terrorists as NSO Group claims.

These findings were amplified by the Pegasus Project revelations in 2021. This collaborative investigative effort by international media organizations, based on a leaked list of potential surveillance targets, indicated that around 300 phone numbers in India were of interest to NSO’s clients. The Indian list controversially  included serving ministers, prominent opposition leaders such as Rahul Gandhi, political strategists like Prashant Kishor, numerous journalists including Siddharth Varadarajan of The Wire, activists such as Umar Khalid, a former Election Commissioner, Ashok Lavasa, who had flagged poll code violations by the Prime Minister, and even sitting Supreme Court judges.

Amnesty International’s Security Lab has conducted forensic investigations that further substantiate these concerns. Their findings confirmed repeated targeting of Indian journalists. Siddharth Varadarajan, for instance, was found to have been targeted with Pegasus in 2018 and then again in October 2023. Another journalist, Anand Mangnale, South Asia Editor at The Organised Crime and Corruption Reporting Project (OCCRP), was targeted in August 2023 with a sophisticated zero-click exploit delivered via iMessage while he was reportedly working on a story about alleged stock manipulation by a large Indian conglomerate.

In response to the widespread outcry following the Pegasus Project revelations, the Supreme Court of India intervened in October 2021. Recognising the gravity of the allegations, the Court constituted an independent technical committee, headed by retired Supreme Court Justice R.V. Raveendran, to investigate the claims of Pegasus surveillance.  This committee submitted its report in a sealed cover to the Supreme Court in August 2022. Out of the 29 phones analysed by the Technical Committee, just five showed signs of malware — and even in those cases, there was no clear evidence linking it to Pegasus, as per the three-part report presented to the Court by the Justice R.V. Raveendran committee. Crucially, the CJI NV Ramana (as he was then) also made a significant observation: the Indian government “did not cooperate” with the technical committee’s investigation.

The full contents of the technical committee’s report remain sealed and have not been made public.

The Indian government’s official stance on the Pegasus allegations has been one of consistent denial of any unauthorised interception by its agencies. Statements from the Ministry of Electronics and Information Technology (MeitY), including those made by Union Minister Ashwini Vaishnaw, have dismissed the reports as attempts to “malign Indian democracy and its well-established institutions”. The government has asserted that existing legal frameworks, such as the Indian Telegraph Act and the Information Technology Act, provide sufficient checks and balances against illegal surveillance. However, MeitY, through CERT-In (Indian Computer Emergency Response Team), was reportedly informed by WhatsApp about the Pegasus breach affecting Indian users as early as September 2019, raising questions about the timeliness and transparency of the government’s subsequent public responses.

More often than not, the government has invoked “national security” as a reason to avoid confirming or denying the procurement or use of Pegasus spyware. During Supreme Court hearings, the Solicitor General of India argued that “terrorists cannot claim privacy rights.” This sentiment was, to some extent, echoed by one of the judges who remarked, “What is wrong if the country is using spyware?… Using against whom is the question?”. These statements have fuelled concerns among civil liberties advocates that the national security argument is being used to shield potentially unlawful surveillance activities from scrutiny.

The Indian government’s persistent invocation of “national security” to sidestep transparency regarding Pegasus use, particularly its documented non-cooperation with the Supreme Court-appointed technical committee, presents a stark contrast to the detailed evidence and rigorous judicial scrutiny observed in the U.S. legal proceedings against NSO Group. While national security is undeniably a legitimate concern for any state, its deployment as a blanket justification to prevent any meaningful disclosure about the use of highly invasive spyware against a wide range of citizens—including journalists, opposition figures, and potentially even members of the judiciary—raises profound questions about democratic accountability and the potential for abuse of power. The U.S. verdict, which meticulously details the illegal hacking mechanisms employed by NSO, makes the Indian government’s opaque and defensive stance increasingly difficult to sustain, as the spyware tool itself has now been judicially recognized in a foreign court as problematic and its vendor held liable for its misuse.

The repeated and continued targeting of journalists in India, as confirmed by forensic analysis even after the initial Pegasus revelations and the Supreme Court’s intervention, suggests a brazen and deeply concerning attempt to suppress dissent and investigative journalism. When journalists investigating sensitive matters, such as allegations of financial misconduct by powerful entities, find themselves under state-sponsored surveillance, it sends a potent chilling message to the entire media community. This transcends individual privacy violations; it constitutes an assault on the freedom of the press, a cornerstone of any functioning democracy. The persistence of such targeting implies that the perpetrators feel a disturbing sense of impunity within the domestic Indian context.

The situation also presents a tale of two judiciaries and, by extension, two executive approaches. The proactive stance of the U.S. judiciary in holding NSO Group accountable, significantly aided by a well-resourced corporate plaintiff like Meta, contrasts sharply with the Indian Supreme Court’s current position. The Indian Court appears to be treading a cautious path, attempting to balance national security claims against individual queries about surveillance, a task made more challenging by the executive branch’s non-cooperation. While the U.S. case benefited from Meta’s considerable resources and clear legal standing as an aggrieved party whose platform was abused, in India, the petitioners are often individuals, under-resourced rights groups, or journalists. The Indian Supreme Court’s cautious handling of the sealed technical committee report and the government’s steadfast refusal to cooperate highlight systemic challenges in achieving accountability domestically. The fact that MeitY was reportedly informed of the WhatsApp breach affecting Indian users as far back as September 2019, yet the government’s public narrative and actions did not appear to reflect this urgency or information, further underscores this accountability deficit. The U.S. verdict might provide Indian petitioners with stronger international legal and moral backing, but overcoming domestic institutional hurdles remains a formidable challenge.

VI. Echoes in Delhi: How the US verdict resonates in India’s Pegasus saga

The U.S. District Court’s comprehensive findings against NSO Group and the subsequent multi-million dollar damages award are poised to have significant reverberations in India, where the Pegasus spyware controversy continues to simmer. The U.S. court’s meticulous detailing of NSO’s illegal activities and the intrusive nature of Pegasus spyware provide substantial evidentiary and moral support for petitioners currently before the Indian Supreme Court. Indeed, during hearings in April 2025, Senior Advocate Kapil Sibal, representing one of the petitioners, explicitly cited the U.S. judgment, highlighting the court’s observation that India was among the countries where WhatsApp users were targeted by Pegasus. The detailed revelations from the U.S. trial concerning NSO Group’s operational methods and its direct involvement in deploying the spyware can be leveraged to counter claims that the spyware’s use is solely determined by client governments without NSO’s active participation or knowledge.

This international legal precedent is likely to fuel fresh and more vociferous demands for transparency and accountability from the Indian government. Opposition parties, such as the Congress party which has already called for Supreme Court-monitored probes based on U.S. court revelations , along with civil society organizations; and various digital rights advocates, are expected to intensify their calls for the Indian government to: first, unequivocally state whether it procured and deployed Pegasus spyware; second, consent to a truly independent and transparent investigation into the allegations; and third, make the Supreme Court-appointed technical committee’s full report public, allowing for informed public debate and scrutiny.

The U.S. judgment also presents a formidable challenge to the broad “national security” argument frequently invoked by the Indian government to justify opacity surrounding the use of Pegasus. By laying bare the illicit hacking mechanisms of Pegasus and its deployment against ordinary citizens such as journalists and activists, the U.S. court’s findings weaken the credibility of using an all-encompassing national security pretext to shield such surveillance from any form of oversight in India. If the tool’s mode of operation is deemed illegal by a U.S. court when used against similar profiles of individuals, its alleged use in India under a vague and unsubstantiated national security rationale becomes increasingly questionable and harder to defend both domestically and internationally.

Ultimately, the U.S. verdict indirectly places India’s own democratic institutions—particularly its judiciary and parliamentary oversight mechanisms—under a critical test. If a foreign court, driven by a corporate plaintiff, can achieve a significant degree of accountability against the NSO Group, the question inevitably arises: why are Indian institutions apparently struggling to achieve similar accountability regarding the use of Pegasus within India’s borders? This focuses uncomfortable attention on the independence, efficacy, and resilience of these institutions when confronted with executive power and sweeping claims of national security. The Indian Supreme Court’s next steps in the Pegasus matter, with hearings scheduled for July 30, 2025, will be very closely watched in this context.

Conclusion

The broader struggle against illicit surveillance and the misuse of powerful espionage technologies is far from over. It requires sustained, multifaceted efforts from technology companies committed to protecting their users, from a vigilant and courageous civil society, from international bodies striving to establish global norms, and, most crucially, from national governments willing to uphold the rule of law and safeguard fundamental human rights in the increasingly complex digital age. The path to effectively reining in the global spyware menace is undoubtedly long and arduous, but the Meta-NSO verdict offers a crucial milestone, a tangible victory for a future where digital technologies empower rather than oppress.

(The author is part of the legal research team of the organisation)

Related:

Pegasus case: SC appointed Committee says GoI not cooperating

Pegasus scandal: Did GoI engage in an elaborate cover-up?

State can’t get free pass every time spectre of “national security” is raised: SC in Pegasus case

The post US court slams spyware giant NSO with $168M Fine: a reckoning for Pegasus and implications for India appeared first on SabrangIndia.

Is there an NSO connection with the UIDAI Aadhaar? It appears so. The Economic Times reports that investigations show that the company that backed Israeli cyber technology company NSO Group has an ‘India connection’. Francisco Partners invested in and later acquired CrossMatch, a certified supplier of biometric devices according to its website. In an August 2018 press release highlighting sales of its ‘U.are.U’ and ‘TouchChip’ line of “readers, modules and sensors” exceeding 750,000 units, the company said, “CrossMatch has a long history of providing high-performing biometric enrolment and verification devices in support of Aadhaar”.CrossMatch, according to media reports, received its certificate of approval from the Indian government in 2011. The newspaper reports that it had also tried to reach out to the UIDAI spokesperson, with specific queries around the nature of relationship between CrossMatch and the government agency. At the time of going to press, UIDAI was yet to respond.

Over the past weekend after the Whatsapp Snoop Scam broke sharp questions are being asked, not the least of which being, who benefits most from such sinister surveillance? The government, of course.Who would want the phone records/activity of Shalini Gera of the Jagdalpur Legal Aid Group and Bhima Koregaon case accused Sudha Bharadwaj’s lawyer; Advocate Nihalsingh Rathod, who heads the Human Rights Law Network in Nagpur, and is a lawyer of accused Surendra Gadling in the same case; Bela Bhatia, Adivasi rights activist from Chhattisgarh; Anand Teltumbde, academic and writer on Dalit issues, also an accused in the same case; Ankit Grewal, who represented Sudha Bharadwaj; and several other activists and journalists?
Now there is more. ET reports that the lawsuit filed by Facebook-owned WhatsApp against Israeli cyber technology company NSO Group has revealed not just this surveillance of lawyers, journalists and activists but also a questionable role played by private equity funds in the growth of the industry that often function in a grey zone.

This is how it works: NSO cofounders Shalev Hulio and Omri Lavie did a classic management buyout of the company from San Francisco-based PE firm Francisco Partners using the financial muscle of London-based Novalpina Capital for $1 billion. Francisco Partners made about eight times the $120 million it paid to buy the company five years before. Although it had announced the sale on February 14, 2019, in a press release, that communication is no longer visible on its website. It is, however, part of the documents in the WhatsApp suit against NSO filed in a California court October 29 for allegedly hacking its servers and systems.

Francisco Partners was co-founded in 1999 by former TPG Capital principal Dipanjan ‘DJ’ Deb along with David Stanton, another senior TPG executive, who left the company in 2005 as managing partner, and others. Francisco Partners is largely said to be technology-focused, with a penchant for surveillance technology companies in the growth stage. According to those who know the company, Francisco Partners “typically buys promising companies for cheap and helps them grow, before aiming for a substantial return”.

Biometric Service Provider CrossMatch
The company, according to persons ET spoke to, also “actively solicits clients for their investee companies”. To be sure, this is not unusual among private equity firms. Novalpina, the PE firm which helped acquire the NSO Group, on the other hand, buys companies with “proven track records”.

On Friday, ET reached out to Dipanjan Deb and his assistant with questions. The evasive response by the company that tells the full story may be read here
 

The post The “India Connection” in the WhatsApp Snoop Scam appeared first on SabrangIndia.

 

The recent WhatsApp hacking scandal and the Indian government’s response reminds one of this joke about Sherlock Holmes and Dr Watson: they are on a camping trip and go to sleep in a tent. In the middle of the night, Holmes shakes Watson awake and asks, “Watson, what do you see?” Watson says he sees thousands of stars, to which Holmes replies, “You idiot, somebody has stolen our tent!”

IT minister Ravi Shankar Prasad told the media that the government had asked WhatAapp (which is owned by Facebook) to give an explanation. Of course, WhatsApp/Facebook should be called out. But what about the Israeli surveillance company called NSO Group that sold its Pegasus spyware to, as yet, unknown clients so that they could hack into the phones of at least 17 Indian lawyers, activists and journalists using a flaw in WhatsApp’s digital infrastructure? The Modi government has very friendly relations with the Israelis. Should they not ask Prime Minister Netanyahu or the Israeli intelligence apparatus to press NSO to reveal the clients? Remember that the Israeli government has reportedly classified Pegasus as a ‘weapon’ because of its very powerful features and its potentially dangerous use.
 

Who Benefits?

After all, the big question here is this: cui bono, that is, who benefits? Who would want the phone records/activity of Shalini Gera of the Jagdalpur Legal Aid Group and Bhima Koregaon case accused Sudha Bharadwaj’s lawyer; Advocate Nihalsingh Rathod, who heads the Human Rights Law Network in Nagpur, and is a lawyer of accused Surendra Gadling in the same case; Bela Bhatia, Adivasi rights activist from Chhattisgarh; Anand Teltumbde, academic and writer on Dalit issues, also an accused in the same case; Ankit Grewal, who represented Sudha Bharadwaj; and several other activists and journalists?
Only the Indian government or its agencies, or even state governments would have any advantage in getting their hands on their phone data. The 10 persons involved in the Bhima Koregaon case have been accused of such serious charges like planning to assassinate PM Modi, overthrow the government, and so on. Till date, despite over a year of investigations, nothing much has emerged, which makes for a strong motivation to scrounge around for some clue in the activists’ phones.

That this is not just a pie in the sky is confirmed by reports of how Pegasus has been put to use elsewhere in the world by governments. There are reports of it having been used in Mexico to spy upon journalists, in Rwanda to spy upon a human rights’ activists and there is even a link to the infamous murder of Saudi journalist Jamal Kashoggi.
 

Different Agencies Interested in Spying

In December 2018, the government notified that 10 central security agencies and authorities would be allowed to carry out surveillance of all electronic communications, internet-based activity and computers, empowered under the Information Technology Act, 2000. The matter was challenged in the Supreme Court where in March 2019, the government said that it had a detailed Standard Operating Procedure (SOP) for such surveillance. But the bottom line was that bureaucrats would review applications for surveillance—and we all know how bureaucrats function. The petitioners in the Supreme Court had pointed out that in 2017, enforcement authorities ordered Facebook, Google and Twitter for data of more than 200,000 accounts under various laws. Earlier, the Srikrishna Committee had said that review authorities meet once in two months and have the task of reviewing more than 15,000-18,000 surveillance orders. So, there is a whole lot of agencies in this game and they are given the green signal more often than not.

In fact, it is not just the central government and its agencies that would be interested in spying on the current bunch of activists. As the emails leaked from the ‘Hacking Team’ (now archived at Wikileaks) have shown, state police departments too are actively seeking tools to snoop on their targets. The case documented is of the Andhra Pradesh police scouting around for surveillance tools in 2015. As recently as March this year, there were reports that the intelligence department of Andhra Pradesh state government had acquired an Israeli device or tool for breaking WhatsApp encryption. This was just before the Lok Sabha elections in May this year.

So, the answer to the question ‘who benefits?’ by acquiring Pegasus yields a whole phalanx of deadly curious agencies, both central and state-level. Who knows, there may even be some private agencies that have been roped in to provide the services! After all, many unthinkable services are these days outsourced to shadowy NGOs, like the one which handled the recent MEPs visit to Kashmir.
 

Smoke and Mirrors

Ministry officials have been quoted in media reports as complaining that senior WhatsApp officials never mentioned this leak in meetings with them in May this year. WhatsApp has quickly countered, saying they had mentioned it. Other reports suggest that officials complained still more that WhatsApp just gave them ‘technical jargon’ (sic) implying thereby that the IT Ministry couldn’t understand it.

Ridiculous as all this sounds, there is a method in this madness. Prasad may or may not be in the loop on the whole thing. But all this speculation about WhatsApp and Prasad’s indignation has created a fog within days of the scandal spilling out. It has become a game of smoke and mirrors. The government, through Prasad, is seemingly outraged and full of righteous indignation, just as it was in March 2018, when it was revealed that a UK-based data analytics company Cambridge Analytica (CA) had stolen data of 87 million Facebook users. Prasad had similarly fulminated against Facebook and threatened legal action.

One and a half years later, nothing has happened as far as India is concerned although in the UK, Cambridge Analytica closed down and Facebook has paid 500,000 pounds to the UK’s Information Commissioner’s Office (ICO), to settle the latter’s investigation into the scandal. India’s Central Bureau of Investigation is still playing 20-questions with Facebook and the now defunct CA.

As this cut and thrust between India and WhatsApp continues, nobody is paying attention to whoever used Pegasus to snoop on diverse Indian citizens. Maybe that’s what the government wants.

Courtesy: https://www.newsclick.in/
 

The post Who Benefits? The Question Nobody’s Asking in the WhatsApp Hacking Case appeared first on SabrangIndia.

The Whatsapp Snoopgate issue that spread like wildfire, not only had the general public under its attack, but lawyers defending the human rights activists arrested under the controversial Bhima Koregaon case have also confirmed that their phones were being targeted by Pegasus, a the surveillance software developed by Israeli company NSO group that came to be in question, The Huffington Post report.

The surveillance revelations come after the messaging platform sued Israeli surveillance firm NSO Group on Tuesday, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents including diplomats, political dissidents, journalists and government officials. NSO denied the allegations.

The malware attack, according to Whatsapp, exploited its video calling system to send malware to the mobile devices of a number of users. The malware would allow NSO’s clients – said to be governments and intelligence organisations – to secretly spy on a phone’s owner, opening their digital lives up to scrutiny, the Economic Times reported.

WhatsApp sued the NSO Group in a federal court in San Francisco on Tuesday, accusing it of using WhatsApp servers in the United States and elsewhere “to send malware to approximately 1,400 mobile phones and devices (‘Target Devices’)… for the purpose of conducting surveillance of specific WhatsApp users (‘Target Users’)”. It had later sent out a privacy alert message to people it detected to be targeted by Pegasus.

The NSO has said that it sells its software to governments around the world. However, the Ministry of Home Affairs’ Cyber and Information Security division in response to an RTI query said that there was no information on any order being given to purchase the Israeli spyware Pegasus.

Why the spying on Bhima-Koregaon lawyers is a significant revelation
The spyware attack that shocked users had high-profile targets. Right from Former Union Minister Praful Patel and former Lok Sabha MP Santosh Bharatiya, the spyware attacked the phones of lawyers, journalists and human rights activists.

Among those who may have been targeted are Chhattisgarh-based activist Shalini Gera, Nagpur-based lawyer Nihalsing Rathod, Adivasi rights activist Bela Bhatia, academic and writer on Dalit issues Anand Teltumbde, former BBC journalist Shubhranshu Choudhary, and Chandigarh-based lawyer, associated with the Bhima Koregaon case, Ankit Grewal.

India has been notorious for spying on citizens without warrants, but the use of Pegasus in the Bhima-Koregaon case is particularly alarming for it makes use of files illegally obtained from the computers and phones of the accused, who have been charged with waging war against the state.

In June 2018, the Pune police had launched a series of country-wide raids on activists and lawyers involved in fighting Dalit issues, Adivasi rights, and those accused of supporting the Communist Party of India (Maoist).

Civil liberty activists SudhaBharadwaj, Arun Ferreira, Vernon Gonsalves, Gautam Navlakha, Varavara Rao and Anand Teltumbde were arrested during the raids. Termed ‘Urban Naxals’ the Pune police produced ostensibly incriminating correspondence that they claimed was drawn from the computers of these activists. Now, lawyers representing the accused say the Pegasus hack proves that this correspondence was planted on their computers.

Nihalsingh Rathod, who is one of the lawyers in the team of Surendra Gadling, a popular Dailt rights lawyer, is now joining the dots saying he now knows how the so-called ‘letters’ that the police had obtained because they were planted on the hard-drives of activists.

Surendra Gadling was among those who had been arrested and booked under several activities of the Unlawful Activities (Prevention) Act and the Indian Penal Code.

He told Huff Post India, he learnt he was a target when he was contacted by a researcher from the University of Toronto’s Citizen Lab on October 7 2019.

On October 7, 2019 he was contacted by a senior researcher John Scot-Railton from the Toronto University’s ‘Citizen Lab’ informing him that he faced a “specific digital risk”.

“The researcher told me that he suspected that my phone had been targeted by malware and compromised,” Rathod told HuffPost India. “The researcher didn’t tell me that the malware was sold exclusively to national governments, and so I did not suspect that the Indian government was behind the attack.”
“Before his arrest, similar things happened to Surendra Gadling’s phone and computer. He asked me about it. I thought it was just spam.”

Rathod said he was now planning legal action against the Indian state.

“The senior researcher told me that his lab had followed my work and during their research had found out that my profile was under a surveillance attack. All those calls made to me for two years suddenly began to make sense,” Rathod told The Wire.

The Citizen Lab was one of the first research organizations to examine how Pegasus operated.

“We have always maintained that the letters police claim to have found on Gadling’s computer were planted,” Rathod said. “As defenders of human rights and the constitution, we feel helpless and hopeless.”

However, Rathod nor Gadling are the only ones to have received such messages and calls.

Two days ago, Rupali Jadhav, a 33-year-old cultural and anti-caste activist from Pune shared screenshots of messages she had received from WhatsApp and Citizen Lab.

The reason Jadhav said her profile was compromised because she had been associated with an anti-caste cultural group called the Kabir Kala Manch and has been handling social media movements in the state. She is the official administrator of the WhatsApp and Facebook pages of Kabir Kala Manch, Bhima Koregaon Shaurya Din Prerana Abhiyan, Elgaar Parishad, and the political party Vanchit Bahujan Aghadi, she told The Wire.

Degree Prasad Chouhan, a Dailt rights activist and lawyer too received a similar chain of messages as did Shalini Gera, Bela Bhatia, AnandTeltumbde and Saroj Giri.

Gera, who has been a part of the lawyers collective Jag Lag, has faced a severe backlash from several right-wing organisations and Chhattisgarh police for the work she and her colleagues had been doing in the state.

Bela Bhatia is a Bastar-based academic, researcher and human rights defender. She has participated in the preparation of many fact-finding reports and served on a Planning Commission-appointed panel to examine challenges to governance in areas of the Maoist rebellion.

Saroj Giriis  a lecturer in Political Science, University of Delhi, Delhi. He writes on contemporary social and political issues and is an activist.

Anand Teltumbde is an Indian professor, scholar, writer, and civil rights activist. He has written extensively about the caste system in India and advocated for the rights of Dalits.

Speaking about the calls and messages from Citizen Lab and WhatsApp Anand Teltumbde said, “[The researcher] explained to me what the spyware is all about. He sent me a text message first. Then I enquired about Citizen Lab’s credibility and spoke to its representative. The NSO group has said that it has given Pegasus licenses only to governments across the world. So, it is clear that the India’s government used the spyware against us, citizens.”

The espionage attempt has not spared research scholars too. Ajmal Khan, a 29-year-old Delhi based research scholar was approached by Citizen Lab too. He is well-known among students’ group in Mumbai and apart from being part of several anti-caste movements and civil rights movements, he has been active in students’ struggles including the agitation following Ph.D. scholar Rohith Vemula’s death in 2016.

It is clear that even after the denial of the Ministry of Home Affairs, the spyware attacks on the phones of these activists were not random, but were part of a carefully orchestrated plan to silence dissent and rebellion.

Condemning the development that has come to light, Amnesty International has cited this attack on activists to be a grave violation of their right to privacy and has pledged its legal support to get the Israeli ministry to stop the manufacturing of NSO’s products.

Sources – The Wire, Huffington Post.

Related:
The UK government spied on human rights groups – now they’re taking it to court
HC directs police to file report on SambhajiBhide’s role in violence: Bhima-Koregaon Case
BhimaKoregaon case: Bail Applications of three social activists rejected by Bombay High Court
Bhima-Koregaon Case: HC Refuses to Quash Case AgainstGautamNavlakha
Years of hard work taken away: DU Professor on Pune police raids without search warrant
 
 
 

The post Whatsapp Spyware Attack: Bhima-Koregaon activists being spied on by the Centre? appeared first on SabrangIndia.