What is Pegasus leak?
On 19 July, a consortium of 17 international media organisations published an investigation around a leaked list of phone numbers from across the world, dubbed the Pegasus Project. These numbers are allegedly a “target list” of phones hacked/to be hacked by the Pegasus spyware product sold by Israel's NSO Group.
Firstpost
The Pegasus leak: What you need to know right now
The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others.
20 July, 2021 - 06:01pm
The hacks — confirmed by forensic analysis of the phones — represent a tiny fraction of what may be a vast surveillance net, intensifying concerns about the erosion of civil liberties in India under Prime Minister Narendra Modi.
Hundreds of Indian phone numbers appeared on a list that included some selected for surveillance by clients of NSO Group, an Israeli firm. The list contained numbers for Rahul Gandhi, India’s main opposition leader; Ashok Lavasa, a key election official considered an obstacle to the ruling party; and M. Hari Menon, the local head of the Bill and Melinda Gates Foundation.
Others included on the list were journalists, activists, opposition politicians, senior officials, business executives, public health experts, Tibetan exiles and foreign diplomats. A group of Modi critics accused of plotting to overthrow the government also appeared on the list.
The spyware that infiltrated seven of the analyzed phones is called Pegasus. It secretly unlocks the contents of a target’s mobile phone and transforms it into a listening device. NSO says it licenses the tool exclusively to government agencies to combat terrorism and other serious crimes.
In India, use of the spyware appears to have gone well beyond those objectives. Five of the phones infiltrated in India belonged to journalists and one to a high-profile political adviser working for Modi’s opponents.
It is not known how many of the phones on the list were actually targeted for surveillance or how many attempts were successful. Forensic analyses performed on 22 smartphones in India whose numbers appeared on the list showed that 10 were targeted with Pegasus, seven of them successfully. Eight of the 12 inconclusive results involved Android phones, which do not log the information needed for the method used to uncover infection.
Sushant Singh, an Indian journalist whose phone number first appeared on the list in 2018, reported extensively on a controversial purchase of fighter jets from France by the Modi government. Pegasus was active on Singh’s iPhone as recently as this month, a forensic analysis showed.
The targeting of journalists creates “an environment of fear and intimidation” where “democracy eventually stands weakened,” Singh said.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to the list of thousands of phone numbers worldwide and shared it with The Post and other outlets. Forbidden Stories oversaw the investigation, called the Pegasus Project, and Amnesty International’s Security Lab provided forensic analyses and technical support but had no editorial input.
It is not clear how many of the mobile phones on the worldwide list were ultimately infected by spyware. In all, Amnesty’s Security Lab examined 67 phones where attacks were suspected. Thirty-seven phones showed traces of Pegasus activity: 23 were successfully infected, and 14 showed signs of attempted targeting. For the remaining 30 phones, the tests were inconclusive. Half of them were Android devices, which do not store the types of data needed by Amnesty to indicate infection.
Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.
The numbers from India and to a lesser extent Pakistan that appeared on the list offer a portrait of an NSO client’s priorities in the region. The records included at least one number once used by Pakistani Prime Minister Imran Khan, as well as hundreds of others in the country. Khan did not respond to a request for comment.
Yet there were many more Indian numbers on the list. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, has found evidence that 10 countries represented on the list, including India, have been clients of NSO, according to Bill Marczak, a senior research fellow.
India has neither confirmed nor denied that it obtained Pegasus spyware. In 2019, WhatsApp said it had uncovered a vulnerability through which more than 1,400 of its users worldwide were targeted using Pegasus, a group that included people in India. In a parliamentary debate later that year, then-Indian law minister Ravi Shankar Prasad repeatedly declined to answer questions about whether the country had bought the tool. Prasad said that no “unauthorized” surveillance had occurred.
In response to detailed questions, a statement from India’s Ministry of Electronics and Information Technology said the claim of government surveillance of specific people “has no concrete basis or truth associated with it whatsoever.”
The government did not respond to questions about whether it is an NSO Group client. The statement said that “any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.”
In lengthy responses, NSO called the investigation’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities. It added that its technologies have helped prevent terrorist attacks and bombings and broken up rings that trafficked in drugs, sex and children.
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations,” the company said.
More than 30 Indian journalists appeared on the list. Those whose phones were compromised, forensic analysis showed, included Siddharth Varadarajan and M.K. Venu, two co-founders of the Wire, an Indian digital media outlet and a partner in the Pegasus Project.
Another person successfully targeted with Pegasus software was Prashant Kishor, an influential campaign strategist who once worked for Modi but this year helped defeat his party in a crucial state election. Kishor’s phone was compromised as recently as July 14, a forensic analysis showed. He said the apparent surveillance was “really disappointing.” Those responsible “were looking to take undue advantage of their position of power with the help of illegal snooping,” Kishor said.
Some of the Indian numbers on the list belonged to people who could be viewed as legitimate targets of inquiry by Indian law enforcement or intelligence services, including some belonging to people connected to ongoing criminal investigations.
Yet the numbers also included people who did not appear to have had run-ins with law enforcement authorities. In addition to the journalists, there were opposition politicians, activists, several public health experts and business executives. Some were government critics, while others seemed to be allies.
Two ministers in Modi’s government — Ashwini Vaishnaw, the new minister for information technology, and Prahlad Singh Patel, a junior minister for water resources — were among those whose phone numbers appeared on the list. Vaishnaw and Patel did not respond to requests for comment.
One of the most prominent people on the list was Rahul Gandhi, a leading opposition figure and the great-grandson of India’s first prime minister. When numbers used by Gandhi were added to the list in 2018, he was Modi’s chief rival in upcoming national elections.
Those selected included not only Gandhi but some of his staff members and friends. Alankar Sawai and Sachin Rao, two of his close advisers, were among those whose numbers appeared on the list, as were several of Gandhi’s personal friends. Sawai and Rao did not answer requests for comment.
Gandhi responded with a statement. “Targeted surveillance of the type you describe, whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India is illegal and deplorable,” he said. “If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”
Another person who was an impediment to Modi’s ambitions was also on the list: Ashok Lavasa, a senior official who was in line to lead the powerful Election Commission of India. Lavasa determined that Modi repeatedly violated election guidelines during the 2019 national campaign. He later resigned from the commission. Lavasa declined to comment.
Others had nothing to do with politics. Several people working in India’s health sector are represented on the list, among them Gagandeep Kang, a virologist, and two employees of the U.S. Centers for Disease Control and Prevention based in Delhi.
In 2018, Kang was helping with aspects of the response to an outbreak of the deadly Nipah virus in the southern Indian state of Kerala. She urged Indian health officials to share blood samples of those infected with a global initiative to develop vaccines against future pandemics, an effort that was ultimately fruitless. Kang struggled to imagine why she would be deemed a target of surveillance. “I lead a very, very boring life,” she said.
M. Hari Menon, the India country head for the Bill and Melinda Gates Foundation, as well as at least one other foundation employee were added to the list in mid-2019. It was a period when the foundation was extending a significant honor to Modi: In September, the prime minister was named a “global goalkeeper” at an annual ceremony in New York for his work on sanitation. Menon did not respond to a request for comment.
Proximity to India’s top officials was also common among some on the list. In 2019, a woman made an explosive complaint against the chief justice of India’s Supreme Court, accusing him of sexual harassment. After she rebuffed his advances, she said, she was dismissed from her job at the court. The justice denied the allegations.
After the woman’s accusations went public, family members said they received anonymous threats. At least 11 phone numbers used by the woman, her husband and two other family members were also on the list of those apparently selected for potential surveillance. The justice is now a member of Parliament with the ruling party.
The breadth of the potential targets in India raises legal questions. The Indian government has the power to “surveil, monitor and decrypt” communications, but hacking is a crime in India.
Lawyers looking to represent people whose phones have been hacked by Pegasus face an imposing hurdle: How can they challenge the legality of a tool that the government has never acknowledged using?
Legal surveillance requests in India are granted by a senior official in the Home Ministry, both at the federal and state levels. They are reviewed by a small committee of civil servants, and there is no oversight by the courts unless there is a challenge in a specific case. Only a minority of surveillance requests are rejected, said G.K. Pillai, former home secretary.
The federal government alone was approving as many as 9,000 telephone interception requests a month in 2014, according to an official reply to the Software Freedom Law Center.
Shashi Tharoor, a member of Parliament who chairs the committee on information technology and belongs to the opposition Congress Party, said hacking is against the law in India, except if the government “invokes a national security exception, which, to my knowledge, they have not done.” Surveillance using a spyware tool like Pegasus “would be illegal unless those who have done it can demonstrate otherwise.”
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.
20 July, 2021 - 06:01pm
NSO asserts that the 60 intelligence, military and law enforcement agencies to which it licenses its software are subject to rigorous reviews. Similarly, the Israeli Defense Ministry insists that “appropriate measures are taken” when cyber products are exploited for a purpose besides combating illegal activity. So why was Saudi Arabia allowed to keep Pegasus after the murder of Post Opinions contributing columnist Jamal Khashoggi? Amnesty International’s forensics discovered that Pegasus successfully infected the phone of his fiancee in the days after his death; in the months before it, the spyware was targeted at her as well. NSO has always denied that its technology was associated with the crime, but it also claims to have no visibility into client activity. NSO also says confidentiality agreements keep it from revealing even who its clients are.
Pegasus can access a victim’s texts, location, photos and more, sometimes, alarmingly, by way of merely a message that produces no notification and requires no action. A victim doesn’t even need to make a mistake. This technology of course can be used for legitimate and even positive purposes — disrupting drug cartels, for instance, or fighting terrorism. Yet it can also be abused, and when it is, the rest of the world usually finds out only through the very activists, academics and journalists whose phones are under threat of infiltration by those who hope to stop them from doing their jobs.
NSO isn’t alone, and neither is Israel. The private spyware industry is thriving, largely unrestrained. That must end. Transparency requirements and accountability requirements should ensure companies’ “rigorous reviews” are actually rigorous, but governments should also take the onus on themselves to assess the human rights impact of issuing a license before it’s approved — and, if it is approved, after. Countries with a history of turning these technologies against citizens should be prohibited from purchasing them at all. And countries that respect the bounds of the law should refuse to buy from companies that do business with those that don’t. Global leaders must work together to fix a problem that doesn’t care about geography. Luckily, they have an incentive to act: They are targets, too.
20 July, 2021 - 06:01pm
NSO Group first came under major scrutiny for their surveillance technology in 2016, when analyses by the NGOs Citizen Lab and Lookout Mobile Security discovered that the firm had exploited “zero-days”—unpatched security vulnerabilities—on Apple’s iOS. All it took was one click of a link sent through a text message for Pegasus to be installed on a user’s phone. Once on the phone, Pegasus enables keystroke monitoring of all communications, as well as enabling Pegasus operators to remotely record audio and video using the hacked phone’s camera and microphone. The discovery of Pegasus spyware on the phone of United Arab Emirates human rights activist Ahmed Mansoor highlighted the ability of governments to abuse Pegasus by targeting political dissidents rather than terrorists and serious criminals.
Since 2016, NSO has faced multiple accusations that Pegasus is being used to target journalists and activists around the world. These include Mexican journalist Rafael Cabrera, Citizen Lab’s own reporters, and the family of murdered Saudi journalist Jamal Khashoggi, among others.
The most recent addition to this list of Pegasus’ targets is actually 50,000 additions: reporting consortium The Pegasus Project released a report on Sunday that found a list of over 50,000 phone numbers that they believe were identified as “people of interest” by clients of NSO.
Ostensibly, Pegasus is supposed to be used only to “investigate terrorism and crime” and “leaves no traces whatsoever” on the hacked device, which makes it nearly impossible to detect once installed. However, a Forensic Methodology Report by Amnesty International finds that neither statement is true. The report uncovers “widespread, persistent and ongoing unlawful surveillance and human rights abuses” that NSO’s spyware perpetrated on human rights activists, journalists, academics, and government officials across the globe.
NSO was founded in 2010. Pegasus was introduced sometime between then and 2016, but that’s really all we know about its creation, partially because NSO has tended to deemphasize Pegasus in its marketing and instead emphasizes its “range” of products—anti-drone, data analytics, search-and-rescue, and even COVID tracking technologies. NSO Group has been notoriously secretive, releasing little-to-no information regarding its operations, customers, or safeguards against misuse. In 2016, when NSO first came under scrutiny for the Pegasus targeting of Mansoor, the firm did not even have a website. In February of 2019, Francisco Partners, a U.S. private equity fund, sold NSO Group to the firm’s Israeli co-founders Omri Lavie and Shalev Hulio, who partnered with Novalpina Capital to purchase a majority stake in NSO. NSO Group’s previous owners, Francisco Partners, bought the company in 2014 for $130 million. In 2019, it was valued at over $1 billion.
Novalpina, Lavie, and Hulio declared that, as the new majority stakeholders of NSO Group, they were committing themselves to more transparency and pledged to do “whatever is necessary” to prevent their technology being used to abuse human rights. The cornerstone of NSO Group’s human rights policy is a vetting process, in which NSO staff examine governments who hope to acquire the firm’s technology, looking at the country’s human rights record, its relationship to Israel, and the level of need for the surveillance tool. NSO claims to have passed on $300 million in sales opportunities as a result of their human rights review processes. However, as MIT Technology Review reported in August 2020, it’s completely possible for a country with a poor human rights record to acquire Pegasus: Morocco’s worsening record on human rights was outweighed by the country’s history of cooperation with Israel and its critical terrorism problem, so the sale was approved.
NSO licenses Pegasus to governments in 40 undisclosed countries, and has long maintained that it does not operate the systems once sold to its clients, nor does it have access to the data of its clients’ targets. This is the defense that the firm returns to, time and again, when reports surface that its Pegasus technology has been used as a tool of oppression and violence.
NSO states firmly that they will terminate their contract with any clients who abuse the technology. The company cites three instances of clients abusing Pegasus and subsequently having their contract terminated as evidence of NSO’s willingness to shut down abuse.
There are other guardrails in place once Pegasus is sold to a client, which include prohibiting U.S. phones from being infected with the spyware (Pegasus is supposed to self-destruct if it finds itself within American borders). And, though ad hoc teams are created to investigate when reports of abuse arise, there is reportedly no permanent internal team tasked with investigating and handling abuse.
NSO and their technologies are regulated by the export control authorities from the three countries from which their products are exported: Bulgaria, Cyprus, and Israel. Yet, because NSO repeatedly asserts that any misuse of the technology is done at the hands of the clients, rather than the company, it can be difficult to pinpoint where an abuse is coming from and who should be held accountable—as has been the case regarding a lawsuit brought by Facebook/WhatsApp against NSO.
Despite NSO’s self-proclaimed “unprecedented step forward” in the form of their recently released Transparency and Responsibility Report, there remains a lot that is unclear. Amnesty International points to the lack of accountability in the report for the unlawful surveillance of journalists and activists, the company’s refusal to acknowledge how their own policies have denied the right to remedy for victims of Pegasus’ unlawful spying, as well as NSO’s failure to “disclose all the legal challenges the company has faced resulting from the misuse of its technology.”
Amnesty, U.N. surveillance experts, and Edward Snowden (among others) are now calling for a global moratorium on the sale of not only NSO spyware like Pegasus, but all surveillance technology, until proper rules and regulations can be put in place internationally.
Slate is published by The Slate Group, a Graham Holdings Company.
20 July, 2021 - 06:01pm
Of the 50,000 phone numbers that were, according to a consortium of investigative journalists, possible targets for surveillance using the Israeli company NSO Group Ltd.'s Pegasus spyware, apparently not one had a +1 prefix. NSO says it can't - or doesn't - hack U.S.-based smartphones. You might think, therefore, this is not a problem the United States needs to worry about.
In fact, the future of surveillance - which, as the investigation documented, is being targeted at dissidents and activists as much as terrorists and criminals - will be determined by decisions made in the U.S.
Those decisions will determine the future of democracy worldwide. NSO's clients are all sovereign governments, according to the company. What they don't say, but the investigation revealed, is that these governments are mostly autocracies such as Saudi Arabia or increasingly illiberal democracies such as Hungary and India.
NSO is a private company, so one might be tempted to blame corporate greed for the fact that its advanced technology is ending up in the hands of autocrats. Yet the Israeli government, through export licenses, controls where the company is allowed to send its products. One of the investigative journalists involved in the Pegasus report said that "the selection of Indian numbers started in earnest the day before ... [Indian Prime Minister Narendra] Modi and Israel's former PM [Benjamin] Netanyahu enjoyed a walk on the beach in Israel."
If anything, it is the U.S. private sector - from Facebook Inc.'s WhatsApp to Microsoft Corp. to Alphabet Inc.'s Google - that is leading the charge against the impunity enjoyed by private spyware firms. WhatsApp's CEO, in response to the Pegasus leak, urged "a global moratorium on the use of unaccountable surveillance technology."
Google regularly warns Android users that they are being targeted by "government-based attackers," sending out "more than 12,000 warnings to users in 149 countries" in just the third quarter of 2019. Apple Inc. - though it unfortunately chose to minimize the significance of the Pegasus leak - thinks that the iPhone's security and privacy features are a valuable differentiator for its products.
These companies are not making such efforts out of a pure and idealistic love of democracy. They are doing so because adhering to U.S. norms on privacy matters to how their products are marketed and sold. Right now, the scruples of U.S.-based tech companies provide whatever minimal protection people in troubled democracies have against snooping by their own governments.
We now know who is vulnerable when that protection fails. In India, attempted Pegasus targets reportedly included the leader of the political opposition, activists fighting for lower-caste empowerment, an independent member of the election commission and even a well-known virologist. In Viktor Orban's Hungary, the list was dominated by activist lawyers and crusading journalists. And as many as 50 people linked to current Mexican President Andrés Manuel López Obrador, who ran as an insurgent against the previous administration, were in the leaked database.
Both the Hungarian and Indian governments deny using Pegasus to spy on dissidents and the opposition. Yet surveillance technology could easily be deployed in such countries to shrink the space available for liberal democratic politics. U.S. President Joe Biden has made the defense of democratic institutions a cornerstone of his foreign policy. If he's serious, then his administration must start asking a few questions.
Here's one: How much of this technology is being developed in the U.S., including by U.S. government agencies, and making its way to illiberal autocrats? NSO's founders are, according to multiple reports, thought to be alumni of Israel's signals intelligence division, Unit 8200. And we know - including through the Edward Snowden leak - that the U.S. National Security Agency provides Israeli intelligence "controlled access to advanced U.S. technology and equipment."
What is the nature of those controls? Are they sufficient to prevent the development and sale of technology to autocrats who want to use it against their own people? Snowden himself, in response to these latest revelations, warned that "if we don't do anything to stop the sale of this technology, it's not just going to be 50,000 targets. It's going to be 50 million targets, and it's going to happen much more quickly than any of us expect. ... There are certain industries, certain sectors, from which there is no protection, and that's why we try to limit the proliferation of these technologies."
The U.S. and other democracies don't want autocrats benefiting from technology designed to defend democracy, so they carefully monitor the end-use of the weapons packages that they develop and export. It's time to extend that effort transparently to digital technologies that, in today's world, can be just as easily misused.
20 July, 2021 - 04:35pm
When a list of phone numbers of potential targets for surveillance using Israeli malware is bared to the public through a collaborative investigation by an international consortium of journalists, and when among those in the India list are individuals belonging to Opposition parties, civil society, journalists (including three editors of The Indian Express, two current and one former) and a constitutional authority, the government must set up a probe into the matter. When the Israeli vendor insists that the spyware is sold only to “vetted governments”, the government does not have the option of brazening it out or resorting to conspiracy mongering. The new minister for Information Technology, Ashwini Vaishnaw, has said that the outing of the list is a bid to “malign Indian democracy and its well-established institutions”. Home Minister Amit Shah has spoken darkly of “disruptors” and “obstructors” and recycled his own disturbing formulation from an earlier time, “aap chronology samajhiye…” But the ministers cannot point the finger away by invoking worn spectres. Minister Vaishnaw has also spoken of the presence of established procedures and protocols through which lawful interception of electronic communication is carried out for national safety and security. He is right, too, in saying that the mere presence of a phone number in the database is not confirmation that the corresponding device was hacked. Yet, he and his government must now address the Pegasus in the room: The growing impression that red lines have been breached, for government or its agencies to target political opponents, dissidents and activists.
This is about the constitutionally guaranteed right to privacy of individuals, and also about more than that. The Pegasus allegations have cast a shadow on the integrity of institutions. It is true that earlier governments also operated in grey zones of espionage, were accused of phone tapping of political opponents. Yet, the nature of this alleged scandal is different — both because of the scale of the purported abuse of power and the political climate that forms its backdrop. The sophistication of technology now makes possible a level of invasiveness that wasn’t possible earlier. The government that is called upon to explain the alleged misuse of spyware is one that wears on its sleeve its intolerance of dissent, and which has sought to criminalise the dissenter by weaponising vaguely worded laws.
Also on the list of those selected for possible surveillance by the spyware are phones connected with the woman who in April 2019 accused the then sitting Chief Justice of India Ranjan Gogoi of sexual harassment — he was subsequently cleared by an in-house SC committee and nominated to Rajya Sabha by the BJP-led regime. The apex court must take note — and this is not the only reason why it must step in. The Pegasus allegations are debilitating in their potential effect on the trust that underpins the pact between government and people. The court must play its role in ensuring that the questions are answered, and due process is followed, no matter where it might lead to. Of late, the government has been pushing back at Big Tech — and with reason — on what’s right, and wrong. It has been celebrating, rightly, the rise of tech unicorns in a range of services where the citizen’s phone and her data are, effectively, the engines of entrepreneurship. Trying to snoop unlawfully is what maligns Indian democracy. For the sake of national security, the department of dirty tricks needs to come clean.