The Israeli company NSO’s spyware is in the news in India for all the wrong reasons
Illustration: Saurabh Singh
HERZLIYA IS A coastal Israeli city where a large number of the country’s wealthy citizens live. Outside the Middle East, this affluent city, named after Theodor Herzl, the founder of modern Zionism, often finds mention for its expensive villas and fine beaches located in a tony neighbourhood called Herzliya Pituach. But lately, it has earned some notoriety thanks to its being the headquarters of a cyber intelligence company named NSO Group Technologies, which has been sued by Facebook after its clients used its Pegasus spyware to snoop on 1,400 civilians, mostly lawyers, journalists and rival politicians in over 40 countries, by exploiting a vulnerability in Facebook’s WhatsApp messaging platform. Pegasus, a servant of Zeus in Greek mythology, is a white, winged horse capable of miraculous feats, and is now symbolic of creative inspiration. In cyber parlance, a vulnerability is a weakness that can be utilised by hackers to break into a computer or a smartphone. The number of civilian victims of this attack in India stands at 121 and, with the exception of those who chose to speak of their own volition, neither WhatsApp nor the Toronto-based Citizen Lab, which helped the messaging freeware investigate a case of hacking between April 29th and May 10th this year, has disclosed the names of people targeted for surveillance.
In response to queries on the lawsuit, filed by Facebook in the US on October 29th, an NSO spokesperson said the company’s sole purpose is to provide technology to licensed government intelligence and law-enforcement agencies to help them fight terrorism and serious crime. The statement added: ‘Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.’ To repeated queries whether the Indian Government is a client of its Pegasus spyware, NSO’s reply was that ‘to protect the ongoing public-safety missions of its agency customers and given significant legal and contractual constraints, the NSO Group is not able to disclose who is or is not a client or discuss specific uses of its technology’. According to media reports, NSO’s representatives had visited Chhattisgarh many months ago and had offered to help with surveillance in a state that faces a Maoist threat. Although the deal fell through, NSO officials conducted talks with several other states, too, according to reports. A former home ministry official who was part of a new cyber-security initiative told Open that “surveillance has its many uses”. He added, “But illegal surveillance of people who exercise their right of legitimate forms of dissent using lawsuits, articles, speeches and so on can have disastrous consequences in a democracy. Such measures are akin to what is called ‘chilling effect’ usually practised in dictatorships.” Chilling effect is typically suppression of free speech using fear as a weapon.
NSO insists that it sells its Pegasus spyware only to official agencies and governments. “Which is why I am sure the Indian Government was involved in this snooping,” alleges lawyer Prashant Bhushan, who adds that lawyers who were identified for surveillance—Shalini Gera, Nihalsing Rathod and Ankit Grewal, among others—will file a lawsuit in the US. “I think it is better to file a case in the US than here,” Bhushan said, emphasising that all stakeholders may be linked with each other in assisting the Government. The Union IT minister, Electronics & IT secretary, a few members of CERT-IN (Indian Computer Emergency Response Team, whose chairman is the Electronics and Information Technology secretary) did not respond to requests for comment. CERT-IN is the nodal Central agency that deals with cyber security threats. As the news broke of Facebook’s lawsuit against NSO, the Government was hesitant to respond and sought to lay the blame on WhatsApp for not informing officials of the matter. Such remarks by high-level, anonymous sources in the Government that were widely reported were immediately countered by WhatsApp which said it had warned the Indian Government of the problem twice—first in May and then in September. Says a WhatsApp spokesperson: “Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable. We agree with the Government of India that it’s critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide.” Some of the victims of this snooping were contacted by members of Citizen Lab, warning that they were under surveillance. 
Miles Kenyon, communications specialist at Citizen Lab, tells Open, “We are unable to comment on this story at the moment while we undertake additional research and are unable to discuss specific user cases under our research ethics protocols.”
The NSO Group is well-networked. Founded by serial entrepreneurs Shalev Hulio and Omri Lavie, who are on the board of directors, the Israeli company—which has come under recurring criticism from Amnesty International for its unwarranted surveillance—has several big names as senior advisers. Among them are Tom Ridge, former Pennsylvania governor who was also the first US secretary of Homeland Security; Gérard Araud, a former French diplomat; and Juliette Kayyem, who is currently on the faculty of Harvard University’s Kennedy School of Government. Others include former Israeli armed forces veterans. Ridge and Kayyem did not respond to requests for comments. Last November, Amnesty International said it was taking legal advice ‘in order to revoke the export licence of Israeli-based NSO Group, after it was revealed the cyber firm’s spyware had been used in an attempt to spy on an Amnesty staff member’. It also said that Pegasus was also used to target the Emirati award-winning human rights defender Ahmed Mansoor, who has been in prison in the United Arab Emirates since March 2017.
Shortly after the brutal murder of Saudi Arabian-origin journalist, author and Washington Post columnist Jamal Khashoggi at the Saudi consulate in Istanbul in October last year, NSA whistleblower Edward Snowden called NSO the ‘worst of the worst’ and alleged that Pegasus was used to help track Khashoggi. He accused the Saudis of using the spyware to know about Khashoggi’s movements by spying on his friend Omar Abdulaziz, a Saudi activist in exile in Canada. A brochure of Pegasus claims that it ‘penetrates Android, iOS and Symbian based devices’. Other claims include extraction of ‘contacts, messages, emails, photos, files, locations, passwords, processes list and more’. It boasts that it ‘leaves no trace on the device’. Pegasus’ modus operandi is that hackers make multiple calls to the target and then exploit the vulnerability to take control of the device. Citizen Lab, which is familiar with Pegasus attacks and had tracked similar strikes elsewhere, contends that the software also becomes active when a person opens a malicious URL received as a message. Such hacking is called spear phishing. Meanwhile, on the NSO website is a cryptic, yet thought-provoking quote from Theodor Seuss Geisel, children’s author and political cartoonist who was more popular as Dr Seuss: ‘You have brains in your head. You have feet in your shoes. You can steer yourself any direction you choose.’ Considering the secrecy with which NSO operates, one might never be able to completely decipher what this quote means unless, of course, one is in the business of surveillance.
While WhatsApp has sued NSO and made noises about the incident, the silence of some others is deafening. Companies that own operating systems used on smartphones need to speak out too, says Sangeeta Mahapatra, a research associate at the German Institute of Global and Area Studies, Hamburg, who closely watches global and Indian trends in cyberspace. “While Wikipedia, Facebook and WhatsApp have filed cases against illegal surveillance, this would have been the right time for other such companies to join forces. The growth and usage of technologies is evolving at a fast pace. There are multiple points of access to data now. New vulnerabilities arise. It’s important to have certain no-go zones like civic surveillance right from the beginning to prevent the threat from worsening,” she points out, adding that “Brands’ survival depends on being secure.” Open wrote to Tim Cook, CEO of Apple, and Sundar Pichai, CEO of Google, asking if they were contemplating any action against NSO or making statements on illegal activities it is accused of having committed. At the time of going to press, neither had responded even as NSO continues to deny any wrongdoing.
Companies such as Apple and Google that run iOS and Android operating systems on their respective smartphones have a lot to worry about. Once a phone is hacked, through either WhatsApp or any other app, the control of the operating system falls into the hands of the people doing the surveillance. Which means banking passwords and all other data on the phone can be manipulated or used by the hacker. Any company that is accountable to the user of its operating system needs to sit up and take note of such targeted and mass attacks.
A SECTION OF cyber security experts and lawyers feel that while the Watergate scandal led to the fall of an administration in the US several decades ago, this incident involving the NSO Group, which repeatedly claims that it sells its Pegasus spyware exclusively to governments, has not created much of a storm, especially in India. Ritesh Bhatia, Mumbai-based founder of V4WEB, a company that is into cyber crime investigations, says that this is the first time that he is hearing of such a case in India. “While every country does some kind of surveillance (only if approved by the courts), as it is required to keep the nation safe, snooping on rivals or ordinary citizens is not a good sign for a healthy democracy.” But he feels that the Pegasus affair is creating a “slow storm”.
Mahapatra, for her part, hastens to add that large-scale civic surveillance is not feasible. She goes on, “Surveillance needs a lot of money and high-skilled capability, which most states lack. They have to depend on private tech and surveillance companies. Take the case of the US’ National Security Agency, which had to pay more than $35 billion to tech companies just to meet compliance costs for their PRISM surveillance programme. When you add to this the costs of the software, hardware and skilled manpower of surveillance, the massive invoice may act as a deterrent to those states wanting to do mass surveillance.” Mahapatra, however, cautions, “What is worrying is that the growth of the smartphone and the app industry is being matched by the growth of the digital surveillance industry. This can provide a cost-effective way for states to snoop on targeted private individuals without investing in a separate surveillance infrastructure.”
As to the question of comparison with Watergate—which involved surveillance of political rivals by then US President Richard Nixon’s staff using FBI and other agencies, leading to his resignation—Mahapatra avers that in India, there are three main problems that may normalise the culture of surveillance. She explains: “First, state surveillance bodies like CMS, NETRA, LIM, NATGRID, Social Media Labs, etcetera, have been established by executive orders. When all of these are fully functional, they can conduct unchecked civic surveillance unless they are brought under judicial and legislative oversight.” She adds: “Second, the traditional media have failed in their role of holding the Government to account. Barring a few, most did not cover the Pegasus scandal that directly challenges India’s democratic character. Those that did cover it also treated it as the story of the day without any follow-up. The media by their very silence signal their fear of being under surveillance and expose their cravenness.”
The third problem, Mahapatra says, is that “in social media, I found bots and trolls trying to offer legitimacy to state surveillance by using two pernicious tropes—‘private citizens can be surveyed for national security’ and ‘if we have nothing to hide, we should not object to state surveillance’. This kind of discourse does not just undermine but negates democracy. Snooping is illegal. Under IT Act, Section 43, hacking a device is illegal and privacy is a fundamental right as per the Puttaswamy case of 2017. There is no exception [made] for the Government under the current legal scheme to snoop on private citizens.” She sums up her argument by saying that in social media, she has also seen a “pushback” happening against organised bot and troll activity. “Netizens are fighting back against the snooping culture, showing clear limitations of digital propaganda. If the traditional media asks critical questions of the Government, India will not face the reality of mass surveillance in the near future,” Mahapatra says.
Mahapatra disapproves of major criticism of companies such as WhatsApp. Some years ago, after mob violence, especially in northern India by cow vigilantes, the Government had blamed WhatsApp for not doing enough to curb crime triggered by WhatsApp messages. Such charges forced the Facebook-owned company to put in place controls to make mass sharing of dangerous content through its communication app cumbersome; it also put out appeals across TV, radio and print, asking people to help combat hoaxes. Besides setting up an Indian arm of the company and appointing a grievance officer, WhatsApp also set a limit on forwarding messages. Most such measures were later adopted worldwide.
Mahapatra argues, “If the Government blames the whistleblower, they are either exposing their lack of understanding about surveillance, which does not speak well of their ability to protect citizens from private and foreign snoopers, or they are demonstrating their lack of seriousness in pursuing a matter that affects our security and democratic well-being. The Government can demonstrate their seriousness by questioning NSO and side by side, implementing the data privacy Act and establishing an independent authority, a judicial or parliamentary committee, to regulate surveillance. The threat is critical now and there’s no time like the present to do all this.” It is thanks to WhatsApp’s collaboration with Citizen Lab that NSO’s Pegasus could be finally traced. For its part, NSO said, ‘In the strongest possible terms, we dispute today’s [October 29] allegations and will vigorously fight them.’ But allegations against NSO are only mounting. According to Amnesty International, there were targeted digital attacks using Pegasus against two Moroccan human rights defenders—academic and activist Maati Monjib and human rights lawyer Abdessadak El Bouchattaoui.
WhatsApp says, ‘The safest way to stop NSO’s spyware products reaching governments who plan to misuse them is to revoke the company’s export licence… Amnesty International is supporting a legal case in Tel Aviv District Court to force the Israeli Ministry of Defence to do exactly that.’ Queries made of Israel’s defence minister and NSO for clarifications on cyberattacks on human rights defenders were not answered. According to Citizen Lab, NSO also goes by the name Q Cyber Technologies.
The question that is now often being asked is whether it would help if users switched to other messaging platforms than WhatsApp. Citizen Lab says: ‘No. A vulnerability in the WhatsApp software was exploited to deliver the spyware. All complex software can have these types of vulnerabilities. This vulnerability was not a flaw in WhatsApp’s end-to-end encryption protocol.’ But then, in India, WhatsApp downloads fell by 80 per cent between October 26th and November 3rd compared with the previous nine-day period, according to reports.
The irony about India is that there is a lot to buttress its cyber security prowess. While Indian human rights defenders, lawyers and others were snooped upon using Pegasus and a police officer’s phone was illegally tapped by authorities in Chhattisgarh, forcing the Supreme Court to wonder if there was any privacy left anymore in India, the country’s financial institutions and nuclear facilities suffered cyber attacks. Both incidents are reflective of the challenge the country faces at a time when hackers can use the invisible wave spectrum in smart light bulbs to steal personal data from the home network. There is tireless enthusiasm worldwide to hack and snoop through the most innovative of means. Reports say that a new attack technique has been perfected using light to hack into voice assistants that include Google Assistant, Alexa and Siri.
“As of now, India is going through a Watergate moment. Yet, it is a tragedy that more people and more companies are not speaking up to arrest cyber crimes committed on civilians,” says an Indian government official formerly associated with a key cyber security panel. Is it that NSO is too well-networked in the country to be talked about? We may soon know. Or we may not.