The Pegasus Project revelation of governments across the world deploying Israeli NSO Group’s Pegasus spyware on mobile devices of journalists, activists, politicians, and businessmen has exacerbated concerns over violations of data privacy and security. Cases of cybercrime and violations of data privacy are increasing. Recently, more than 80 Muslim women were put up for “auction” on an app called Sulli Deals sparking outrage and was removed by the host platform, GitHub. Journalist Nidhi Razdan revealed she was a victim of spear-phishing. In June 2020, she received fraudulent emails saying that she had been offered a post of Associate Professor at Harvard University to teach journalism. During the lockdown, there has also been an increase in cyber-harassment and financial fraud. Cyber Security and Data Privacy Consultant, RITESH BHATIA, who conducts cybercrime investigations, and whose interest areas include Infrastructure and Data Protection, Security Audits, Risk Assessment, New Age Cybercrimes, Dark Web and Digital Forensics, talks to SRAVASTI DATTA, about the nature of Pegasus software, ways of ensuring data privacy, who owns responsibility for cybersecurity, and the need for robust cyber laws. Excerpts:
What is the solution to protect oneself from Pegasus?
Do not click on links sent by strangers. Do not download any attachments, images, etc sent by unknown numbers. Once Pegasus is installed it’s difficult for even a Forensic person to find out if it is there on your phone.
Ritesh Bhatia (Cyber Security and Data Privacy Consultant)
Pegasus has been installed through “zero-click exploits”, could you explain what that means?
For spyware to be installed, you have to click on it. Zero click attacks require no action by device users. Pegasus has been installed through WhatsApp calls. WhatsApp, owned by Facebook, sued the NSO group in 2019. NSO found a vulnerability in WhatsApp calls that when they would call up via WhatsApp they would be able to install the spyware–this is called the “zero-click exploit”.
What are the other kinds of spyware?
There are numerous not-so-sophisticated spyware that can be downloaded from several websites. Some of them are available for a meagre 5,000 to 10,000 rupees a year. Then there are also apps snooping on you. For example, a beauty cam app may seem to be touching up your photos but behind the scenes, it knows everything about you, including your location, SMS, gallery, call log and so on
What is spear-phishing?
Spear-phishing targets specific people or companies. How does one trust the person who is getting in touch? It is to work on the concept of I trust nobody online. I will not share sensitive information with anyone. If people ask certain questions then that is when someone should be alert. Crosscheck their information, if they claim to be from a particular institute, crosscheck to see if that claim is true. Are we cross-checking information or wonder if this is too good to be true?
How can one protect oneself from online financial fraud?
With UPI having gained momentum, one should remember that one does not have to click on any link to receive money.
Make sure that your credit and debit cards are always in your possession and in your sight while doing a transaction especially on POS devices.
Disable international transactions on debit and credit cards as OTPs are not required for such transactions.
Do not give access to others via remote apps such as Anydesk, Quick Support, etc.
When you are a victim of a financial crime, ensure you act immediately. The government has started a helpline 1555260 but then it is also important to see how effective it is. The person who has been defrauded has to call their number on 1555260. Often, someone else calls on behalf of the person cheated but they may be in another city, so it’s going to be difficult to register a complaint.
Should the onus of cybersecurity lie with consumers?
Awareness is important. Every day we hear of people losing lakhs of rupees, why is there no awareness? If the government wants to promote ‘Digital India’, then what has it done to protect citizens? You can’t keep blaming the citizens. I don’t agree that it is the consumer’s fault, it is the technology’s fault, it is fault that you are not protecting their money.
There is an entire industry of cybercriminals, it’s a digital pandemic, but what has been done about it?
How do you ensure data privacy?
There are three ways in which to ensure data privacy: Psuedonymisation, Anonymousisation and Minimisation. I will start with the third category, the more data is asked the more the person’s data is at risk. If for some reason you still want that data it should only be with the person it has been given to, the maximum you should ask for is email, what’s the need for other details? A transport app, for example, should not have access to your photos but it can have access to location but there can also be an option to enter one’s location.
Whenever there is data with xxx that is Anonymousisation. The concept of Psuedonymisation is to give pseudonyms. Overall the practice of protecting someone else’s data is important and that starts with Minimisation. Data privacy should be an essential part of designing products.
In the light of the harassment of Muslim women through the Sulli deals app and the burgeoning cases of harassment, revenge porn and sextortion, how can one protect oneself?
Why do we have to keep telling people what to do and what not to do? Why aren’t there enough laws? We are still with an archaic Information Technology Act 2000. Does anyone have the right of telling women not to post their pictures? Why is it okay for a man to harass women? You should be confident in taking swift action against the perpetrator. However, prompt police action and robust laws are lacking, these need to be addressed.
(Sravasti Datta is a freelance journalist.)