Is Fighting Cyber-Espionage Against Dissidents Getting Difficult?

Spying on opposition leaders, dissidents and critics has always been a norm in countries ruled by right-wing, fascist or authoritarian governments. The latest method has been to use emerging technologies which penetrate email accounts or smartphones and acquire all information about such activists, politicians, or scribes. One of them is the Pegasus spyware, developed by an Israeli defence company, which can be surreptitiously installed in a target’s smartphone. It is able to read messages, geolocate and secretly turn on the device’s camera and microphone. It allows hackers to record calls, intercept messages and turn cell phones into mobile listening devices. These technologies have developed to such an extent that it has now become way easier for repressive regimes or big businesses to target their rivals. These rulers/corporations can now also use the services of cyber criminal gangs who use the Dark Web and carry out all forms of hacking, without signing any official agreement as they ostensibly did in the case of Pegasus. The spyware is allegedly made available only to government agencies, its Israeli manufacturer NSO Group which is a cyber arms firm working under the Defence Ministry has claimed.

Reports about the use of Pegasus had originated two years ago. As per these reports, about 50,000 phones of opposition politicians, political dissidents, journalists, lawyers, and human rights activists, among others, in various countries were leaked in 2020. An investigation by a consortium of 17 media outlets uncovered the use of Pegasus to spy on 180 journalists, 600 politicians, 85 rights activists and 65 business bosses, in different countries across the globe. As many as 14 Presidents, prime ministers and diplomats were also on this list. This spyware was acquired/purchased by several governments under an agreement with Israel. A significant number of the hacked phones inspected by Amnesty International’s cybersecurity team revealed that the malware was covertly installed on mobile phones and other devices running on iOS and Android. The information gathered by Amnesty was sent by it to 17 global media organisations, which published the reports. This led to outrage in the affected countries, including India, with the protestors demanding a probe into the acquisition and the use of this spyware, its abuses and a limitation on trading such repressive malware.

Following reports that the Pegasus spyware was used in India to keep a tab on opposition politicians, journalists and activists two years ago, there was an uproar over the issue and a strong demand made for a thorough probe. While the government did not accede to the demands, the Supreme Court ordered an enquiry. Later, it formed a technical committee to probe allegations that the Israeli spyware was used by government agencies for targeted surveillance of politicians, journalists and activists. After the inquest, the top court said in August last year that the technical committee had found malware in five out of 29 mobiles it had examined, but could not establish that it was due to the Israeli spyware.

Last month, however, European parliamentarians concluded a 14-month investigation and expressed serious concern over the use of the same notorious Pegasus spyware against opposition politicians and journalists in Hungary, Poland, Greece, Cyprus and Spain. The EU lawmakers voted to press member states and the European Commission to strictly regulate government use of spyware after scandals involving the Pegasus software. A special committee in the European Parliament set up to look into the issue, overwhelmingly adopted the recommendations and sought that those governments or their agencies, which had used Pegasus to spy on the smartphones of politicians and journalists, should be held accountable. Members of this committee adopted a report detailing the findings of the inquiry, with 30 votes in favour, three against and four abstaining. A text outlining the recommendations for the future was also adopted with 30 votes in favour, five against and two abstaining. This text is expected to be voted by the full European Parliament at the upcoming plenary session starting June 12.

The 14-month EU parliament inquiry shed light on "the anti-democratic and illicit practices of some EU governments, and still, I have to say little to no meaningful action has been taken”, said the inquiry report’s lead Member of European Parliament (MEP) Sophie in ‘t Veld. The MEPs’ probe covered Pegasus use in EU members Greece, Cyprus, Poland, Spain and Hungary and also gathered information from Israel, where the software was made. During the discussion in the European Parliament, Sophie in ‘t Veld said the lawmakers suspected that Greece exported such spyware (Predator) to Cyprus, which then delivered it to Sudan where over 1,000 people have been killed since April 15 in fighting between the military and a rival paramilitary group. Dutch conservative MEP Jeroen Lenaers said the refusal of Poland’s right-wing government to cooperate appeared to be “part of a wider approach to silence any kind of dissent in Poland and it’s extremely concerning.” In their final report, the lawmakers said that Poland’s use of Pegasus was part of “a system for the surveillance of the opposition and critics of the government – designed to keep the ruling majority and the government in power.” They argued that the use of spyware in Hungary was “part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government”, media reports quoting the parliamentarians said.

An official statement of the European Parliament later said its Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA) adopted its final report and recommendations following the 14-month-long inquiry into the abuse of spyware in the EU. “MEPs condemned spyware abuses that aim to intimidate political opposition, silence critical media and manipulate elections. They note that EU governance structures cannot effectively deal with such attacks and say reforms are needed”, the statement said. After the vote, Committee Chair Jeroen Lenaers said: “Our inquiry has made it clear that spyware has been used to violate fundamental rights and endanger democracy in several EU member states, Poland and Hungary being the most blatant cases. Spyware use must always be proportionate and authorised by an independent judiciary, which unfortunately is not the case in some parts of Europe. Stricter EU-level scrutiny is needed to ensure that spyware use is the exception, to investigate serious crimes, and not the norm. Because we acknowledge that it can – when used in a controlled manner – be an important tool to combat crimes like terrorism. Our committee has formulated a wide range of proposals to regulate the use of spyware, while respecting national security competencies. Now the Commission and member states should do their part and transpose our recommendations into concrete legislation to protect the rights of citizens.”

Among the adopted report’s recommendations were that the use of Pegasus and similar spyware be effectively halted and a European tech lab be created to help citizens targeted by such software. The report shed light on the “alarming practice of using surveillance technology to monitor and intimidate individuals belonging to key sectors of society”. Journalists, who played a crucial role in upholding democracy by providing essential information to the public, have been subjected to this surveillance, stifling their ability to operate freely and independently. Politicians and businesspeople too have faced “unwarranted intrusion into their private lives and professional activities, undermining their ability to carry out their roles effectively”. The European Parliament “explicitly condemns these actions, emphasising the significance of safeguarding democratic principles, freedom of the press, and the right to privacy”, the statement added.

While the European Parliament has taken a stern stand on the matter, the Israeli company NSO Group has been subjected to export limitations by the US federal government. Major technology companies, including Apple and Meta (the owner of WhatsApp), also have taken NSO to court. Last week, the US Supreme Court allowed Meta Platforms Inc's (META.O) WhatsApp to pursue a lawsuit accusing Israel's NSO Group of exploiting a bug in the WhatsApp messaging app to install spy software allowing the surveillance of 1,400 people, including journalists, human rights activists and dissidents. A coalition of digital defence groups and NGOs identified several cases of Israeli spyware use in Armenia to target officials, journalists and activists, a Reuters report said, adding that Armenia was found by Alphabet’s Google to have employed another spyware called Predator in the past. Researchers also believe that Azerbaijan, which has been at war with Armenia over the disputed Nagorno-Karabakh territory for years, too used Pegasus against domestic opponents.

However, in India, there has not been much of a response from the government, barring the stand taken by it in the Supreme Court. The apex court instead reportedly observed (on August 25, 2022) that “they (its probe committee) have observed that the Government of India did not cooperate (with it)”. The three-urge bench comprising then Chief Justice N V Ramana and Justices Surya Kant and Hima Kohli quoted the report and recommended amending the law to improve privacy protection, fixing of accountability and establishing of a grievances redressal mechanism. A report in the Financial Times on March 30 this year said: “India is hunting for new spyware with a lower profile than the controversial Pegasus system blacklisted by the US government, with rival software makers preparing bids on lucrative deals being offered by Narendra Modi government. “There has been no official response to this report so far.

So the most important threat to democracy and freedom of speech now is the prevalence of a new situation where a government or a large corporation can easily access cyber criminals or mercenaries, who can be hired, or their spyware bought to plant spy malware inside the devices of any target anywhere. There exist cyber-criminal gangs which function as “a cyber-threats-as-a-service criminal enterprise”. Such groups market services including data leaks, distributed denial of service, remote desktop protocol hijacking, additional network penetration services and sophisticated forms of phishing. Hence, it would become practically impossible to identify or expose this emerging threat of cyber espionage.

The writer has extensively covered internal security, defence and civil aviation for the Press Trust of India for three decades. Views are personal.