Two sets of questions asked in Parliament to two different ministries, on the Israeli software Pegasus used to hack into the smartphones of Indian activists, have drawn different replies. Clearly, the government is hiding far more than it is willing to reveal.
Minister of State for Home Affairs, G Kishan Reddy, replied on 19 November to a question raised by Dayanidhi Maran, a Member of Parliament and former minister of information technology, on whether the government “does tapping of WhatsApp calls and messages” and the “protocols being followed”. Reddy's reply states that the government has powers, under section 69 of the Information Technology (IT) Act, “...to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource...” It then states the circumstances in which the government could exercise these powers and the protocol it would follow for such interceptions.
Simply put, Reddy’s reply has said—without stating that it had actually tapped the phones of activists—that the government has the power to use spyware to tap phones and the procedure for tapping. In other words, yes we can do it, and this is how we do it.
Contrast this with IT minister Ravi Shankar Prasad’s answer to a similar question on 20 November.
Question: Asaduddin Owaisi and Syed Imtiaz Jaleel
Whether the government has taken cognizance of the reports of alleged use and purchase of the Pegasus spyware by government agencies and if so, the details thereof along with the reaction of the government thereto;
Answer: Ravi Shankar Prasad, minister IT: Some statements have appeared, based on reports in media, regarding this. These attempts to malign the government of India for the reported breach are completely misleading. The government is committed to protect the fundamental rights of citizens, including the right to privacy. The government operates strictly as per provisions of law and laid down protocols. There are adequate provisions in the Information Technology (IT) Act, 2000 to deal with hacking, spyware etc.
In other words, reports of the government buying and use of Pegasus are not wrong, but misleading. Then it states what Kishan Reddy’s statement also says, though in different words: that the government has powers under the IT Act to deal with hacking, spyware etc, and that it operates as per the law. To “deal with” spyware, in Prasad’s language, could very well include buying such spyware!
If this is not so, and if the government has nothing to hide, why did the Bharatiya Janata Party (BJP) leaders in Parliament’s Standing Committee on Information Technology oppose taking up this issue? The committee, with 24 members attending, split half-and-half, and it required a casting vote from Shashi Tharoor, chairman of the committee, to resolve the issue. PDT Achary, former secretary-general of the Lok Sabha, called this vote—on what can or cannot be taken up—“unheard of” in the history of Indian Parliament.
Prasad’s answer in Parliament also makes it clear that WhatsApp-Facebook had informed the government, not once but twice this year—in May and again in September—about the hacking of its software. In its second report, WhatsApp-Facebook had informed the government that at least 121 of their user’s phones had been hacked.
The government’s response—if it was indeed innocent—should have been to ask who these 121 people are, to reach out to them for information, and to file a First Information Report and open criminal investigations. All this should have been done under the IT Act that Prasad quotes at Maran in his response to Maran’s question in Parliament. Instead, CERT-In, his ministry’s arm that looks in to IT security issues, asked WhatsApp some useless questions.
The lack of any action by the government to open investigations into this hacking, not even asking WhatsApp who the 121 are, to check whether they are important functionaries of the government— and therefore if this was an act of a hostile power—shows that the government is fully aware of who the people whose phones have been hacked are. Reuters reported on 31 October 2019 that Pegasus hacking tools have been used to spy on government officials in 20 countries. How is the Indian government so sure that none of its officials are among the 121 Indians whose phones were hacked?
The government’s behaviour in refusing to open investigations, stonewalling the simple question whether any of its arms had procured and used Pegasus, its opposition to Parliament’s standing committee taking up this issue, all lead to the conclusion that a government agency had procured the Pegasus tools and used them against at least the 121 activists. How many more phones and devices have been hacked is an open question. WhatsApp is only one of many applications that Pegasus can target. If the Pegasus tools are indeed being used by a government department, then these 121 could very easily be the tip of an iceberg. This could well be the reason why the government is hiding the truth of the Pegasus hack.
The other issue, which has yet to surface, is that even though WhatsApp has now closed this security hole—which used a missed call—what about other security holes that still exist, and other attack vectors that Pegasus is known to possess?
Let us take up the security issues regarding the new WhatApp hack that has been reported. It uses an “infected” video which, when opened, leads to our phones getting hacked. Once a phone has been infected, how can it be cleaned so that it is infection-free and our communications are not compromised? Once an attack with the level of sophistication of Pegasus takes place, it is possible that the phone’s operating system is compromised, and the hack gains what is called root access. If this happens, a simple factory reset of the phone and loading the applications once again may not work, as the operating system is not reloaded during this process. Consequently, such a hack could permanently damage our phones.
Also, if the government has wilfully damaged our smartphones and our computer equipment, who pays for it? Can NSO, the Israeli company that owns the Pegasus tools, be sued in India for complicity in criminal acts, and can we claim damages from it?
The other question regarding the hacking of our smartphones, even if executed under the powers given to the government under Section 69 of the IT Act, is how this section stands in relation to the right to privacy that has been declared a fundamental right by the Supreme Court in the Aadhaar/Puttaswamy judgement? Can the government seize—such hacking is equivalent to a seizure of my phone and my data—our information in this way, without informing us?
One problem with WhatsApp-Facebook touting its end-to-end encryption is that it gives its users a false sense of security. If the phone itself is infected, there is no need to break their encryption: the phone has de-encrypted messages stored anyway, on both the sender’s and the receiver’s phones. This is the reason why the CIA and NSA in the United States (US) never spent much time on deciphering intercepted encrypted messages. Instead, it used backdoors that it helped create in collusion with software and equipment manufacturers, so that it could hack into people’s equipment and therefore their communications. Spook agencies do not target encrypted communications. It is much simpler for them to target the existing security holes in hardware and software. These holes are simply mistakes in programming—sloppy code. Or worse, the holes are created by the companies on purpose, to help their home spook agencies. Or the companies use these holes themselves, to spy on their users for commercial reasons.
Spyware or malware created by some group of criminals and traded in the Darknet may cause damage, but there is much bigger damage when major spy agencies such as the CIA-NSA in the US, the GCHQ in the United Kingdom or Unit 8200 in Israel, are involved in creating spyware. As we now know, even these “tools” eventually enter the black or grey markets. In 2016, NSA’s hacking tools were dumped on the internet by the hacker group, The Shadow Brokers. This was followed, in 2017, by WikiLeaks' Vault 7 documents on CIA’s hacking capabilities. These spyware tools are far more sophisticated and operate at levels that no group of criminals can reach. This is the threat in the digital century, where all our communications are increasingly becoming digital.
This brings me to my last point. Pegasus is not a simple “security” company selling its spyware to commercial buyers. It is very much a part of the Israeli military-industrial complex that, in conjunction with its US allies, the NSA and CIA, has created a whole box of tricks. Any country that buys this software or uses it against its own citizens also provides a direct conduit to this information to Israel and the US agencies. In other words, these tools do not simply hack the activist’s equipment, but hacks the IT infrastructure of their countries as well. Using spyware from such companies compromises far more than merely the security of activists. This is a lesson all governments need to learn.