Insights into Editorial: Pegasus misadventure: On WhatsApp snooping scandal
Context:
The Government’s reaction to messaging platform WhatsApp’s revelation that Indian journalists and human rights activists were among some 1,400 people globally spied upon using a surveillance technology developed by Israel-based NSO Group is inadequate and, more unfortunately, far from reassuring.
In this case, a malicious code, named Pegasus, exploited a bug in the call function of WhatsApp to make its way into the phones of those select users, where it would potentially have had access to every bit of information.
what exactly is Pegasus?
All spyware does what the name suggests — they spy on people through their phones.
Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
Once Pegasus is installed, the attacker has complete access to the target user’s phone.
The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
The Pegasus tool at that time exploited a software chink in Apple’s iOS to take over the device. Apple responded by pushing out an update to “patch” or fix the issue.
Israeli company developed this Pegasus Spyware:
Israeli company, NSO Group developed the spyware. The Spyware exploited a vulnerability in Whatsapp’s video call feature that allowed attackers to inject the spyware on to the phones simply by ringing the number of a target’s device.
However, NSO said that it sells Pegasus only to Governments and their agencies.
Pegasus is believed to be one of the most sophisticated spyware in the world. The spyware can hack both iOS and Android devices by targeting vulnerabilities in the operating systems.
It is capable of running in the background without the targeted user ever knowing about the hack.
Can Pegasus be used to target just about anyone?
- Technically, yes. But while tools such as Pegasus can be used for mass surveillance; it would seem likely that only selected individuals would be targeted.
- In the present case, WhatsApp has claimed that it sent a special message to approximately 1,400 users who it believed were impacted by the attack, to directly inform them about what had happened.
- WhatsApp has not said how many people it contacted in India. By reports, at least two dozen academics, lawyers, Dalit activists, and journalists were alerted by the company in India.
- It is not known who carried out the surveillance on the Indian targets.
- The NSO Group, while disputing WhatsApp’s allegations “in the strongest possible terms”, has said that it provides the tool exclusively to “licensed government intelligence and law enforcement agencies”, and not just to anyone who wants it.
There cannot be any national security without individual privacy
- The targeted users included activists, journalists, and senior government officials, among others.
- This intrusion by the spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.
- The security of a device becomes one of the fundamental bedrocks of maintaining user trust as society becomes more and more digitised.
- Such an approach belies appreciating the injury and threats to individuals and the country.
- There is an urgent need to take up this issue seriously by constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
- We must all recognise that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
- This is a core part of our fundamental right to privacy.
Conclusion:
The Government says, it is concerned over the breach of privacy of the citizens of India and asked WhatsApp to explain the kind of breach and what is it doing to safeguard the privacy of millions of Indian citizens.
In a country where data protection and privacy laws are still in a nascent stage, incidents such as this highlight the big dangers to privacy and freedom in an increasingly digital society.
It is thus imperative that the Government sends a strong message on privacy, something that the Supreme Court in 2017 declared to be intrinsic to life and liberty and therefore an inherent part of the fundamental rights.
The first thing it could do is to answer categorically if any of the governmental agencies used NSO’s services.
It is, therefore, extremely important for the Government to clear the air on this issue in no uncertain terms especially when WhatsApp had given information to CERT-IN, a government agency, even if without any mention of Pegasus or the extent of breach.