Pegasus Scandal: High Level Independent Investigation Needed, Says Cyber Security Expert

Hacking is a crime and no exemption is given either for government or for private persons in the application of this law, Internet Freedom Foundation's Apar Gupta tells Outlook.

Pegasus Scandal: High Level Independent Investigation Needed, Says Cyber Security Expert

Apar Gupta, lawyer and Executive Director of Internet Freedom Foundation, talks to Outlook's Preetha Nair about the security breaches which are involved in the alleged state surveillance by Israeli spyware Pegasus.

Many opposition parties have raised concerns of national security on the Pegasus-aided surveillance. How real are the concerns?

I think there's a credible basis to the allegations being raised with respect to threats of national security given that there is no clear government denial and the range of people who are targeted are public personalities quite often also holding offices which will impact the very foundations of electoral democracy, such as Election Commissioner, a constitutional authority. The lack of a clear denial by the government poses the possibility of a foreign government utilizing Pegasus to target Indian citizens who are at these levels of public function thereby becoming a national security issue, Even if the government by itself has acted and utilized Pegasus which is the other possibility as per a contract entered between NSO group, which is the company that deploys  and has created Pegasus under which the installation of the software is not only done through download or through a CD, it is done through an installation that is supervised by two of its engineers. So, there is a degree of constant service which is provided by the NSO group to client states by itself... Further, given that this is classified as arms exports from Israel, where specific permissions need to be taken by the Israeli Ministry of Defense, the very large questions is to whether there would be the possibility of any data leak or oversight or any kind of access to the contents that is extracted from the smartphones of the targets that can be utilized not only by Israel, but other countries as well.

So, at the very least, the demand for a high-level independent investigation, maybe in the form of even a joint parliamentary committee is only needed today to restore some degree of confidence if not to address the actual breach of national security.

Do you think a violation of various laws at multiple levels are involved in the alleged snooping by the Israeli spyware?

This is correct. The first level of violation of laws is with respect to the laws of Israel by itself under which, through a 2007 law, any kind of malware export, which is classified as a cyber weapon such as Pegasus requires an end-user export certificate, which restricts the use of the software to prevent cases of terrorism or national security. However, as we have seen from the range of targets, it is quite often been deployed for political purposes on leaders of opposition or candidates contesting elections, or even an Election Commissioner. So there is a violation at that level itself. The second is that the surveillance framework in India does not authorize the installation of such malware by itself. Hence, it would be outside the scope of authorizations, even if authorizations would be issued under the Indian telegraph act or the Information Technology Act. And the third level of violation is that under the Information Technology Act, particularly section 66, this classifies as a computer contaminant in which there can be a criminal penalty placed on the people who do it and there is no exemption for the government to utilize this software under a legal order, given that it is a crime punishable by a term of imprisonment.

Does it come under the fundamental right to privacy especially in the case of the woman, who raised sexual harassment charges against the former Chief Justice of India?  

The fundamental right to privacy is a larger public law and definitely, that also holds. If you look at it constitutionally, there has been also a breach, but much more in terms of the applicable rules, regulations processes, there is a clear breach at several levels.

In the case of the woman, who raised sexual harassment charges against the former CJI is also a violation of exactly the protections which are provided to survivors under Indian law because many of her relatives have been put under surveillance. So, even if it does not start out as harassment, which we cannot state, given that there has not been an inquiry that has been conducted till now, which is truly impartial and open. And even the contents of that are confidential. But still, at the very level, this surveillance has been done on her and her relatives or questionably may have been done because their numbers are there, but their smartphones have not yet been examined or verified. It still is a form of harassment, subsequent to the complaint, which has been filed.

The government has maintained that authorized surveillance is permissible under the law.

I don't think the IT minister clearly stated that Pegasus has been utilized by the Government of India or any of its agencies. The minister further did not clearly state that Pegasus is a form of surveillance. He only made references to the applicable legal frameworks, which are under the telegraph Act and the IT act. And as per several experts, including our own legal analysis, it is clearly prohibited and constitutes a crime under Information technology.

Hacking is a crime and no exemption is given either for government or for private persons in the application of this law.

Is there any law that prohibits the procurement of malware or, technologies by the government?

While the procurement itself may not be prohibited, the use certainly is. Because the use of any malware is a crime under Section 66 of the Information Technology Act.

The Pegasus leak also has many phone numbers of BhÄ«ma Koregaon accused and their family members. Earlier, US-based forensic firm Arsenal has also revealed the planting of evidence through malware in the accused’s devices. Do you connect any dots here?

The 2019 reports with respect to the first list of Pegasus targets included several activists, including those who are present now being prosecuted in the Bhīma Koregaon case. The case also has existing allegations which have been verified to forensic analysis by Arsenal, with respect to at least two of the accused in different reports that there has been malware found with respect to the evidence under which they are being charged to be tampered or placed through a process of spyware in which their devices have been hacked. Hence putting two and two together, there is a very, very strong inference which arises that makes the evidence the basis of which is the criminal investigation into this incident suspect.

Any digital security tips you want to share..

We at the Internet Freedom Foundation would advise people to refer to the existing guidance provided by well-established international groups such as amnesty tech, as well as the Electronic Frontier Foundation, which helps people in a very accessible way, first devise what is called as a threat vector in terms of the risk profile that they fit in. Then take active steps towards erecting some forms of security hygiene around it...