By
As the Pegasus phone intrusion saga unravels, raising troubling questions over the government’s invasion of privacy, veteran journalists and civil rights activists turn the heat on the Centre by petitioning the Supreme Court for a probe into the matter.
“The world is not sliding, but galloping into a new transnational dystopia. This development has not been properly recognised outside of national security circles. It has been hidden by secrecy, complexity and scale. The Internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen.”
—Julian Assange, Cypherpunks:
Freedom and Future of the Internet, 2012
At that time, many people might have written off Assange’s statements as hyperbole. But as things stand today, with technological advancements firmly establishing digital authoritarianism across the world, his words have proven to be prophetic.
The revelations of governments using the Pegasus spyware developed by the NSO Group of Israel to snoop on “individuals of interest” such as politicians, journalists and activists have blown apart the “secrecy, complexity and scale” maintained by national security circles that Assange refers to. The expose was coordinated by Forbidden Stories, a Paris-based non-profit organisation. It is a collaborative investigation by more than 80 journalists from 17 news organisations in 10 countries to stitch together the story that journalists in India are referring to as the country’s Watergate moment.
Going beyond the sheer scale of the scandal, which is massive in terms of the total number of potential targets—more than 50,000 phone numbers in 50 countries—the expose revealed the dark underbelly of regimes hell-bent on retaining power at any cost, especially India, a democracy that figures among the top 10 countries where Pegasus victims are concentrated. The other nine countries are Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
The technology behind the sophisticated hacking is nothing short of remarkable. When installed on a smartphone, Pegasus, a military grade malware that was developed in 2016, can collect all communication, including encrypted information, and location information from the device.
How the malware works
The malware can then monitor the activities of the device-holder through a zero-click process and collect the phone’s data in a remote control fashion. No further human intervention is required for the malware to start mining and transmitting the data available on the device.
In short, the malware can infiltrate all security features of a device to collect data without the user’s knowledge or permission. At present, no known fixes exist for this malware.
It is well known that government agencies are not shy of snooping on their political opponents or even civilians, usually by tapping their phones. But the fact that someone can gain access to a person’s conversations, messages, and other private data, and gather intimate knowledge of what is going in their life, is a shocking reminder of how vulnerable individual rights have become. Apart from an infringement on privacy, the employment of such technology is a portent for the future of democracies. No wonder then that when the story broke in mid-July, it took the world by storm.
In order to confirm that phones had indeed been infected with the malware, Amnesty International’s Security Lab subjected the devices of many targeted individuals to forensic analysis, which was then peer reviewed by University of Toronto’s Citizen Lab.
The news organisations that were part of the project include The Guardian, Le Monde, Haaretz, Die Zeit, The Washington Post and The Wire.
The Wire said that Amnesty’s Security Lab conducted in-depth forensic analyses of 67 smartphones, of which 23 had been successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive. It quoted Claudio Guarnieri, director of Amnesty’s Security Lab, as saying: “There are a bunch of different pieces, essentially, and they all fit together very well. There’s no doubt in my mind that what we’re looking at is Pegasus.” Amnesty has published the full technical analysis on www.amnesty.org.
The findings of the investigations have been astounding, to say the least, hinting at the culpability of several governments across the globe, since the NSO Group has said that it sells Pegasus only to vetted governments, presumably with the approval of the Israeli government.
Pegasus emerges in India
While the Indian government has neither admitted nor denied that it had purchased the malware, the Pegasus infections in the country began to appear on the targeted individuals’ devices shortly after Prime Minister Narendra Modi met his Israeli counterpart Benjamin Netanyahu in mid-2017 along with National Security Advisor Ajit Doval.
According to reports, at least 1,000 phone numbers are on the list of potential targets of surveillance in India, of which 300 have been verified by the investigation project. Amnesty subjected 22 of these phones to forensic analysis, of which 10 were confirmed to have been infected with Pegasus and eight of the other 12 yielded inconclusive results.
The potential targets include 40 journalists, doctors, lawyers, officers and a sitting judge of the Supreme Court, politicians from opposition parties, Ministers, civil society activists and a former member of the Election Commission of India (Ashok Lavasa). This indicates that the surveillance had nothing to do with national security or public order and safety, the only two circumstances under which it is legal to engage in surveillance in the country. Hacking is a criminal offence under the Information Technology (IT) Act, 2000.
The revelations are worrisome because the information mined, in part or whole, could have been instrumental in changing the course of the politics of the day and could have been used to manipulate elections, undermine election campaigns and strategies, or frame political opponents.
Among the targeted phone numbers, nine were associated with Congress leader Rahul Gandhi, including five personal numbers of his friends. Prashant Kishore, the election strategist, and Abhishek Banerjee, Trinamool Congress member of Parliament, were put on the snoop list during the West Bengal Assembly election, one of the most fiercely contested elections in recent times in which the Trinamool ultimately trounced the Bharatiya Janata Party (BJP).
Eight numbers used by Alok Verma, former director of the Central Bureau of Investigation, and his family members were on the list. These were added soon after he was sacked on the night of October 23, 2018. He moved the Supreme Court against his dismissal and may have been under surveillance when his case was being heard in the apex court. Similarly, Jitendra Kumar Ojha, who was ‘compulsorily retired’ from the Research and Analysis Wing in 2017, was added to the list in early 2018, when he moved the Central Administrative Tribunal challenging his premature dismissal from service.
Even Union Ministers were on the snoop list. About 18 numbers associated with Jal Shakti Minister Praful Singh Patel and two numbers of Information Techonology Minister Ashwini Vaishnaw were found on the database. Ironically, Vaishnaw, in his new role as IT Minister after a recent Cabinet reshuffle, had to defend the government in the Pegasus row. He said that the questions raised by the Pegasus Project had already been answered and that the questionnaire sent to the government indicated poorly conducted research and lack of due diligence by the media organisations involved.
Some of the other names that figured on the list were Praveen Togadia, former head of the Vishwa Hindu Parishad (VHP), Pradeep Awasthi, personal secretary to former Rajasthan Chief Minister Vasundhara Raje Scindia, and Sanjay Kachroo, who was chosen as officer on special duty by Smriti Irani, former Human Resource Development Minister, but never appointed. Sanjay Kachroo’s father and minor son were also on the list.
Supreme Court not spared
Several people associated with the Supreme Court figured in the list, raising troubling questions about the extent to which those who had deployed Pegasus had compromised the system. The list also featured 10 numbers of a former Supreme Court staffer who had accused Ranjan Gogoi, former Chief Justice of India, of sexual harassment, and those of her family members.
The numbers of N.K. Gandhi and T.I. Rajput, the officers who used to work in the ‘writ’ department of the Supreme Court’s registry, were also found in the database. A mobile number formerly held by Justice Arun Kumar Mishra, who retired from the Supreme Court in September 2020 and is currently head of the National Human Rights Commission (NHRC), was added to the database in 2019. The numbers of several lawyers also figured in the the list. In early 2018, the numbers of Vijay Kumar Aggarwal and his wife were added to the database after he became the fugitive businessman Nirav Modi’s counsel.
Aljo P. Joseph, a New Delhi-based lawyer, was added to the list in 2019. He represents Christian Michel, the British middleman extradited to India in December 2018 in connection with the Agusta Westland helicopter deal case. The number of junior lawyer M. Thangathurai, who worked under former Attorney-General Mukul Rohatgi, was also on the snoop list.
A lawyer who did not wish to be named told Frontline that the deployment of the Pegasus spyware on people associated with the Supreme Court was an extremely sensitive issue, adding that no one in the judicial system would dare raise it even as the court might continue to hear matters concerning Pegasus.
Elgaar Parishad
The phone numbers of several persons accused in the Elgaar Parishad-Bhima Koregaon case, who are now behind bars, figure in the snoop list. They include M.T. Hany Babu, Rona Wilson, Vernon Gonsalves, Anand Teltumbde, Shoma Sen, Gautam Navlakha, Arun Ferreira, and Sudha Bharadwaj, along with the family members and friends of other co-accused persons. The entire case is based on evidence allegedly found on some of their computers by the National Investigating Agency (NIA).
In April this year, Rona Wilson and Shoma Sen moved the Bombay High Court seeking the quashing of the charges against them after Arsenal Consulting, a digital forensics company based in Massachusetts, United States, found that documents had been planted on their computers. The NIA had kept them and others in jail citing documents found on their computers as incriminating evidence. Arsenal’s findings and the Pegasus expose now raise questions about the validity of the case against them.
Given the magnitude of the breach of public trust and the Union government’s skirting of the entire issue, the West Bengal government on July 26 set up a two-member judicial commission of inquiry into the Pegasus revelations headed by retired Supreme Court Judge Madan B. Lokur. The other member is Justice Jyotirmay Bhattacharya, former Chief Justice of Calcutta High Court.
Journalists’ petition
Several petitions have also been filed in the Supreme Court in the wakeof the Pegasus revelations, which are being heard by a Bench comprising Chief Justice of India N.V. Ramana and Justice Surya Kant. Prominent among the petitioners are N. Ram, former Editor-in-Chief of The Hindu Group of Publications and Director, The Hindu Publishing Group (THG), and Sashi Kumar, chairman of the Asian College of Journalism, who have demanded a formal, court-supervised investigation.
The petitioners have sought a direction to the Union of India to disclose if the government or any of its agencies have bought Pegasus and conducted surveillance in any manner whatsoever. They have also raised the questions around the implications of such a hack and whether it represented an attempt by agencies and organisations to muzzle and chill the exercise of free speech and expression of dissent in India.
The petitioners said that if such a hack had indeed taken place, it was an unacceptable violation of the right to privacy which has been held to be a fundamental right under Articles 14, 19 and 21 by the Supreme Court in the K.S. Puttaswamy versus Union of India (2017) case.
The petitioners said: “The Pegasus hack is a direct attack on communicational, intellectual and informational privacy, and critically endangers the meaningful exercise of privacy in these contexts. The right to privacy extends to use and control over one’s mobile phone/electronic device and any interception by means of hacking/tapping is an infraction of Article 21. Further, the use of the Pegasus spyware to conduct surveillance represents a grossly disproportionate invasion of the right to privacy.”
Their plea stated that the targeted interception seriously compromised the effective exercise of the fundamental right to free speech and expression under Article 19(1)(a) of the Constitution. The petitioners said: “It has an obvious chilling effect on expression by threatening invasion into the most core and private aspects of a person’s life. The specific targeting of scores of journalists is an attack on the freedom of the press, and seriously abridges the right to know, which is an essential component of the right to free speech and expression.”
Also, the legal regime for surveillance under Section 5(2) of the Telegraph Act has been completely bypassed in the present case, according to the petitioners. They said: “Surveillance is justified only in cases of public emergency or in the interests of public safety, and the existence of such conditions must be inferred reasonably and cannot be determined solely on the assessment of the government. Neither of these mandatory conditions have been met in the present case, rendering the surveillance wholly illegal.”
The plea further said that the interception occasioned by the Pegasus spyware constitutes a criminal offence punishable under inter alia Section 66 (computer related offences), 66B (punishment for dishonestly receiving stolen computer resource or communication device), 66E (punishment for violation of privacy) and 66F (punishment for cyberterrorism) of the IT Act, punishable with imprisonment and/or fine.
The petitioners said: “The attack prima facie constitutes an act of cyber-terrorism that has several grave political and security ramifications, especially considering that the devices of government Ministers, senior political figures and constitutional functionaries which may contain sensitive information have been targeted.”
The Editors Guild of India also filed a writ petition in the Supreme Court seeking a court-monitored Special Investigative Team (SIT) probe into the reports of state surveillance of journalists, activists and politicians. In its plea, the organisation said: “Freedom of the press relies on non-interference by the government and its agencies in reporting of journalists, including their ability to securely and confidentially speaking with sources, investigate abuse of power and corruption, expose governmental incompetence, and speak with those in opposition to the government.”
The petition, filed through advocates Rupali Samuel and Raghav Tankha, and Lzafeer Ahmad, advocate on record, also sought court directions to the Central government to produce details of contracts entered into with foreign companies for deploying spyware for surveillance and the persons against whom such spyware was used.
John Brittas, a Rajya Sabha member from the Communist Party of India (Marxist), advocate M.L. Sharma, activist Jagdeep Chhokar and former Finance Minister Yashwant Sinha also filed petitions with similar demands.
Five persons directly affected by the Pegasus spyware intrusion also approached the apex court contending that the unauthorised hacking of their phones, as confirmed by Amnesty, had violated their constitutionally guaranteed fundamental rights. They are journalists Paranjoy Guha Thakurta, S.N.M. Abdi, Prem Shankar Jha, and Rupesh Kumar Singh, and activist Ipsa Shatakshi, Rupesh Kumar Singh’s wife.
Speaking to Frontline, Paranjoy Guha Thakurta said: “George Orwell’s 1984 is here and now, we live in a surveillance state. The way I perceive it, it is not just an infringement on my fundamental right of privacy, but it is also an attempt to stifle my freedom of expression. I have been a journalist for 44 years. The names of my anonymous sources can also be disclosed. It has a chilling effect on investigative journalism and the right to free speech. At the end of the day, it is dangerous for the future of democracy.”
He added: “Besides, I don’t agree with [Home Minister] Mr Amit Shah that this expose is an international conspiracy. More than 55,000 members in 50 countries have been on the target list. Six heads of state are involved. Are all of them conspiring against India, I really wonder. Finally, if the French and Moroccan governments can investigate the matter, then why not India?”
Paranjoy Guha Thakurta is unfazed by this attack as it is not his first brush with the powers that be. Over the years, he has received more than a dozen legal notices for his investigative journalism and is currently fighting three sets of defamation cases.
Similarly, Rupesh Kumar Singh, an independent journalist and activist from Ramgarh in Jharkhand, was earlier in the cross-hairs of the state for his work. He writes in Hindi for various widely read magazines and online portals such as Media Vigil, Gauri Lankesh News, The Wire and Janchowk. His works involves reporting on state violence against Adivasi communities in Jharkhand.
In June 2017, a story he had written for The Telegraph newspaper on the fake encounter of Motilal Baskey of Giridih in Jharkhand, a tourist porter, triggered a massive movement against state atrocities and the matter reached both Houses of Parliament. The Pegasus surveillance began within a month of that incident, he told Frontline.
In 2019, the Intelligence Bureau (I.B.) arrested him and warned him against doing “negative journalism” that encouraged the Maoists. Rupesh Kumar Singh said that he was first kept in illegal custody for two days, during which time the I.B. tried to bribe him. When he refused, I.B. officers filled his car with ammunition before his eyes and arrested him along with his driver.
Rupesh Kumar Singh was behind bars for six months before he was released on bail as the prosecution failed to file a charge sheet within the stipulated period. He is worried that some of his sources might suffer adverse consequences as a result of his phone breach. He also fears that this intrusion might stop informants and whistle blowers from exposing wrongdoings at various levels of government and, as such, have a detrimental effect on transparency in governance all over the country.
CJI Bench’s queries
On August 5, a Bench led by the Chief Justice of India heard all nine petitions filed until then and directed the petitioners to serve copies of their petitions on the government of India. The Bench observed that if the reports were true, then the allegations were serious and the truth had to come out. However, the CJI asked the petitioners why no first information report (FIR) had been filed in the matter, and why the petitions were being filed only now, since the Pegasus controversy had already arisen in 2019.
Senior advocate Arvind Datar, who appeared for Rupesh Kumar Singh and Ipsa Shatakshi, said that there was no provision for filing an FIR as it was not known who had hacked the phones and that the IT Act only referred to infringement of privacy in relation to bodily parts, which was not the case in this matter.
Senior advocate Kapil Sibal, who appeared for N. Ram and Sashi Kumar, informed the Bench that the extent of the Pegasus attack was not known until the forensic reports had been made public. Senior Advocate C.U. Singh told the court that in 2019, the names of the persons targeted were not known. Senior advocate Meenakshi Arora, who appeared for John Brittas, referred to former IT Minister Ravi Shankar Prasad’s statement in the Lok Sabha on the Pegasus issue that to the best of his knowledge, there was no unauthorised interception.
As more skeletons tumble out of the closet as the Pegasus saga unravels, it would not be out of place to turn to the American science fiction writer Philip K. Dick, who said more than 30 years ago: “There will come a time when it isn’t ‘They’re spying on me through my phone’ anymore. Eventually, it will be ‘My phone is spying on me’.” This quote aptly describes the dystopia the world has come to inherit. With technological strides opening new possibilities of infringement on people’s rights, checks and balances to prevent the misuse of such military grade spyware are the need of the hour. The Pegasus expose might be the first step in that direction.
This story first appeared on frontline.thehindu.com