All that you need to know about ‘PEGASUS’- The Spyware which everyone is talking about.
In September 2018, Citizen Lab, a laboratory based out of the University of Toronto, Canada released a report detailing the software capabilities of a “Spyware Suite” called Pegasus produced by an Israeli Tech firm namely the NSO Group. The report indicated that individuals from nearly 45 countries were suspected to have been affected. The Pegasus suite of spyware can allegedly be used to compromise the digital devices of an individual through zero click vulnerabilities, i.e., without requiring any action on the part of the target of the software. Once the software infiltrates an individual’s device, it allegedly can access the entire stored data on the device and has real-time access to emails, texts, and phone calls, as well as the camera and sound recording capabilities of the device. Once the device is infiltrated using Pegasus, the entire control over the device is allegedly handed over to the Pegasus user who can then remotely control all the functionalities of the device and switch different features on or off. The NSO Group purportedly sells this extremely powerful software only to certain undisclosed Governments and the end user of its products are “exclusively government intelligence and law enforcement agencies” as per its website.
In May 2019, the global messaging giant WhatsApp Inc. identified a vulnerability in its software that enabled Pegasus spyware to infiltrate the devices of WhatsApp’s users. This news was followed by a disclosure that the devices of certain Indians were also affected, which fact was acknowledged by the then Hon’ble Minister of Law and Electronics and Information Technology in a statement made in the Parliament on 20th November 2019. On 15th June 2020, Citizen Lab, in collaboration with the international human rights organisation, Amnesty International uncovered another spyware campaign which allegedly targeted nine individuals in India, some of whom were already suspected targets in the first spyware attack. On 18th July 2021, a consortium of nearly 17 journalistic organisations from around the world, including one Indian organisation, released the results of a long investigative effort indicating the alleged use of the Pegasus software on several private individuals. This investigative effort was based on a list of some 50,000 leaked numbers which were allegedly under surveillance by clients of the NSO Group through Pegasus software. Initially, it was discovered that nearly 300 of these numbers belonged to Indians, many of whom are senior journalists, doctors, political persons, and even some Court staff. The above reports resulted in large-scale action across the globe, with certain foreign governments even diplomatically engaging with the Israeli Government to determine the veracity of the allegations raised, while other governments have initiated proceedings internally to determine the truth of the same.[1]
TIMELINE THAT FOLLOWED THE PEGASUS CASE
July 18th, 2021: A report reveals the possibility of over 300 mobile phone numbers in India being targeted with Pegasus coming into the news.
July 19th, 2021: Centre unequivocally denied all ‘over the top allegations’ of surveillance using Pegasus.
July 19th, 2021: The NSO claimed that the allegations were false and misleading.
July 20th, 2021: Indian National Congress demands a probe by a Joint Parliamentary Committee into the Pegasus Controversy.
July 22nd, 2021: A petition was filed in the Supreme Court seeking a Court-monitored probe by an SIT and prosecution of all accused persons on ministers for buying Pegasus and snooping.
July 22nd, 2021: Amnesty International claimed that it “categorically stands by” the findings of the investigation after the BJP went on to quote that Amnesty International had said that the list of phone numbers suspected to be under surveillance was not directly related to the NSO group.
July 23rd, 2021: Congress leader Rahul Gandhi demands a judicial probe into the allegations of surveillance.
July 25th, 2021: CPI (M) Rajya Sabha member John Brittas approached the Supreme Court seeking a Court-monitored probe by an SIT in the Pegasus Spyware case.
July 27th, 2021: West Bengal Chief Minister Mamta Banerjee announces a commission of inquiry in the Pegasus Spyware case. The commission consisted of Retired Supreme Court Justice Madan Lokur and former Chief Justice of Calcutta High Court Justice (retd.) Jyotirmay Bhattacharya as members.
July 29th, 2021: Over 500 individuals and groups wrote to CJI N.V. Ramana seeking immediate intervention from the Supreme Court and also sought a moratorium on the sale, transfer and use of Pegasus spyware.
August 5th, 2021: The SC hears 8 petitions seeking an independent probe into the matter. The SC observed the allegation of surveillance through the use of Pegasus as serious. The Bench did not issue a notice back then but asked the parties to the petition to first supply copies of their petitions to the Government Counsels.
August 16th, 2021: The SC reiterated that it cannot compel the “reluctant” Centre to file a detailed affidavit on petitions seeking to know if Pegasus spyware was used. However, the Centre submitted a limited affidavit stating that it would set up a “committee of experts in the field” which will go into all aspects of the issue in order to dispel any wrong narrative spread by certain vested interests and with the object of examining the issues raised.
August 17th, 2021: The SC issued a pre-admission notice to the Centre on a batch of petitions seeking an independent probe. The Centre denied putting details in a public affidavit claiming national security implications.
September 12th, 2021: The SC reserved its interim order on petitions seeking probes.
October 27th, 2021: Ruling that the State does not get a free pass every time the spectre of national security is raised, the SC appointed a committee to conduct a “thorough inquiry” into Pegasis allegations.[2]
EVENTS THAT FOLLOWED AFTER THAT
The technical committee set up by the Supreme Court was supervised by Justice R.V. Raveendran, former Judge, Supreme Court of India, assisted by Mr. Alok Joshi, former IPS officer (1976 batch) & Dr. Sundeep Oberoi, Chairman, International Organisation of Standardisation/ International ElectroTechnical Commission/Joint Technical Committee. Other members of the committee include Dr. Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, National Forensic Sciences University, Gandhinagar, Gujarat, Dr. Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala and Dr. Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay, Maharashtra.
The committee conducted deposition hearings of experts and petitioners associated with the case including Mr. Sashi Menon, Hon’ble MP John Brittas and Mr. Siddharth Varadarajan between December 16th, 2021, and February 2nd, 2022. The Technical Committee was meant to submit its report on May 20th but was subsequently granted an extension until June 20th, 2022. The Committee finally submitted its report to the SC on August 2nd, 2022.[3]
On August 25th, 2022 a bench of Chief Justice of India (CJI) NV Ramana and Justices Surya Kant and Hima Kohli, after examining a voluminous report submitted by the three-member expert committee, noted that while some malware was found in 5 of the 29 devices, the same was not Pegasus.[4]
The Supreme Court appointed committee tasked to probe into the allegations regarding the use of Pegasus spyware by the Government of India has concluded that the spyware was not found in the twenty-nine mobile phones examined by it.
The report by the Committee recommended the enactment of a law on surveillance and improving the right to privacy, enhancing the cyber security of nations, strengthening the protection of the right to privacy of citizens, and also a mechanism for raising grievances regarding surveillance which is illegal.
It would be pertinent to note that the committee went on to quote that the Centre Government did not cooperate and assist the inquiry committee.
When the bench, on perusal of the report, said the Centre did not cooperate, Solicitor General Tushar Mehta responded by saying he was not aware of that.
“Pursuant to the order dated October 27, 2021, the Technical Committee and the Overseeing Judge have submitted their reports in sealed covers. The same is taken on record. The sealed covers were opened in the Court and we read out some portions of the said reports. Thereafter, the reports were re-sealed and kept in the safe custody of the Secretary General of this Court, who shall make it available as and when required by the Court,” the Court ordered.
The Supreme Court might upload a copy of the committee report on the website but it has been resealed and kept in the custody of the Secretary-General for now in order to check for portions that might have implications on national security and to observe what portions of the report could be shared and what portions can not be shared. The SC concluded by stating that the matter will be heard after 4 weeks.
It would be interesting to see what steps the Central Government or the Supreme Court takes on the recommendations made by the inquiry committee and to see what journey lies ahead for the Right of Privacy as a fundamental right in India.
[1] Manohar Lal Sharma versus Union of India & Ors. [Writ Petition (Crl.) no. 314 of 2021]
[2] https://indianexpress.com/article/india/a-timeline-of-the-pegasus-snooping-scandal/