For the past few days, alleged leaks related to a spyware (i.e. a malicious software designed to enter your phone or any other device) Pegasus, has been creating headlines across the world. 

As per Forbidden Stories (a France-based media house), an unparalleled leak of over 50,000 phone numbers/potential targets (including 300 verified phone numbers in India) selected for surveillance by the customers of the Israeli company NSO Group shows how this technology has been allegedly misused. 

To dig into this matter, a detailed global collaborative investigation, termed ‘The Pegasus Project’ was undertaken by more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. But despite the investigation, there are several unanswered questions that remain about this alleged mystery spying program.

What we know so far about Pegasus?

While the NSO started as a customer service start-up helping in troubleshooting smartphones, it went on to become a large cyber security firm, with 750+ employees and valuation over $1.5 billion, as per market estimates. During this course of time, Israeli officials had asked the CEO of NSO, Shalev Hulio, to also build a version of their technology for official use. 

Coming to the software in question, Pegasus, it is a surveillance tool developed by NSO. It is a military-grade spyware that infiltrates phones (be it iOS/Android) or any other device via mail or messaging platforms. 

As per reports, the spyware can be installed remotely on any device requiring no action from its owner. Once installed, it allows clients to take complete control of the device, including access to messages (allegedly even from encrypted messaging apps), steal any information on the device, turn on the microphone to record calls and other conversations, switch on the camera to secretly film the targeted person, or track him/her with GPS. 

For example, Pegasus could infiltrate a device with a missed call and could even delete the record of this missed call, making it impossible for the user to know they had been targeted. 

However, NSO proclaims that the product (i.e. Pegasus) which it sells to government clients is intended to “collect data from the mobile devices of specific individuals, suspected to be involved in serious crime and terror.” According to the company, they, along with other cyber intelligence and law enforcement agencies in the world, provide necessary cyber intelligence tools for governments to track and monitor hateful acts on instant messaging and social media, thereby, preventing and investigating terror and serious crime. 

As per NSO, they only engage with government entities and necessary approvals are sought from the export controls unit of Israel’s ministry of defence on the targeted individuals. 

NSO’s first client was Mexico, who credited the software for catching drug kingpin El Chapo twice, in 2014 and 2016.

The Pegasus Project

As per the ‘Pegasus Project’ consortium, the leaked data showed that the potential targets were in different countries including India, France, Mexico, Saudi Arabia, the United Arab Emirates, Hungary, among others. Potential targets were from different backgrounds too, and it included journalists, politicians, heads of states, lawyers, business executives, human rights activists, to name a few. This is the reason why it raises suspicion in the minds of people, because these people have nothing to do with terrorism, drug-trafficking, or any other wrong-doing. 

The consortium even met with victims from all over the world whose phone numbers appeared in the data and a forensic analyses of their phones were conducted by Amnesty International’s Security Lab and peer-reviewed by the Canadian organisation Citizen Lab, and they were able to confirm an infection or attempted infection with NSO Group’s spyware in 85 per cent of cases, or 37 in total. 

However, in a letter shared with Forbidden Stories and its partners, NSO Group contended that the consortium’s reporting was based on “wrong assumptions” and “uncorroborated theories.” 

The big question is whether the evidence of the consortium is enough? Are there enough on-the-record sources to back this data and investigation? 

Misuse of the software

In the past, the CEO of NSO has admitted that his clients have misused the software and that it was a violation of trust. NSO also claimed that it investigated 12 reports of misuse in 2020 and, between May 2020 and April 2021, “approximately 15 per cent of potential new opportunities for Pegasus were rejected for human rights concerns”. 

However, the group in a written statement to the media has stated that it cannot disclose who is or is not a client or discuss specific uses of its technology, in order to protect the ongoing public safety missions of its customers and given significant legal constraints. 

But the answers we are still searching for and not yet provided by the media consortium are about the source of the leak, the authenticity of the data as also the scans carried out to establish the integrity of the data. The consortium doesn’t state that these targeted individuals were spied on by their governments or give any evidence that one government was spying on another government or the governments are part of any global spying operation.

Concerns regarding an individual’s privacy

But the main cause of worry and the reason it has attracted so much of attention globally lies in the question – is the software being used unethically or for mass surveillance, and what safeguards (e.g. tighter controls on export of spywares) have the company put in place to avoid in any misuse of the technology? 

This gives rise to the concerns regarding an individual’s privacy and such so-called snooping activity violates human rights. Privacy is a right protected by constitutions of all civilised countries and it has to be respected unless a country’s national security is being compromised or threatened. 

It is also apt time for the Indian government to bring in a data protection law to regulate the use of surveillance technologies by its security agencies. 

On its defence, this is what NSO had to say in its official statement to the media - “Millions of people around the world are sleeping well at night, and safely walking in the streets, thanks to Pegasus and similar technologies which help intelligence agencies and law enforcement agencies around the world to prevent and investigate crime, terrorism, and paedophilia rings that are hiding under the umbrella of end-to-end encryption apps.” 

With the burgeoning controversy around privacy issues and pressure from the media and other stakeholders, Israel has established a committee to review the allegations of misuse of the NSO group’s surveillance software. Hence, it definitely merits a thorough, independent and transparent investigation. 

(Sayan Banerjee is a marketing and communications professional. The views expressed here are personal.)