THE two sets of questions in the Parliament to two different ministries on the Israeli software Pegasus being used to hack smartphones of Indian activists have drawn different replies. It makes clear that the government is hiding more than it is willing to reveal.
The Minister of State for Home, G Kishan Reddy, replying to Dayanidhi Maran’s question on whether the government “does tapping of WhatsApp calls and messages” and the “protocols being followed”, stated on November 19th that the government has powers under the Section 69 of the IT Act, “…to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted, any information generated, transmitted, received or stored in any computer resource…”. It then went on to answer the circumstances where it could exercise this power and the protocol that it would follow for such interceptions.
Simply put, it is said—without stating whether it had actually tapped the phones of activists—that it had the power do use spyware for tapping phones and the procedure it would follow. In other words, yes we can do it, and this is how we do it.
Contrast this with the IT Minister, Ravishankar Prasad’s answer on November 20th to a similar question.
- Question: Asaduddin Owasi and Syed Imtiaz Jaleel
Whether the Government has taken cognizance of the reports of alleged use and purchase of the Pegasus spyware by government agencies and if so, the details thereof along with the reaction of the government thereto;
Answer: Ravishankar Prasad, Minister IT:
Some statements have appeared, based on reports in media, regarding this. These attempts to malign the government of India for the reported breach are completely misleading. The government is committed to protect the fundamental rights of citizens, including the right to privacy. The government operates strictly as per provisions of law and laid down protocols. There are adequate provisions in the Information Technology (IT) Act, 2000 to deal with hacking, spyware etc.
In other words, not that these reports of the government buying and use of Pegasus are wrong, but misleading. Then it goes on to say what Kishan Reddy’s statement says, though in different words, that the government has powers under the IT Act to deal with hacking spyware etc., and operates as per law. To deal with spyware in Ravishankar Prasad’s language could very well include buying such spyware!
If this is not so, and if the government has nothing to hide, why were the BJP MPs in the Parliament’s standing committee on information technology, opposing taking up of this issue? The standing committee with 24 members attending split half-and-half, and it required a casting vote by Shashi Tharoor, the chairman of the committee, to resolve this issue in favour of taking it up. PDT Achary, the former secretary general of the Lok Sabha called this voting on what can or cannot be taken up as “unheard of”.
Ravishankar Prasad’s answer in Parliament quoted above also makes clear now that WhatsApp-Facebook had informed the government not once but twice this year—once in May and again in September 5—about the hacking of its software, and in its second report that at least 121 phones of its users had been hacked. The government’s response, if it was indeed innocent, should have been who are these 121 persons, reaching out to them for information and filing a First Information Report and opening criminal investigations. All this should have been done under the IT Act that Ravishankar Prasad quoted in his answer to Maran’s question. Instead, CERT-In, the IT Ministry’s arm that looks into IT security issues, asked WhatsApp some further useless questions.
The lack of any activity by the government to open investigations on this hacking, not even asking WhatsApp who are the 121, questioning if they are important functionaries of the government and an act of a hostile power, all goes to show that government was fully aware of the 121 persons whose phones had been hacked.
Reuters has reported (October 31, 2019) that Pegasus hacking tools have been used to spy on government officials in 20 countries. How was the government so sure that no phone of an Indian government official had been hacked?
In other words, the behaviour of the government in refusing to open any investigations, stonewalling the simple question whether any arm of the government had procured and used Pegasus, its opposition in the parliament’s standing committee on IT to take up this issue, all points to the conclusion that it was a government agency that had procured the Pegasus tools and used it against at least these 121 activists. How many more phones and devices have been hacked is an open question, as WhatsApp is only one of many applications that Pegasus can target. If Pegasus tools are indeed being used by a government department, then these 121 could very easily be the tip of the iceberg. And this could be the reason that government is hiding the truth of Pegasus.
The other issue which has yet to surface that even though WhatsApp has now closed this security hole it had of using a missed call, what about other security holes that still exist and other attack vectors that Pegasus is known to possess?
Let us take up first the security issues regarding the earlier WhatsApp hack, and the new one that has been now reported of using an “infected” video, opening of which leads to our phones getting hacked. Once the phone is infected, how can we clean the phone so that it is infection free and our communications are not compromised. The key issue is once an attack of the sophistication of Pegasus takes place, it is possible that it compromises the operating system of the phone. If that happens, a simple factory reset of the phone and loading the applications again, may not work. Net result is that this could be a permanent damage to our phones. If the government has wilfully damaged our smartphones and computer equipment, who pays for this damage?
The other question regarding such authorised hacking of our smartphones under Section 69 of the IT Act, is how does this section stand in relation to the right to privacy being declared a fundamental right by the Supreme Court? Can the government seize—such hacking is equivalent to a seizure—my phone in this way and without informing me?
One of the key problems of WhatsApp touting its end-to-end encryption is that it gives a false sense of security to its users. If the phone itself is infected, there is no need to break the encryption. Our phones have the de-encrypted messages anyway: both the sender’s and the receiver’s phones. This is the reason CIA and NSA in the US never spent much time on de-encrypting intercepted encrypted messages. Instead, it used backdoors that it helped create in collusion with software and equipment manufacturers so that it could hack into people’s communications.
The reality is that spook agencies do not target encrypted communications, it is much simpler for them to target the hardware and software security holes that exist. These holes are simply mistakes in programming or sloppy code, or worse, purposely created by the companies themselves for helping their home spook agencies, or for their spying on their users for commercial reasons.
While the spyware or malware created by some group of criminals and trading in the darknet, may cause damage, the much bigger damage is when major spy agencies like CIA-NSA (US), GCHQ (UK), Unit 8200 (Israel) are involved in creating spyware. As we now know, such “tools” also eventually enters the black or grey market.
In 2016, NSA’s hacking tools were dumped on the internet by a Shadow Brokers. This was followed by WikiLeaks Vault 7 documents in 2017 on CIA’s hacking capabilities. These are far more sophisticated and operate at levels that no group of criminals can reach. This is the threat in the digital century, where increasingly, all our communications are becoming digital.
This brings me to my last point. Pegasus is not a simple “security” company selling its spyware to commercial buyers. It is very much a part of the Israeli military industrial complex that in conjunction with NSA and CIA, its US allies, has created this whole box of tricks. Any country that buys or uses this software against its citizens, also provides a direct conduit to Israel and the US agencies for information; or in other words, it is simply not hacking the activists, but the IT infrastructure of countries. Using spyware from such companies, compromise far more than merely the security of the activists.