AS many as 1,400 smartphones worldwide – including 140 of Indians – have been hacked. This hack used Pegasus, the software tools from the notorious hacker-for-hire Israeli company NSO or Q Cyber Technologies. The fundamental question for us, is who-dun-it? The simple question that the government refuses to answer.
This is what political parties and others are asking: was it a government agency that bought the hacking tools from the Israeli company? And used it against its own citizens? Are we, as Justice Srikrishna said, becoming an Orwellian surveillance state? Justice Srikrishna headed the committee that gave detailed recommendations on framing a data and privacy protection law. Though its recommendations were submitted in 2018, the government has been dragging its feet over such a law protecting the privacy of its citizens.
If we listen to Ravi Shankar Prasad, the IT minister, it is either the fault of the Congress, who used to bug their opponents phones; or Facebook’s: he has asked WhatsApp to “explain” the hacks. In other words, deflect from the simple and straight forward question, did any central government agency buy or license Pegasus from the Israeli company?
Under the rules of the IT Act, ten central government agencies were notified in 2018, who have powers of interception. The home ministry’s denial on an RTI on whether Pegasus was procured by the government, was limited only to agencies under the home ministry. What about agencies such as NTRO, RAW and CBI, which are not under the home ministry? Why has the voluble Ravi Shankar Prasad, otherwise offering his opinion on everything under the sun, been so coy about providing a straight answer to this question?
The CPI(M) in a press statement raised questions, “The government needs to answer whether any of its agencies were involved in the use of this hacking software, particularly since most of the persons affected were targeted by the government in May last year. Under law, hacking peoples phones would constitute a cyber crime. If the government is not involved in the Pegasus software as it claims, why has it not filed an FIR and started criminal investigations?”
NSO, the Israeli company has claimed that they supply such software only to government agencies. If indeed the Indian government agencies are not involved, then the hacking of peoples smartphones constitute a criminal offence. Why has the government, specifically the IT ministry not filed an FIR and started criminal investigations on this? Blaming the Congress for previous misdeeds including the Emergency, does not absolve this government from performing its constitutional duties. Or is it the IT minister’s kindergarten alibi that “they did first”?
NSO has been notorious for supplying its hacking tools to governments and various spy agencies. Among its buyers have been Saudi Arabia and United Arab Emirates, who have used these tools to hack into their critics phones and computers. It was widely reported that Jamal Khashoggi’s iPhone was hacked by Saudi intelligence agencies using Pegasus, prior to his killing in Saudi’s Istanbul consulate.
The only legal step that has been taken in this hacking is Facebook, the owner of WhatsApp platform, filing a civil suit for damages against two Israeli entities, NSO and Q Cyber Technologies, in a Federal Court in San Francisco, US.
What is Pegasus “software” and how does it affect the smartphone users, particularly WhatsApp users? The Israeli company supplies hacking tools for various kinds of devices including Android based smartphones or iPhones, who between them have a near 100 per cent monopoly (or duopoly) over all smartphones. For WhatsApp, which has been widely publicising its 100 per cent end-to-end encryption, it is particularly embarrassing, as it has neglected to tell its users that such encryption does not help if the users’ phones are hacked; such information is available in unencrypted form on the users’ phones. To compound their embarrassment, the Pegasus hacking software used a security hole in the WhatsApp software.
The current security hole has been patched by WhatsApp. But this was only one such hole. There are many others which are not even known. These are called zero-day exploits – meaning that they are unknown to the supplier of such software – and are sold by criminals on the Dark Net. Even companies pay big money to hackers to learn about their security holes, quite often buying such information from the same Dark Net that criminals use.
If this buying and selling of such software are limited to only criminals or companies intent on patching their systems against vulnerabilities, the problems would have been far less than what we face today. This has been made far worse due to government’s intelligence agencies entry into this business. They bring in big bucks, large teams and tap into the leading research institutions in the name of national security.
While the US and the western media has been talking about Russia and China, they are largely silent on Israeli agencies and of course US agencies NSA-CIA, and UK’s GCHQ. These three sets of intelligence agencies have developed the most extensive suit of software tools or attack tools for penetrating computers, smartphones, the switches and routers that are a part of the telecom infrastructure of every country and even in our homes.
In this sense, hacking tools and cyber weapons are not significantly different, only their purpose is different. If anybody hacks into a computer or a phone, the hacker – and not the consumer – effectively owns the phone as they can control what the device does.
In the US, its domestic laws, permissive as they are under their so-called global war on terror, still has a modicum of protection on domestic surveillance; even under the FISA courts’ very wide latitude given to the security agencies. We know from Snowden and WikiLeaks revelations that the US had penetrated the telecom infrastructure of every country, and had backdoors to US manufactured equipment and software platform for installing its spyware.
The Israeli agencies worked closely with the US agencies. The US could not sell such software or equipment to “friendly” monarchies and fascist rulers as it comes under export control rules. In US, these software are recognised as weapons, and their exports are strictly controlled. No such controls exist for the Israelis, who use a number of companies that are very closely tied to the Israeli military and its spy agencies. NSO and other such companies are essentially the US-Israeli arm of supplying such software tools to other spy agencies of “friendly” governments.
Such sale of software tools to the government of other countries also provide the US and Israel additional intelligence feeds. The countries including India may feel that they have “bought” this software, but all such software operates based on “servers” set up by such companies, which again are linked to Israel. All this information goes back to Israel and the US spy agencies. When governments buy such software from foreign sources, they in effect, are partnering foreign agencies to spy on their own citizens; or help foreign powers shape the domestic narrative. If NTRO or RAW have indeed bought Pegasus, the narrative that such hacking can produce, can be easily manipulated by Israeli or US spy agencies. This is the risk of “outsourcing” intelligence operations and tools.
According to a Reuters report on the victims of the WhatsApp Pegasus breach, … “a ‘significant’ portion of the known victims are high-profile government and military officials spread across at least 20 countries on five continents. If the NSO’s claims of selling only to governments are correct, either the Pegasus spyware was used by governments to hack each other, or they were victims of Israeli spying. To compound the danger, the NSA’s and CIA’s spyware tools were dumped by hackers on the net in 2017 and are available to criminals. This shows how dangerous such software is for everybody, not just activists.
What make such tools particularly dangerous is that they are not the work of a few hackers but have the resources of a state behind them. These are not hacking tools but cyber weapons. This is why the governments need to sign a moratorium on developing and deploying such weapons, the same as we have on chemical and biological weapons.