Privacy in peril

When phones are hacked using spyware nothing remains private, reports Tehelka Bureau

That privacy is at peril in cyberspace came into public domain from the disclosure that an Israeli group used spyware to snoop on human rights activists and journalists in India after the Facebook-owned platform WhatsApp filed a lawsuit in a US court. The Indian constitution guarantees a fundamental right to privacy and it was upheld by a nine judge constitutional bench of the Supreme Court after Mukul Rohatgi, the then Attorney General stated that there is no constitutionally guaranteed right to privacy.

In a shocking revelation WhatsApp has said that Indian journalists and human rights activists were among the 1,400 users globally whose phones were hacked using the spyware, Pegasus. WhatsApp is owned by popular social media engine Facebook. It has sued NSO Group, an Israeli surveillance company, saying it was behind the sophisticated cyber attacks affecting users between April and mid-May.

According to experts, the spyware Pegasus can infect a user’s device either by sending a clickable link, or by just calling the phone. Even if the call is unanswered, the phone device would be hacked. Pegasus is one of the most sophisticated mobile malware ever made which allows hackers to take control of a phone by simply ringing the number of a target’s device.

Once installed, it send the targeted user’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular apps to the party that has infested the device. The malware turns the hacked phone into a spy, its camera is activated automatically and entire activity is captured live as an audio and visual. The spyware can take full control of the devices, enabling snooping as well as injection of data that can incriminate the users.

Who hacked phones?

Who used the software to hack phones in India? It is a big question. And the answer lies with NSO which has said that “it sells its spyware exclusively to government customers”. The Congress said instead of digressing from the issue by asking WhatsApp to explain, the minister should identify who authorised the purchase of the surveillance software and which government agency deployed it.

Congress in a statement said “instead of digressing from the issue of illegal, unconstitutional and unauthorised surveillance of citizens of India by asking WhatsApp to explain”, the minister should identify who authorised the purchase of the surveillance software and which government agency deployed it. Reports of snooping gave fresh ammunition to the Opposition to target the Narendra Modi government.

“Modi Govt caught snooping! Appalling but not Surprising! After all, BJP Govt- 1 fought against our right to privacy. 2. Set up a multi-crore surveillance structure until stopped by SC. SC must take immediate cognizance and issue a notice to BJP government,” Congress’s chief spokesperson said in a tweet.

WhatsApp response

This was after WhatsApp said that journalists and human rights activists in India have been targets of surveillance. WhatsApp has filed a lawsuit in a California federal court against Israeli cyber intelligence company NSO Group that has denied the allegations. However, NSO Group has in the past said that it sells its software only to government authorities and that it always requests them not to misuse it.

How Pegasus operates

Reports suggest that about two dozen journalists, activists and lawyers in India had been targeted. Globally, 1,400 was the number of such users, also including diplomats, political dissidents as well as senior government officials. Pegasus could compromise the entire cell data, including that from Skype, Telegram, Viber, SMS, photo, emails, contacts, location, files, browsing the history, besides microphone and camera recordings. Pegasus could be installed using targets’ phone numbers. It can activate targets’ camera and mic to collect data. A person’s phone number is the only requirement to install it. The most common way is through SMS or flash SMS.

The Centre in a knee jerk reaction, asked WhatsApp to respond and tried to blunt its criticism by leveling allegations against the previous Congress government alleging that snoopgate in the past was its creation. The Centre tried to address the controversy but did not come to the main issue that the Israeli firm’s claim that it sells its Pegasus spyware only to government agencies. This points of suspicion towards the government as it is yet not clear which agency in India bought it? The only action taken by the government is seeking answers from WhatsApp, which has some 400 million active users. In a statement, Union Minister for Information Technology Ravi Shankar Prasad sought an explanation from WhatsApp over the breach. In a tweet the minister said that “We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.” “The government is concerned. We have asked WhatsApp to explain the breach and what it is doing to safeguard privacy of millions of Indians. The government is committed to protecting the privacy of all Indians,” said Ravi Shankar Prasad, Union IT Minister. “Government agencies have a well-established protocol for interception, which includes sanction and supervision from highly ranked officials of Central and state governments, for clearly stated reasons in national interest,” Ravi Shankar Prasad said.

The government has asked Facebook-owned WhatsApp to explain the nature of a snooping operation involving an Israeli spyware on Indian journalists, activists and academics, and the Union home ministry described as “misleading” attempts to malign the government. Union information technology minister Ravi Shankar Prasad said in a statement: “The Government of India is concerned at the breach of privacy of citizens of India on the messaging platform WhatsApp. We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.”

Counter charges

The minister also sought to remind the Opposition, which urged the Supreme Court to step in, of earlier cases of privacy breach under Congress rule. “Those trying to make political capital out of it need to be gently reminded about the bugging incident in the office of the then eminent finance minister Pranab Mukherjee during UPA regime. Also a gentle reminder of the spying over the then army chief Gen. V.K. Singh. These are instances of breach of privacy of highly reputed individuals, for personal whims and fancies of a family,” Prasad said.

In wake of the WhatsApp snooping controversy, the Ministry of Home Affairs (MHA said that there was no information on any order being given to purchase Israeli sypware ‘Pegasus’, adding that the government will take strict action against any intermediary responsible for breach of privacy of citizens.

Targets

According to reports, 10 Indian activists confirmed receiving messages from the Facebook-owned chatting app informing them about the alleged spying. Human rights activist Bela Bhatia and Nihal Singh Rathod -a lawyer involved with the Bhima Koregaon case — have confirmed receiving alert by WhatsApp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019.

The other eight are Shalini Gera of the Jagdalpur Legal Aid Group, Dalit rights activist Degree Prasad Chauhan, academic Anand Teltumbde, Shubhranshu Choudhary from Chhattisgarh, People’s Union for Democratic Rights member Ashish Gupta from Delhi, Delhi University assistant professor Saroj Giri, journalist Sidhant Sibal and freelance journalist Rajeev Sharma, reports said.

Activists, lawyers and academics are victims of the WhatsApp hacking. Some of them were working with the most marginalised communities of Adivasis (tribals) and Dalits. Jagdish Meshram, a lawyer from the Dalit community who worked with Gadling, and one of those contacted by WhatsApp, also reported getting video calls from anonymous numbers between March and April 2019. He was in Mumbai when his phone was hacked. Human rights advocate Bela Bhatia based of Chhattisgarh also received the video calls suggesting phone and all data hacking.

Reports suggest that about two dozen journalists, activists and lawyers in India had been targeted. Globally, 1,400 was the number of such users, also including diplomats, political dissidents as well as senior government officials. Pegasus could compromise the entire cell data, including that from Skype, Telegram, Viber, SMS, photo, emails, contacts, location, files, browsing the history, besides microphone and camera recordings.

Pegasus could be installed using targets’ phone numbers. It can activate targets’ camera and mic to collect data. A person’s phone number is the only requirement to install it. The most common way is through SMS or flash SMS. WhatsApp declined to name those who were targeted, but it said that they contacted each one of them and told them about the breach.

WhatsApp action

This was after WhatsApp said that journalists and human rights activists in India have been targets of surveillance. WhatsApp has filed a lawsuit in a California federal court against Israeli cyber intelligence company NSO Group that has denied the allegations.  However, NSO Group has in the past said that it sells its software only to government authorities and that it always requests them not to misuse it.

Chequered past of Pegasus

This is not the first time Pegasus has been in the news for being used as a tool by governments to snoop on dissidents and activists. Last year, a report hinted that Pegasus was used to do surveillance of Jamal Khashoggi, a Saudi journalist murdered in Turkey by Saudi government operatives.

According to Citizen’s Lab, a Canada-based organisation that conducts researches on cyber security, Pegasus and WhatsApp hacks were used in India by a group calling itself Ganges to target journalists and activists. According to Citizen’s Lab, Pegasus and WhatsApp hacks were used in India by a group calling itself Ganges to target journalists and activists.

In 2016, Citizen Lab had unearthed an attempt by the United Arab Emirates government to infect the phone of human rights activist Ahmed Mansoor through Pegasus. In 2018, two activist friends of the Saudi journalist and Washington Post columnist Jamal Khashoggi had their devices infected by the Pegasus spyware. According to an investigation by Forbes, Saudi officials were able to ferret out crucial information from the activists that would lead to the assassination of Khashoggi in the Saudi consulate in Istanbul. Last year, a report hinted that Pegasus was used to do surveillance of Jamal Khashoggi, a Saudi journalist murdered in Turkey by Saudi government operatives.

Can you avoid snooping by quitting WhatsApp?

The answer to this question is a big no. If you think that by uninstalling WhatsApp from your phone, your privacy or personal data is safe, you are wrong because the vulnerabilities are at the level of the operating systems. Of late, WhatsApp used by more than 1.5 billion people in more than 150 countries, has been under attack for Pegasus breach and the messaging app has sued Israel’s NSO Group in a US court for violating its terms and conditions. 

In the wake of Pegasus breach, tech-savvy people have been looking at other messaging apps like Signal or Telegram or other options on WhatsApp like Viber. Are they safe? In the case of WhatsApp, the Apps video calling feature allowed the spyware to snoop because of chinks in the operating systems. With WhatsApp officially confirming that its software was used to install spyware on phones, many users have deleted the WhatsApp.

Addictive users are joining messaging platform Rakuten Viber, which is also end-to-end encrypted. The platform claims a 30-35 per cent jump in installations recently.  Another messaging app that has caught the fancy of people is Viber, which was founded in Israel in 2010 as an alternative to Skype. Rakuten Viber claims over a billion users across the globe out of which about 50 million are in India itself.

Now there is another hacking coming on. If you have received an MP4 video on WhatsApp, you could be a victim of snooping because another malicious spywares has sneaked into your phone. The Parliament was rocked over the burning issue on November 19, 2019. However, the Indian Government was equivocal in its response when it was posed with a seven-part question on whether it used the malicious Israeli spyware Pegasus to tap citizens’ phones in the country. The written response was given by Minister of State for Home Affairs G Kishan Reddy to a question posed by DMK MP Dayanidhi Maran in Parliament on November 19, 2019. 

The government just said in a statement that Section 69 of the Information Technology Act, 2000, empowers the Central Government or a State Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence. 

The government also stated that multiple agencies could be authorized by a competent authority to intercept and decrypt in India — Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Cabinet Secretariat (RAW), Directorate of Signal Intelligence and Delhi’s Commissioner of Police. The answer does not explicitly touch upon the questions posed by the Member of Parliament pertaining to Pegasus at all.

Parliamentary panel on IT expresses ‘grave concern’

The Standing Committee on Information Technology issued a circular to its members on November 5, 2019 seeking their comments on a statement issued by Chairman of the Committee, Dr Shashi Tharoor. The statement says that government “demanding explanations from WhatsApp, which considers itself a victim of the hack, and not from NSO, which appears to be the perpetrator, seems to serve little purpose”. While seeking comments of the members, it says that the committee will be deliberating on this matter at their next sitting on November 20, 2019 while taking up the subject  ‘Citizen Data Security and Privacy’.

The statement says that “as Chairman of the Parliamentary Standing Committee on Information Technology, I have received a number of requests for comments on the recent disclosure of “snooping” on Indian citizens using WhatsApp, through a software installed by an Israeli firm, the NSO Group. The media has released several names of Indian citizens who appear to have victims of this. It also seems that the list released through media is not complete and that the interceptions may be larger in number”.

Recent press reports claim that a software known as Pegasus was used on a number of Indian citizens. Those reports also state that WhatsApp has contacted a number of activists and lawyers (who they believe were not on any known criminal or national security threat list) who were victims of data interception. Pegasus relied on a vulnerability in the video calling mechanism of WhatsApp to gain access to a user’s device. The Government of India has announced that it has demanded an explanation from WhatsApp, which itself has taken legal action against the NSO Group.

The statement adds that “there is no indication that the Government has written or complained to the NSO Group about its action in installing the hack required to intercept communications. This is all the more curious, since reports suggest that the NSO Group only provided this technology to governmental bodies and not to private citizens. Demanding explanations from WhatsApp, which considers itself a victim of the hack, and not from NSO, which appears to be the perpetrator, seems to serve little purpose”.

While expressing concern over the action by the government, the statement observes that “before passing any judgment, we must ascertain the veracity of the information reported in the media. These reports, and the alleged use of the technology,area matter of grave concern”.

Therefore, the Standing Committee will consider this matter at its next meeting, scheduled on November 20th. If these allegations are true, it is extremely important to confirm whether the use of such data interception technology happened lawfully at the behest of the Indian Government and following due process of law.

The statement issued by the Chairman Standing Committee on Information Technology says that “it is equally important to ensure that it did not happen by (i) foreign entities (whether governmental or otherwise); (ii) domestic entities (illegally or unlawfully); (iii) miscreants who may have misused such technology acquired by the Government. As elected representatives, it is our responsibility to ensure that these principles are upheld in the actions of the executive. We must use this opportunity to also deliberate on the rules around interception, monitoring and decryption of information. As a democratic republic, we must ensure adequate safeguards to prevent any misuse of the executive’s powers in an unauthorized manner or for extraneous purposes”.

The Supreme Court of India has clearly recognized the fundamental right to privacy, and the need to analyze the legality, legitimacy, necessity and proportionality of any action that infringes on this right. The statement concludes that “in the Standing Committee of Information Technology, members from both the ruling party and the opposition must work together to safeguard the fundamental rights of our citizens”.