TECH
01/11/2019 11:03 AM IST | Updated 01/11/2019 5:12 PM IST

Indian Govt. A Likely Culprit in WhatsApp Snooping Scandal, Pegasus Documents Show

Court documents submitted by Facebook indicate the Pegasus software, developed by the NSO Group, could only be sold with the approval of Israel’s Ministry of Defence, and required significant local infrastructure and support.

Anushree Fadnavis / Reuters
WhatsApp representational image.

NEW DELHI — On October 30 2019, Facebook confirmed that Pegasus, a sophisticated snooping software developed by Israel’s NSO group, was used to target Indian lawyers, and Dalit and Adivasi rights activists. Facebook is suing NSO for hacking into WhatsApp to infect phones with Pegasus.

To be sure, NSO has refused to name its clients. Yet, among the documents filed by Facebook in a California court is a signed contract with Ghana’s National Communications Authority that states the software could be deployed only with written sanction from Israel’s Ministry of Defence. The NSO group has long maintained it sells its software exclusively to governments.

Further, the system requires an estimated 4 weeks of testing on local networks — suggesting the company would need ready and prolonged access to local mobile and internet networks to work properly.

This suggests two troubling scenarios: The first is that the Indian government is the culprit behind the snooping in India. On October 31, HuffPost India revealed that the software — which lets a trained operator hijack the microphone, camera and GPS tracker of a targeted phone, read all messages, and snoop on all calls — had been deployed to snoop on activists, lawyers and public intellectuals involved in the Bhima-Koregaon case.

The second equally troubling scenario is that a group of Indian lawyers, activists and intellectuals were spied on by a foreign government, with the knowledge and sanction of Israel’s defence ministry, and with ready and prolonged access to Indian mobile networks.

For the latest news and more, follow HuffPost India on TwitterFacebook, and subscribe to our newsletter.

“This kind of spyware or malware which the Israeli government uses can only be used by governments,” said Prashant Bhushan, a lawyer at the Indian Supreme Court, adding that this was clearly something that the Indian government wanted to do. 

“It’s totally illegal. It’s a gross violation of the right to privacy of the people,” Bhushan told HuffPost India.

The Indian government has neither confirmed nor denied its purchase and use of Pegasus. In a statement posted on Twitter Union Minister for Law & Justice, Communications, Electronics & Information Technology Ravi Shankar Prasad simply said that his government had a “well established protocol” for snooping on citizens.

“Israel doesn’t address questions regarding specific export control licenses,” a spokesperson for the Israeli Embassy in New Delhi told HuffPost India. ”The Israeli export control system includes a robust licensing process, which operates in accordance international export control standards and principles.”

The Ghana contract

In December 2015, the documents show, Infralocks Development Ltd, a Ghanain subsidiary of Israel’s NSO group, signed an agreement to sell the Pegasus software to Ghana’s National Communications Authority for a fee of $8 million, along with a service contract worth $1.76 million a year.

The provisions listed in the contract could only be fulfilled by a nation state, or a non-state actor with close ties to the Israeli government.

The company also demanded an “untraceable payment method” comprising of a credit card with a $4000 balance linked to a passport, a prepaid untraceable SIM card, and a utility bill with an address linked to the passport.

As a precondition to the sale, Ghana’s National Communication Authority had to provide a certificate of approval from Israel’s Ministry of Defence. 

“For the avoidance of any doubt, no products, licenses, equipment or services shall be provided by the Company under this Agreement until the certificate is delivered to the System Provider and the Approval is obtained,” the contract stated. If the Israeli government denied approval, the contract states, “the Company shall have the right to terminate this agreement”.

NSO said it would provide a two week training course, and a one-week on-site handover. But first, the Ghanain government had to provide an office with a dedicated server room, a 1000 sq foot operator room, and postpaid SIM cards that were mandatorily untraceable to either NSO or the Ghanian authorities. These provisions are also mentioned in the NSO user guide.

The company also demanded an “untraceable payment method” comprising of a credit card with a $4000 balance linked to a passport, a prepaid untraceable SIM card, and a utility bill with an address linked to the passport.  “The passport, credit card and utility bill should not be linked to the organisation,” the contract stated.

Deploying on local infrastructure

An NSO user guide, also included in Facebook’s suit, suggests that installing Pegasus is a labourious, expensive and time-consuming process.

The Pegasus deployment plan described  in the user guide states the entire process can take up to 15 weeks including installation, testing and deployment. In the first phase, spanning seven weeks, four of these weeks are spent on “Local Network Adjustments”.  To quote from the guide, “When required, the Pegasus system is integrated with local infrastructures and systems.”

This suggests that NSO technicians would need to spend a significant amount in India to get the system to a point where it could reliably break into phones on Indian mobile networks.

Those targeted by Pegasus said they felt frightened and violated when they learnt their phones had been compromised. 

“This is really frightening,” said Shalini Gera, a lawyer who works with victims of state-sponsored violence in Central India. “My phone was completely vulnerable. They could switch on the microphone and camera at will.”

Gera, who is also the Chhattisgarh Secretary of the People’s Union for Civil Liberties, declined to be drawn into who she felt was behind this. 

“But for context, our former Secretary — Sudha Bharadwaj was jailed last year,” Gera said, referring to the Bhima-Koregaon case, in which nine lawyers and rights activists have been jailed by the Pune police. “If they have access to our phones and computers, can they also plant evidence? After all, digital evidence from phones and computers is the only thing keeping nine vibrant activists in jail.”

(With inputs from Akshay Deshmane)

This story was updated on Nov 1 2019 to include a comment from the Israeli Embassy in New Delhi.