Why in the news?
More than 50,000 phone numbers were attacked by spyware manufactured by NSO group which is an Israeli based surveillance company, according to the Pegasus Project, an international media consortium investigation. Paris-based media like Amnesty International and Forbidden Stories were part of this consortium.
The Security lab of Amnesty International inspected in toto 67 suspected smartphones. Out of these, 23 were found to be successfully infected whereas 14 revealed the attempts of penetration. And for the rest 30, the results were inconclusive due to varying reasons.
There were 300 verified phone numbers in India on the list, including that of ministers, opposition leaders, journalists, sitting judges, businesspeople, and activists.
Other prestigious newspapers and media houses like Washington Post and 16 others claim that according to the investigation, smartphones were hacked to gather sensitive and confidential information.
The developers of the software actually licensed it to the governments for tracking criminals and terrorists.
This is not the first time when such a mishap is occurring. In the year 2019 too, there was chaos all over India and many other countries when the renowned texting and calling app, WhatsApp confirmed the attack of spyware on a few of its users. It was done through its video calling feature.
The list was comprised of various scholars, journalists, and activists. State agencies were the prime suspects of the involvement in such a breach. It was observed that the software was capable of performing surveillance on 3 levels:
- Passive Monitoring
- Initial Data Extraction
- Active Collection
It intruded smartphones using Android, BlackBerry, and iOS operating systems. Without going into too many technicalities, it can be said that it did a perfect job at spying by not leaving any traces. It was designed in a way that it used minimal battery and data and had a self-destruct button usable at any time.
Coming back to 2021, where the country is still fighting with corona, unemployment and inflation, this new allegation has disrupted the peace of the citizens all over again. If the report is true then no one is safe in this country anymore.
Although it is not out yet that from where did this new list came from, who bought the software and what is the exact number of phones being compromised, people are anxious for their right to privacy.
It is being said the software is being used for smashing dissent or against the so-called enemies of the ruling party. The people whose privacy has been breached are the ones who are not supporters of the BJP.
The developer has denied any involvement in the same just like they did in 2019, claiming that the allegations put forward lacks any factual basis and are really far from reality.
It claims that the software is intended to be used against terrorists and criminals and is provided exclusively to law enforcement or intelligence agencies, military or governments of countries that have good human rights track records.
According to BBC, a spokesperson of the firm says that the firm will investigate the credible claims thoroughly and take justified actions based on the outcome of the same
It is a flagship Spyware of the Israel-based NSO Group, which describes itself as the world leader in precision cyber intelligence solutions for the sole use of Vetted-and-approved, state-administered intelligence and law enforcement agencies.
Pegasus is apparently one of the most powerful spyware that has ever been created. It is designed for the infiltration of smartphones and turning them into surveillance devices.
It is reported that the company has 60 Government Customers in 40 Countries and offices in Bulgaria and Cyprus while it is majority-owned by Novalgina capital, a London- based private equity firm.
Between the years 2016 to 2021, the spyware has upgraded itself and has evolved to become much more powerful and an instant attacker. It can now execute a Zero-click attack, which means that it can infiltrate a phone with practically no action from the target.
Suppose, if a person gets a WhatsApp call, the software will be downloaded on the target’s phone even if they do not pick the call. Technically, it can be injected into the target phone just by calling on its number.
It can use the phone’s microphone to record calls and other conversations, secretly film the target with its camera, or track the location with GPS.
Not just android, but even iOS can be attacked by it. Even iOS, which is renowned for its safety features is not spared. It is installed illicitly to the target’s phone, then Pegasus will take the credentials from the phone after commencing the WhatsApp call and the credentials will be sent to the server.
Thereafter, the server retrieves the data from the target’s cloud and information like messages, phone calls and other personal data can be easily retrieved. That is how easy it is for the spyware to get the hoard of information.
Indian population falling prey to such firms puts the future of the whole country at risk. It is quintessential that the government take appropriate steps to safeguard the personal information of its citizens and that too very soon since we have a majorly digital-oriented and exceptionally large population.
Breach of Right to Privacy:
The Software ridiculously breaches the right to privacy of a person which is an overly critical ingredient of his/her life and is granted to them as a right by our very Constitution.
The Supreme Court described privacy and its importance in the incredibly famous right to privacy case, K.S Puttaswamy Vs. Union of India (2017). It is a fundamental and inalienable right and it is attached to the person for all the information about him/her and the choices that he/she makes.
It is protected as an intrinsic part of the right to life and personal liberty under Art -21, and as a part of the freedoms guaranteed by part III of the Constitution.
There are certain initiatives taken by the Indian Government to make sure that the right to privacy is safeguarded like:
- Draft personal Data protection Bill 2019: This talks about the processing of the individual data whatever data is been generated by an individual it should be processed only after the consent of an individual.
- Information Technology Act, 2000: it provides certain safeguards with respect to the usage of a computer system and safeguarding the confidential information inside the computers and also has certain penalties.
Only making laws cannot ensure that the privacy of the individuals is protected. I am not even talking about Pegasus. The privacy of any given individual is being exploited every day in our country. The source is obviously the smartphones.
The Google Play Store and the Apple App Store have thousands of Apps with undiscovered vulnerabilities that could potentially be exploited by firms such as NSO (there are many similar institutions) to target individual users.
In June 2020, the Government of India banned approximately 60 Chinese apps to ensure that the privacy of an individual especially concerning national integrity, sovereignty and security is safeguarded.
We have extremely poor legal machinery for dealing with cases of breach of data. Not just this, the lack of awareness and specialists in digital security makes it even more vulnerable. Terrorists and other anti-social elements have started using cyberspace which provides them with more getaways.
What Centre has to say?
The Centre disapproves of all the allegations of surveillance by the government on the targeted category of people. It says the people alleging has no proof or any factual basis and all of this is being done just to distort the image of the government and India on the International level.
In India, there is a well-established system for legitimate electronic communication and interception by agencies at both state and central levels with the aim of national security, specifically in the event of public interest, public safety, and public emergency.
Requests for legitimate communication, interception or surveillance can be done following the applicable requirements outlined in section 5(2) of the Indian Telegraph Act of 1885 and section 69 of the Information Technology (Amendment) Act, 2000.
The relevant authority, namely the Union Home Secretary must authorize each case of monitoring, decryption, or interception. According to the IT (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, these capabilities are also available to the responsible authority in state governments.
A review committee, chaired by the Union Cabinet Secretary, has been constituted as an oversight tool. Such instances are assessed by a committee chaired by the Chief Secretary in the case of state administrations.
Supreme Court once said in a case, “You may be two or three trillion-dollar company, but people’s privacy is more valuable.” This same privacy is being violated repeatedly and is resulting in the fading trust of the citizens. People are feeling unsafe in their own nation.
The instances of surveillance clearly point out either illegitimacy or recklessness of the government.
Illegitimacy, in case, that they are the ones who used this software for intrusion. If the government is indeed pretending to know nothing about such massive scale hacks, it is failing miserably at governing a democratic nation.
And recklessness in case all of this is happening under the nose of the clueless and helpless government.
Talking about solutions, the most effective would be that government ensures the prohibition of such software in the country. But since that is not in our hands, let us talk a bit practically.
What one can do is, staying updated with each update of the operating system and security patch of one’s phone released by the manufacturer. It can significantly cut down the risk of infection. Funny, how we are more scared of this infection than the coronavirus itself.
Anyway, another one could be, if the person is rich and have a lot of money, to frequently change the phone. This can help as the spyware infects the hardware; therefore, the attacker will have to infect the new device every time the phone is changed.
These are not at all permanent solutions, the only one being an honest and responsible government that take steps to end these types of intrusions than denying them.