Pegasus Spyware- A threat to privacy and cyber security

Reading time : 6 minutes

Table of Contents

  1. Introduction
  2. What is Pegasus spyware?
  3. Recent controversy of Pegasus in India
  4. Indian legal provisions for Surveillance
  5. Some eminent case laws
  6. A Major concern for privacy
  7. Conclusion

Introduction

The Pre-Budget session was marked by the protest of the Member of opposition parties and the opposition parties outside the Indian Parliament. A New York times article published on 28th of January brought shocking revelations about the Indian Government’s use of the Pegasus spyware. This made all the opposition parties align together and protest against the government. This article defines and describes all about the Pegasus spyware controversy from recent to past, How it works and from what it is comprised of all the past- instances of it. The most used term Spy-Tech Zero-Click technology which is used in many cyber frauds and it is a most discussed thing nowadays. It’s technique of hacking the phone by just giving a Whatsapp missed call made it one of the most dangerous cyber weopon. Legal provisons such as The Telegraph act,1885 and IT Act, 2000 are some of the laws that deals with the cybercrimes. In this research article, the author will discuss about the Pegasus spyware, legal provisions related with cybercrimes and eminent case laws related with it and How Pegasus is a major concern for the democracy as well as the individual. 

What is Pegasus spyware?

Pegasus is a spyware programme created by NSO Group, an Israeli firm that specializes in so-called “cyber weapons.” It originally made headlines in 2016, when an Arab activist became suspicious after receiving a threatening message. Pegasus was thought to be targeting iPhone users. Apple published an updated version of iOS, a few days after it was discovered, apparently patching the security flaw that Pegasus was exploiting to hack phones.

Pegasus, however, was discovered to be similarily capable of infecting Android Phones a year later by security researchers. More information and security fixes trickled in. After that, in 2019, Facebook sued NSO Group for investing Pegasus. Pegasus was being pursued by Facebook security experts across their networks, and they discovered that the malware was causing problems. The security researchers at facebook were chasing Pegasus across their systems, and they found that the software was used to infect several journalists and activists in India. This Pegasus spyware is not a new concern for privacy and cyber security from 2019 to 2021 the spyware has been called “the most sophisticated” phone hacking tool ever and because it has been used so frequently that we are still hearing stoies about its victim. It is worth noting that NSO Group has confirmed the existence of Pegasus. However, the Israeli company has also said that it sells the tools only to governments and that it is not responsible for its misuse.

How does Pegasus spyware work?

Pegasus takes advantage of Android and iOS flaws that have yet to be disclosed. This means that even if a phone has the most recent security patch installed, it could be infected. A previous version of the malware, which was released in 2016, targeted devices using a tactic known as “spear-fishing,” which involved sending text messages or emails to the target that contained a dangerous link. It was predicated on the target clicking the link—a requirement that was removed in later versions. Pegasus could penetrate a device with a missed WhatsApp call in 2019 and even wipe the record of the missed call, making it hard for the user to realize they were being tracked. Pegasus used a weakness in WhatsApp’s code to infect over 1,400 Android phones and iPhones, including those of government officials, journalists, and human rights activists, according to WhatsApp in May of that year. It quickly fixed the problem. Pegasus also takes use of flaws in iMessage, providing it backdoor access. 

What can Pegasus do?

Pegasus can intercept and steal almost any information on a phone after it is installed, including SMS-es, emails, contacts, call history, calendars, emails, and browsing histories. It can record calls and other conversations using your phone’s microphone, can record your video with the help of camera, and follow you using your GPS.

What does Pegasus comprises of?

Pegasus connects to the attacker’s Command and Control (C&C) servers after installation to receive and execute instructions and transmit back the target’s personal information. Passwords, contact lists, text messages, and live phone calls are all examples of this type of information (even those via end-to-end-encrypted messaging apps). The attacker can control the phone’s camera and microphone, and use the GPS function to track a target. Pegasus only transmits scheduled updates to a C&C server to avoid consuming a lot of bandwidth and alerting a target. The spyware can elude forensic investigation and anti-virus programme detection. When and if necessary, the attacker can also uninstall and deactivate the spyware.

Past Instances of Pegasus Spyware

Pegasus was first discovered on the Smartphone of human rights activist cum promoter Ahmed Mansoor in 2016 by researchers from the Canadian cyber security organisation The Citizen Lab. In September 2018, Pegasus is being used in 45 nations, according to a research published by Citizen Lab. India was featured in the list, as was the case with the most recent revelations. In October 2019, WhatsApp revealed that Pegasus operators were spying on journalists and human rights activists in India. In July 2021,Various nations utilised the software to spy on government officials, opposition politicians, journalists, activists, and others, according to the Pegasus Project, an international investigative journalism endeavour. Between 2017 and 2019, the Indian government allegedly utilised it to eavesdrop on about 300 people, according to the report. According to a report released in 2020, government officials used Pegasus to infiltrate the phones of Al Jazeera and Al Araby workers.

Spy-Tech and Zero-Click

NSO began developing Pegasus as a surveillance option for intelligence agencies and law enforcement organisations. The story they created was that it would be used by government agencies to combat terrorism, drug trafficking, and other crimes. But its first known state client, Mexico, went above and beyond the script, arming itself with cyber-espionage capabilities to combat drug trafficking. Between 2016 and 2017, Mexican agents targeted more than 15,000 phone numbers, according to Forbidden Stories. Those who were close to then-candidate Andres Manuel Lopez Obrador, now President of Mexico, as well as journalists, dissidents, their coworkers, and family members, were among them.

This propelled NSO Group to the forefront of the spy-tech sector, displacing heavyweights like European firms Hacking Team and Fin Fisher.

Pegasus has been using attack vectors like malicious URLs in e-mails and SMS till then. When the link was clicked, the malware was installed, allowing the hacker complete control of the device without the target’s awareness. It then advanced to zero-click infections. End-user intervention is not required for such viruses, which are utilised in WhatsApp and iMessage hacks. A missed call on WhatsApp’s voice call feature inserted a malicious code onto the smartphone. With iMessage, a brief message preview sufficed.

Recent Controversy of Pegasus in India

A New York times article published on 28th of January brought shocking revelations about the Indian Government’s use of the Pegasus spyware. The article exposed the sale of Pegasus to the Indian Government in 2017 as a part of a $2 Billion arms deal in order to carry out targeted surveillance on citizens, claiming that the high-level visits by Prime-Minister Narendra Modi and Former Israel Prime minister Benjamin Netanyahu and even an U.N. vote on a Palestinian organisation was part of a larger backroom deal. The revelations that come from that article of NYT provided fresh ammunition to the opposition parties to corner the government on the issue. NYT’s reporters named several countries including India, UAE, Hungary, Poland and Mexico on the list of those who had purchased the spying software, and said that they had not just strengthened ties with the Netanyahu government, but had shifted on support to Palestine and muted opposition to Israel at the United Nations. In June 2019, India voted in support of Israel at the U.N’s Economic and Social Council to deny observer status to a Palestinian human rights organization. According to the report of the wire over 300 Indian phone numbers were found on the list of project Pegasus which includes ministers, members of oppositions, journalists, judicial members etc. Name of few potential targets from India were; Rahul Gandhi along with his 5 close associates, Prashant Kishore, Abhishek Banerjee nephew of Mamta Banerjee, Prahlad singh Patel (Current minister of state for jal Shakti), Praveen Togadia, Former CJI Ranjan Gogoi and many others except them phone number of 40 journalists were also mentioned in the list. The opposition parties attacked the government, accusing it of ‘misleading’ parliament and the Supreme court. The Congress party said the alleged use of spyware on opposition leaders, Supreme Court judges, Journalists and activists was an “act of treason”. The investigation over whether the Modi Government bought the Pegasus spyware, and used it to hack the phones of a number of citizens not wanted in any criminal cases and carryout illegal surveillance on them is  with the Supreme Court, which appointed a special Committee headed by Justice (Retd) RT Raveendran on October 27, and scheduled another hearing “after eight weeks”, which  has not been listed at present. Due to the article published in NYT, Mallikarjun Kharge, leader of opposition in Rajya Sabha, said, “Parliament was deceived by the Modi government. It is clear that the supreme court was also duped by the Modi government. It is also clear that the people of India were lied to by the Modi government and its ministers.” The clash of against ideas paved the way for forming an anti-government and strengthen the opposition more as it was from farmer laws or the lakhimpuri accident against the minister’s son and forming a more stable anti-government alliance. In a tweet from its official account Trinamool Congress called the Pegasus Report proof of “State sponsored Surveilance” that “blantantly abused the rights of Indians.” The Pegasus controversy catalysed the chaos and agitation against the government and made a stronger argument for the opposition to protest and question the government in its role. This agitation against the government would harm them in their upcoming elections in five states including Uttar Pradesh which is the most significant state in Upcoming lok sabha elections in 2024.

Indian legal provisions for Surveillance

The law of observation in India is beginning when it concerns progressed reconnaissance innovations like Pegasus. In any case, the current legitimate system gives a few shields to the elemental right to protection, permitting proportionate criticism as it were in national, not in private, intrigued. This piece contends that the national security vindication is infructuous within the Pegasus outrage. The government ought to follow to worldwide majority rule standards administering observation innovation.

The laws authorizing interception and monitoring of communications are:

  1. Section 5 (2) of the Indian Telegraph Act, 1885
  2. Section 69 of the IT Act, 2000
  3. IT Rules
  4. Section 5(2) of the Indian Telegraph act, 1885: This act deals with the interception of phone calls. Section 5(2) of this act provides the provision that mentions certain situations under which the central & state government can conduct the surveillance i.e., in case of ‘Public Emergency’or in the interest of ‘Public Safety’. But there are certain grounds available for such surveillance which can be also considered as the reasonable restriction;
  5. When there is threat to the sovereignty and integrity of the India
  6. For the Security of the state
  7. For the friendly relationship with foreign states
  8. If there is a threat on law and orders or in the interest of public order
  9. For immediate incitement of the commission of an offence.

On these grounds and conditions the Indian government is allowed to caught portable phones. In spite of the fact that the act has moreover given certain shields arrangements with regard to securing the basic rights to free discourse for each writer.

  • Section 69 of the IT Act, 2000: This act bargains with the observation of all sorts of electronic communication. Sec 69 of the act gives the arrangements within the favour of Indian government with regard to any electronic observation within the nation. It states almost the interferences, checking of computerized data for the reason of examination of an offense. These arrangements don’t say any grounds related to open security or crisis. Section 69 of the IT Act, 2000 enables competent specialists, with reasons for capture attempts recorded, to put an capture attempts gadget, given, “it is fundamental or practical so to do within the interface of the sway and astuteness of India, the security of the State, neighbourly relations with outside states or open arrange or for anticipating prompting to the commission of an offence”. In any case, Section 69 does not approve any office to introduce spyware to hack a versatile gadget for this. In reality, Section 66, perused with Section 43 of the IT Act, 2000, criminalises the hacking of a gadget.
  • IT Rules: The government re-examined the IT Rules in December 2018 on the affection of moving forward straightforwardness and responsibility and handling wrongdoing and fear based oppression. Through a Statutory Arrange, the government assigned 10 central offices as “security and insights agencies” and approved them to captured, screen and decode “any data produced, transmitted, gotten or put away in any computer”. The State draw rules to choose how a particular arrangement within the essential statute will be worked. These rules ended up the appointed enactment made by the State. The government utilized this inborn control to change the IT Rules, 2009; downsized the shields for individual’s protection; made all-encompassing definitions approving the utilize of hacking apparatuses like Pegasus and gave cover reconnaissance powers to organizations that are not indeed capable for national security, e.g., the Delhi Police and the Directorate of Income Insights. These offices presently collect information without administrative or legal oversight beneath the powers conferred in Segment 69 (1) of the IT Act, 2000, perused with Run the show 4 of the IT Rules, 2009.

The government changed the reason and objective of the law within the statute book and the setting in which it is actualized and presently utilizing these changed rules as a lawful reinforcement for reconnaissance of citizens through hacking devices like Pegasus.

 Some Eminent Case laws

The Indian Courts Interpreted the above mentioned laws several times. We would study some case laws related to the legal provisions mentioned earlier. These are some cases as follows:

  1. People’s Union for Civil liberty vs Union of India: In this case the arrangements of Telegraph Act, 1885 were challenged, and the Supreme Court had expressed the significance of the proper to individual’s personal security. It was held in this case that government observation can undermine the security of an person . This case advance announced the proper to protection as a principal right. Further, within the year 2007 the Run the show 491 had been included within the Telegraph Rules which states that any order related to the interferences of any portable phone ought to come from the Domestic Secretary conjointly specify the foundation of a audit committee to audit an arrange issued by the domestic secretary.
  2. K.S Puttaswamy vs Union of India: On August 23rd 2017, the Supreme Court unanimously recognised privacy as a fundamental right guaranteed by the Constitution:

In 2012, Justice K S Puttaswamy, a retired judge of the High Court, filed a writ petition in the Supreme Court challenging the constitutional validity of the Aadhaar scheme introduced by the UPA Government. On August 11th 2015, a Bench comprising of three judges to decide the matter of fundamental right to privacy. This matter was first placed before a Five Judge Bench headed by then CJI Khehar. Subsequently, the matter was referred to a nine Judge Bench on July 19th 2017 and concluded on August 2nd 2017. In a historic decision delivered on August 24th 2017, the bench unanimously recognised a fundamental right to privacy of every individual guaranteed by the Constitution, within the Article 21 in particular and part 3 on the whole. Since the 2017 judgement, the fundamental right to privacy has been cited as precedent in various landmark judgements.

A  Major Concern for Privacy

After knowing all about the Pegasus spyware, How it is comprised, What is the legal basis of it and the controversies from past to the most latest one now we will know how it affects individuals privacy and the grounds on which the restrictions of government should be laid. Before knowing about How does Pegasus threats to the Privacy of the person knowing the term privacy becomes more eminent.

So, According to Constitutional law, Privacy means the right to make certain fundamental decisions concerning deeply personal matters free from government coercion, intimidation or regulation. In simple terms there are certain things that the Individual needs to keep it confidential and that nobody can force them to knew about that. The Indian Law  gives certain provisions related to the fundamental right to privacy from the eminent case of K.S Puttaswamy vs. Union of India where it was stated in this case the breach of individual’s privacy can only be done on the following grounds; First the state must be sanctioned by law, there should be test of necessity & proportionality, there must be some legitimate state aim for such actions and there should be a procedural gurantees against the abuse of such power. It was this case which mentioned where clearly the right to privacy is integral to the right to life conferred under article 21.

Pegasus spyware is a big threat to a certain individual as it can record data, spy the person’s confidential and the personal matters without the acknowledging the person with whom the data is going to be spyed upon. It is direct attack towards the democracy also as the opposition leader are also being spyed upon, the fourth pillar of democracy Media also gets affected from this as the journalists, Human rights activists and many more are also affected by it. The Government can also not directly conduct surveillance as there are reasonable restrictions to it also.  It also Violates Article 19 of the Indian Constitution which Gives freedom of speech and expression. If a person’s privacy is breached it is a direct attack towards the Individual’s Human rights and the rights conferred to him under various Indian laws. 

There are lot of vague and ambiguous perspective on How to Curb the Menance from Pegasus. These are some smalls tips which can be useful to prevent the device from the spyware such as:

  1. Reboot Daily
  2. Disable iMessage
  3. Disable Facetime
  4. Don’t ever click on links received in messages.
  5. Keep the mobile device up to date; install the latest iOS patches as soon as they are out.
  6. Browse the Internet with an Alternate browser such as Firefox Focus instead of Safari or Chrome.
  7. Always use a VPN that masks your traffic.

Conclusion

Pegasus is a spyware programme created by NSO Group, an Israeli firm that specializes in so-called “cyber weapons.” It came in the limelight when the one of the most popular American based daily newspaper New York Times published an article where it revealed that Indian Government purchased the Pegasus spyware to spy upon the Leaders of Opposition, Journalists, writers, Human rights activists etc. It created a lot of ruckus and chaos all over the country against the government during the Budget session. After discussing about all the important legal provisions of The Telegraph Act, 1885 and The IT Act,2000 and some important case related to fundamental right to privacy such as K.S Puttaswamy vs Union of India,2012 which stated that individual’s privacy can’t be breached at any cost Though there are certain reasonable restrictions which are necessary for the state to do so. One of the most important thing is the Right to Privacy which is violated by this spyware and how this harms an individuals rights and what certain measures that need to be taken up to prevent it and till how much it can affect any individual’s privacy as well as democracy also.

REFERENCES

Author: Aditya Pandey, NMIMS, Hyderabad

Editor: Kanishka VaishSenior Editor, LexLife India

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s