Govts Deployed Pegasus Spyware on People: NSO Group Tells US Court

Israeli cyberweapons company, NSO Group, whose Pegasus spyware was used to hack into the phones of at least 121 Indian citizens in 2019, has told a California court that the attacks were carried out by its government clients.

Pegasus, a spyware built by the NSO Group, was found to have infiltrated the phones of 1,400 individuals globally, including human rights activists, lawyers and activists in India. WhatsApp had sued the Israeli company in October 2019 for exploiting a vulnerability on its platform to carry out these remote surveillance attacks.

Responding to allegations by WhatsApp of the NSO Group’s involvement, the Israeli company has stated in its submission that “there is no dispute the alleged use of Pegasus to message 1400 foreign WhatsApp users in April and May 2019 was done by sovereign governments in foreign countries.”

WhatsApp had described the Pegasus breach as a “cyber attack”. The Israeli company has strongly denied allegations that it controlled servers in the United States to implement the attack.

The company has stated that it only played “a tech-support role as the sovereigns’ agent” while the actual deployment of the spyware was carried out by the sovereign governments.

Electronics & IT Minister Ravi Shankar Prasad had told Parliament on 28 November, 2019, that there had been “no unauthorised interception” of citizens’ phones by the government.

However, Former home secretary GK Pillai had told The Quint on 1 November, that he is aware that Israeli tech firm NSO had been operating in India – and that it had sold spying software to private firms and individuals in the country.

Among the 121 Indian citizens who were victims of surveillance are Bhima Koregaon lawyer Nihal Singh Rathod, Elgar Parishad accused Anand Teltumbde, Bastar-based human rights lawyer Bela Bhatia, jailed activist Sudha Bharadwaj’s lawyer Shalini Gera, Gadchiroli-based lawyer Jagdish Meshram among others.

They had also written to the government on 7 November, seeking an answer from the government about whether it was aware of any contract between its ministries or any state government with the NSO group.

NSO Group’s Stance

In its latest submission in the Northern District court in California, the Pegasus-maker company has claimed that the “Court lacks subject matter jurisdiction because foreign sovereigns committed the acts Plaintiffs challenge, with NSO taking a tech-support role as the sovereigns’ agent.”

WhatsApp has alleged in new court filings that the Israeli company had controlled United States servers to deploy its spyware, Pegasus, in mobile phones of 1,400 individuals across the world, including over 121 Indians, The Guardian reported.

The NSO Group has maintained since the news of the spyware attack first broke that it sells licenses of its products only to governments, law enforcement agencies and state actors.

In response to a list of questions on whether it entered into an agreement with any Indian government agency, the NSO responded saying: “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies.”

The company's official response also stated two significant policy measures.

First, the company “considers any other use of our products than to prevent serious crime and terrorism a misuse” and such use as witnessed on Indian citizens, “is contractually prohibited.”

Second, NSO Group also specifically stated that “we take action if we detect any misuse.”

While the NSO group’s statement on the issue did not address the India incident specifically and instead highlighted the lawsuit against it by WhatsApp owner Facebook, the response provides clarity on the company’s stance on the ongoing ‘snoopgate controversy’.