Cameraperson: Zijah Sherwani
Video Editor: Ashutosh Bhardwaj
At least 1,500 people spied on.
Human rights activists, journalists, lawyers defending the vulnerable, elected officials, specifically targeted.
The Whatsapp Pegasus Spyware Row has confirmed the worst fears of privacy advocates and cyber security experts, that any of us can be hacked – remotely, without any way to protect ourselves. Our data, our messages... nothing is private.
But even now, we’re still not getting clear answers from any of those involved.
Here are some of the questions we absolutely need some answers to.
Questions For WhatsApp
How many people in India have been affected by the malware? Initial reports said two dozen. Then it was 41. Now Indian Express is saying 121. While you don’t need to make public who exactly these people were, you do need to give us an exact number, so we can understand the true magnitude of this all.
And as this vulnerability was only discovered after an individual made a complaint – what proactive steps are you taking to ensure you’re able to detect this kind of breach?
Questions For Google, Telegram, Facebook, Skype, Apple & Other Tech Companies
Pegasus does not just target Whatsapp.
The lawsuit filed against the NSO Group in California relies on reports that say it can infect any Apple or Android phone, and can target other communication apps as well, like Facebook Messenger, Skype, Telegram, Gmail, etc.
Are all these companies investigating whether a similar vulnerability was exploited by Pegasus?
What’s their plan of action to deal with Pegasus and other such spyware, like for example Verint?
Questions for NSO Group
You have told us that your technology is not designed or licensed for use against human rights activists and journalists.
You have said that “any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse.”
So, even though you cannot tell us who your clients are, will you be filing cases against whoever is using your software against human rights activists and journalists in India?
Have you taken any such action in Morocco or Rwanda, where it has been revealed that your software has been misused the same way? What about Saudi Arabia?
Questions For the Government of Israel
The State of Israel issues export permits for sales by the NSO group and other such companies.
Such permits are supposed to be contingent on this tool not being used in an illegal manner,
But an investigation by Haaretz has revealed Pegasus and other such tools have been sold to countries like Bahrain, Mexico and Azerbaijan where they’ve been used to target protesters, human rights activists and even the LGBT community.
And of course, Saudi Arabia, who used it to track Jamal Khashoggi.
What kind of oversight and regulation does the Israeli government maintain for Pegasus and other such spywares?
Will the Israeli Ministry of Defence start cancelling export permits as requested in the Israeli courts?
Questions for the Indian Government - Part I
Now that we’ve dealt with everyone else, let’s get to the elephant in the room, via your phone, the Indian government.
NSO says they only sell their product to government agencies, so does that mean Indian government agencies purchased this spyware?
The government has had three opportunities to deny this outright: in Minister Ravi Shankar Prasad’s statement, a statement released by the Ministry of Home Affairs, and a response to an RTI.
There was no denial in any of these, only some waffle about how the government follows the law.
The Quint has been informed by a former Home Secretary and ex Intelligence Bureau officers that it is in fact common for the government to procure this kind of spyware from foreign firms.
So, can we now get a straight answer from them? Did any of our government agencies purchase this tool? It’s a yes or no answer, and allows us to figure out how to address this fiasco.
Questions for the Indian Government - Part II
Coming back to that MHA statement about following the law. If the govt did in fact purchase this tool and use it, does this mean the government is saying they used it legally?
Cyber law expert Pawan Duggal explained to The Quint that the usage of this spyware seems to be beyond “the four corners of the law” on lawful surveillance, allowed under Section 69 of the Information Technology Act 2000.
Access Now policy director Raman Chima also notes that what Pegasus does, by accessing people’s mobile systems without authorisation, constitutes hacking and therefore cannot be legal under the current Indian legal regime, which does not create any exceptions for government.
Questions for the Indian Government - Part III
If it wasn’t the Indian government that purchased it, it doesn’t mean the Indian government is off the hook.
Former Home Secretary GK Pillai told The Quint he was aware of NSO selling its wares to people in India, including private individuals. WhatsApp informed the government about the Pegasus hack in May and again in September, but the government did nothing.
And please, don’t insult our intelligence by pretending CERT-IN couldn’t understand the “technical jargon” in the notification.
The Hindustan Times has even reported that the Threat Assessment Unit sent out details about Pegasus to government departments, so, it’s clear they knew.
What is the government doing then to stop other actors from using spyware like Pegasus in India?
Why are they wasting time asking questions from WhatsApp rather than the NSO Group?
And when will we have a proper cyber security framework to ensure victims of this kind of illegal snooping have some redress?
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)