
The Pegasus plot thickens

India Today

The government staunchly denies allegations of having used foreign malware to snoop on private Indian citizens. But the controversy has raised major concerns about violations of individual privacy and effective checks to prevent misuse of state power

Illustration by Nilanjan Das

Is the Indian state running a mass surveillance programme, keeping tabs on journalists, human rights activists and opposition leaders along with its own ministers and key officials? This is the charge made by French news organisation Forbidden Stories and Amnesty International on July 18 in their serialised revelation of spying activities carried out by countries across the globe.

The ‘Pegasus Project’, a global consortium of 17 media organisations including Indian news website, suggests India is among the 45 countries using a malware developed by the Israel-based NSO group. The purported snoop list includes 50,000 people and has phone numbers linked to at least 14 heads of state, like French president Emmanuel Macron and Pakistani prime minister Imran Khan.

According to The Washington Post, more than 1,000 phone numbers from India appeared on the list. The first list of names had 40 Indian journalists (including this writer) covering politics, foreign affairs and defence. A second list had the names of Opposition leaders like Rahul Gandhi, election strategist Prashant Kishor, newly-appointed IT minister Ashwini Vaishnaw and top virologist Gagandeep Kang. Vaishnaw has denied the allegations, calling them “an attempt to malign Indian democracy and its well-established institutions”. In a statement in the Lok Sabha on July 19 he maintained that, “When we look at this issue through the prism of logic, it clearly emerges that there is no substance behind this sensationalism.”

So, where did the database originate? There are no answers yet. On July 20, Laurent Richard, founder of Forbidden Stories, told India Today TV that the “numbers were entered in the system by NSO”.

The list by itself is not conclusive proof of surveillance. Amnesty International has clarified that “the presence of a phone number in the data alone does not reveal whether a device was infected with Pegasus or subject to an attempted hack”. The consortium believes the data is “indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts”. The project adds that forensic examination of a cross-section of phones found traces of the spyware on 37 phones on the leaked list.

A July 18 statement by the NSO group says the Forbidden Stories report is “full of wrong assumptions” and “uncorroborated theories” that raise serious doubts about the reliability and interests of the sources.



Surveillance by state and central agencies in India is not illegal. Section 69 of the Information Technology Act, 2000, allows “the interception, monitoring and decryption of digital information in the interest of the sovereignty and integrity of India, of the defence of India”. A list of 10 central agencies, including the Intelligence Bureau and the Research and Analysis Wing (R&AW), are authorised to tap telephones. RTI revelations in 2013 pointed to interceptions being done on a ‘staggering scale’—5,000 to 9,000 lawful interception orders were being issued by the central government on a monthly basis. Even the Right to Privacy Bill, yet to be passed, does not give Indian citizens blanket immunity from surveillance.

The Pegasus Project’s implications, of citizens placed under surveillance by military-grade cyber weapons, are alarming but not entirely unexpected. The existence of this malware was revealed in 2016 (see On the Data Trail) when the Canada-based Citizen Lab, which conducts R&D in cyberspace, global security and human rights at the University of Toronto’s Munk School, discovered it in the phone of a UAE dissident. Its potential use in mass surveillance was divulged on October 29, 2019, when WhatsApp and its parent company Facebook took NSO to court in California for infecting around 1,400 mobile phones worldwide via WhatsApp.

Digital surveillance is globally rampant. In 2013, former National Security Agency (NSA) employee Edward Snowden leaked top secret documents confirming the existence of a pervasive, all-intrusive western global surveillance regime where spy agencies like the NSA had ‘backdoored’ Google and Facebook. (A ‘backdoor’ accesses a computer system or encrypted data, bypassing the system’s security mechanisms.) The US snooped even on its own allies, such as German chancellor Angela Merkel. India, interestingly, was fifth on the list of the NSA’s most spied-upon countries.

What the Israelis had done, as the Citizen Lab investigations seem to suggest, was level the playing field by hawking smaller versions of those powerful surveillance tools to the rest of the world. Pegasus’ allure lies in its deniability and lethality. It is designed to self-destruct, leaving few traces behind. It can be remotely injected into a smartphone through a ‘zero click attack’, where the malware gets embedded in the phone without the target clicking on a link. Once embedded, it captures the phone, ferreting out messages, photos, text messages, passwords and even turning the camera and microphone on. It is why Israel mandates its sale be cleared by its defence ministry.

This, however, was not what Pegasus was developed for. An Indian security consultant, requesting anonymity, says the malware, as the NSO insists, was indeed developed for counter-terrorism applications. “In a Mumbai 26/11-like hostage situation, it can be injected into the phones of the terrorists to let security forces know what is going on inside, or the target’s phone data can be extracted or manipulated to confuse them.” The government of India has so far not denied the purchase of Pegasus. Sources indicate that a more advanced level of the malware has also been purchased and at least one Indian state government is believed to have purchased the spyware around 2017.

Proving that a government has snooped on its citizens is a tough ask because of the deniability and lack of traceability of the Pegasus malware. One former IPS officer, who wished to not be named, says he does not expect these revelations to make any headway because “we are confusing a moral issue with a legal issue”. “If you cannot trace something as basic as the origin of a WhatsApp message, then how will you prove a sophisticated malware attack on a smartphone?” he asks.

The Big Picture

There are larger and far more worrisome implications of the potential mass surveillance. There are justifiable fears that engaging with foreign malware providers could amount to outsourcing of a sovereign function—intelligence gathering operations. On July 15, just three days before the Pegasus Project revelations, Microsoft had announced that it had disrupted the use of “cyberweapons” developed by an Israel-based private sector offensive actor that it called ‘Sourgum’. It was aided in its investigation by The Citizen Lab.

A senior Microsoft executive wrote in a blog post that “these agencies chose who to target and ran the actual operations themselves” and added that the malware was targeting over 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers and dissidents.

NSO’s Pegasus has a similar attack profile. It infects smartphones and extracts information from them. But could the overseas developer also have access to that raw data? If so, then the Indian state may have unwittingly allowed data of key government officials and politicians to be leaked overseas. “Using a foreign-developed malware is worrisome because it allows a foreign country to understand who our intelligence agencies are interested in and gives them access to damaging data on a wide range of citizens in positions of power and influence,” says Bengaluru-based information warfare expert Pavithran Rajan. Such data could be intelligence gold. Indian cyber analysts say the raw data could potentially be accessed, manipulated or, worse, trafficked to other countries. “We have always spoken against the use of any foreign technology and tools, especially in telecom, defence and power sectors. The reliability and security of the technology or tools provided by foreign vendors is a very high-risk proposition and can pose a security risk to India,” says Jiten Jain, director of cyber intelligence firm Voyager Infosec.

The NSO has said it does not access the data from its customers and The Citizen Lab’s 2018 investigation hints that the Pegasus servers being installed in India is one way of ensuring that the data collected is localised. However, a former intelligence official, on condition of anonymity, says: “If I was the malware developer, I would be a fool to not instal a backdoor.”

What prevents Indian agencies from developing similar capabilities in-house? Time and money, says the officer. He narrates how his request to develop a certain software application was overruled because a superior officer couldn’t “wait till the cows come home”. This is where Israeli firms like NSO step in with instant off-the-shelf surveillance products. Israel’s monopoly over the Indian security software industry today matches its two-decade monopoly on India’s military drone market.

The allure of Israel’s over-the-counter malware is irresistible. It gives governments the enormous power of information. But these are short term benefits that could prove dangerous in the long run. It works like “crack cocaine”, says the former intelligence official. “Once a government is hooked onto the product, it can be sold a steady line of increasingly sophisticated versions to break into more advanced versions of smartphone operating systems,” he says. The seller has a foot in the door—its government has leverage over the Indian government and both, potentially, have access to a vast trove of raw intelligence harvested from Indians in positions of power. Gathering intelligence in the digital world is never a one-way street.

On The Data Trail

Aug. 24, 2016

Phone of UAE activist analysed by the University of Toronto’s Citizen Lab; finds NSO-developed malware Pegasus

June 2017

Citizen Lab finds multiple users across the globe. It finds five operators focused on Asia, including one it dubs “Ganges”, which became active in June 2017


Citizen Lab identifies suspected use of Pegasus in 45 countries

Oct. 2019

WhatsApp and Facebook take Israeli firm NSO to a US district court, accusing them of sending malware to over 1,400 WhatsApp accounts worldwide, including some in India

Nov. 1, 2019

IT minister Ravi Shankar Prasad responds to Pegasus revelations, says India concerned at breach of privacy but denies any unlawful interception

July 18, 2020

Forbidden Stories and Amnesty International investigation in world media; puts out list of 50,000 phone numbers that may have been identified as people of interest

July 20, 2021

Ruckus in Parliament after it is revealed that opposition leaders, including Rahul Gandhi, an SC judge, a former election commissioner and a cabinet minister are in a new list

