RIGHT ANGLE – Will the Supreme Court-appointed Committee to find out the truth of the Mission Pegasus prove to be much ado about nothing?
For instilling faith in the judicial system of the country, the Supreme Court has done well in setting up a panel to probe the alleged use of spyware Pegasus, developed by the by the Israeli firm NSO group, on Indian politicians, journalists, activists, businessmen and judges.
But will it be a case of “Much Ado About Nothing”?
There are reasons why such a possibility cannot be ruled out. And if that turns out to be the case, then much jubilations over the Apex Court’s decision, particularly by the habitual critics of the Narendra Modi-led central government, may well be short-lived.
Going by the terms of the reference that the Supreme Court has framed, it is obvious that it is not concerned about the purchase of the spyware for the national security purposes. It is only interested in finding out “whether Pegasus was acquired by UoI, or any state government, or any central or state agency for use against Indian Citizens (emphasis added) or, and this important, “if any domestic entity or person has used this spyware on Indian citizens, is such use authorised?”
The central government has already told the Court and clarified in Parliament that it has not used any spyware against the citizens. Obviously, now it is up to the Committee to establish whether or not the government is speaking the truth.
Similarly, it will be interesting to know how the Committee finds out the answer from the state governments and authenticate them. But what will be the Herculean task of the Committee is to prove if any private individual or entity had procured the spyware to scoop on the adversaries, something that is not authorised by any laws or governmental rules (the Court wants to know if there are any such provisions of the government authorising some private persons/entities).
It will be really interesting to find out that if anyone other than a government can afford the mindboggling costs of Pegasus spyware. No wonder why the NSO says that it only sells its products to the vetted governments. According to its price list of 2016, the NSO Group charged its customers $650,000 to infiltrate 10 devices (iPhone and Android users); $500,000 for five BlackBerry users; and $300,000 for five Symbian users. On top of these, there is the flat setup or installation fee of $500,000. For 100 additional targets, it will cost $800,000; 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000. Then there is an annual system maintenance fee of 17 per cent of the total price every year. However, for the newer versions now that have “zero-click” abilities to infiltrate a phone without any action (such as clicking a link) by a targeted user, the price is said to have gone up manifold.
Now comes the real challenge before the Committee to ascertain the authenticity or merits in the versions of the international entities involved in the Project Pegasus, on the basis of which this entire controversy in the country has arisen. This Project, as is known, is a collaborative effort of Paris-based NGO “Forbidden Stories”, Amnesty International, Citizen Lab and 17 media houses from the 10 countries, including the Wire news-portal of India.
Project Pegasus has said that approximately 50,000 phone numbers appeared on a surveillance hacking list in at least 50 countries, containing business executives, human rights activists, journalists, politicians, and government officials.
Three facts here are noteworthy:
First, the list of the disclosed telephone numbers that is shown under the suspected surveillance is not the current list. The list covered the period mostly up to the year 2018-end. Besides, it is said that the holders of these numbers were “potential targets”. What it means is that all of them were not actually under surveillance.
Secondly, the Project Pegasus has not authenticated the data to protect the safety of its source. They have refused to reveal the source of their list. They say it is genuine and was prepared on the basis of the customers that Pegasus had prepared.
They are also not disclosing where in these 50 countries, the list was leaked. What is said is that the Amnesty collected the data and the Citizen Lab vetted Amnesty’s methodology for confirming Pegasus’ infections and deemed it sound.
Thirdly, the Amnesty has clarified that a phone number’s presence in the data does not necessarily mean an attempt was made to hack a device. Digital forensics conducted by Amnesty International’s Security Lab has not conclusively found in the phones that it tested that those were compromised by Pegasus spyware.
Of the smart phones of 67 people (from the list of 50,000) that Amnesty was able to examine on the list, it found only 23 infected, with 14 phones showing signs of attempted intrusion. Test scan on the remaining 30 smart phones remained inconclusive.
As regards India, if we go by the Wire-stories, 161 Indians were “targets or potential targets” for surveillance by clients of the NSO Group. Of these, phones of 10 Indians were forensically examined, all of which showed signs of either an attempted hack or a successful compromise.
Given the above background, any fair investigation must find out the seriousness of the allegations, authenticity of the number of targets, how the targets were found out and the efficacy of the forensic examination that concluded the successful compromise of the hacked phones.
And that means officials of Forbidden Stories, Amnesty International and Citizen Lab must be summoned by the Committee to hear them, something that has not been done so far in any country where the allegations of hacking have been made. We only have heard their one-sided versions. Truth can come out only after their cross-examination.
Every responsible citizen of a democratic country needs the protection of her or his privacy. There cannot be any compromise on that, unless the national security dictates otherwise. So the Committee must find out the guilty and recommend their due punishment. But before that it must be seen to do a fair investigation. It is all the more so when in this case, the actors involved in the Project Pegasus are not exactly known for their impartiality or unbiased agendas.