The views expressed are personal.
By Harsh Dabas
“Listen to me, the computer is tracking us right now, take the stuff and throw it out of Window”- screamed Shaw, “What are you talking about?!”- replied Agent Morgan, “you need to take your cell phone, pager, walkie, anything which receives a signal, just throw it out of the window!”
These were a few lines from the 2008 Flick “Eagle Eye”, in which the computer software (named ARIIA), was tracking the duo above, with the objective of stopping them from reaching the White House to shut it down, and was employing dangerous means to stop them.
ARIIA had access to cameras, lights, traffic grid, drones, microphones, computers and much more in the movie, which was quite terrifying and astonishing for viewers, as it breached privacy like cutting a cake.
But, it did propel a debate once regarding the Spyware-Technology and the Digital Vulnerability of Citizens, as the world was already a global village, connected virtually with each other and cyber-security was a big deal back then, and various forms of spyware were infecting the cyberspace.
Question and Answer;
In other words, the question that came to viewer’s mind was- could they also be monitored with such ease (if not like ARIIA).
The answer came in 2016, an astounding YES, and in the most terrible way ever. Christened the name- Pegasus, it was developed in Israel by a Private Tech Firm.
One may link the name- Pegasus, to the legendary flying equine immortalised by popular Greek Culture, however this Spyware is not remotely related to the legend at all.
It’s existence was detected for the first time when an installation attempt on an Arab Human rights activist went KAPUTZ (failed), and was reported to an Investigation Agency named-Citizen Lab, who traced back the origins of the attempt and hence, came to know about this for the first time.
Origins and Abilities;
It was developed by Niv Shalev Omri Group, popularly referred as NSO group, with the founder’s initials as the name of the venture.Based in Israel, it was formed just a little over a decade ago, in 2010.
Their now-headline-hitter product, Pegasus, is quite a game changer in the list of existing spy-wares, due to it’s unique, sophisticated method of bypassing every possible cyber-security and without even the slightest of knowledge to the target.
Now, there are several spy-wares that breach Extensive Security and that too in a sophisticated way, but what sets Pegasus apart, is that it behaves as an amalgam of all the possible vulnerabilities that a spyware could exploit.
In other words, spy-wares use only one or two vulnerabilities to get access to the system, but Pegasus exploits all possible vulnerabilities to enter the system.
Once entered the system, it receives further commands from servers and starts extracting information, no matter how extensively encrypted and locked the latter is.
It’s infection vectors include links/images received through E-Mails, Web-Pages and through applications such as iMessages, PhotosApp and iMusic (on iOS).
And it’s scope is not only limited to Apple iOS, but also to Android OS.
Again, one may argue that ordinary spy-wares use the same path, but Pegasus sets this bar higher by using Zero-Click Exploits, i.e, even if the target doesn’t interact or clicks the link, the target’s system will get infected regardless of any interaction, that’s also why it is also said that this virus can be sent “flying through the air.”
It can extract out contacts, images, videos, call logs, passwords, fingerprint authentication, browsing history, and messages.Here too, Pegasus goes a mile ahead as it can open Camera, microphone and location at command and that too, clandestinely.
It has been specially designed to evade detection too, as it has various self-destruct contingencies once under the Threat of Detection and also leaves no trace for the same
This is worrisome as this breaches the whole concept of privacy- be it professional or private.
At a further look at their website, the firm cites their technologies as a tool to exterminate terrorism, prevent gun violence, suicide bombings and save thousands of lives all over the world and this Technology is exclusively for governments.
A Possible One-Way ticket? and Reality;
On the bright side, this technology can be a harbinger of quick justice and harmony, as it can effectively act as an efficient Evidence-finder, and also find lost children.
Sounds just a technological advancement we needed, right?
However, In reality; just like Nuclear Energy, this technology was grossly misused to serve political interests round the globe as various journalists, political figures, NGOs, judges and opposition leaders were the real targets.
Cut to last year, a Massive investigation for the same kicked off and was carried out by Prestigious News Organisations such as Guardian, TheWashingtonPost, and 16 other firms all over the world. They managed to get their hands on a “leak”, which was provided by a Paris-based non-profit organisation Forbidden Stories and Amnesty international.
The leak was huge, as it included phone numbers of 50,000 individuals from countries such as Bahrain, Morocco, Mexico,India and a few more.
300 of them were Indian, and the Indian targets included Rahul Gandhi, Abhishek Bannerjee (nephew of Mamata Bannerjee , W-Bengal CM), Political strategist Prashant Kishor, also the woman who accused Former CJI Gogoi of sexual misconduct, along with her 11 direct family members were also on the list.
Several Journalists of reputed Indian Media Publishers such as TheHindu,TV18, TOI, Hindustan Times, and much more were also on the list and several activists jailed/free were also present on the leak.
The irony of the fact is that Ashwini Vaishnav, the recently-appointed IT minister initially denied claims of existence of Pegasus, but his name was on the list. Also Prahlad S Patel, who is currently the minister of Food processing industry was also spotted on the list.Former Election commissioner Ashok Lavasa, was on the list along with a few NGOs operating in India.
All this got a massive uproar from all sections of society as they pointed the fingers at the current establishment, for this gross misuse of technology.
The government response was quite a head-turner too, as instead of directly answering to the RTI Application, they stated that “no unauthorised surveillance has been done on citizens”, leading to more fury breaking loose on the former.
One thing to also keep in mind is- the presence of the phone numbers is not a sure-shot evidence that all these numbers were snooped upon, but precursor of the fact that all those numbers were “targets of interest” as identified by the “clients” I.e the present establishments.
This matter was immediately taken up in the Apex-Court and hearings for the same commenced without further ado, with an independent research group to investigate the same.
This matter, at hand, has more links to Legal Aspect than you may wonder!
For starters, it breaches the Section-69 of the IT Act 2000, which defines hacking as an entry of virus in the system.Also the Section-5(2) of the Telegraph Act also gets breached which provides for phone-tapping.
Moreover, Pegasus’ hacking of devices breaches the provisions of Section-66, 66(B), 66(E) and 66(F), which is punishable by means of either imprisonment or fine or even both.
The key breach is the Right to Privacy, which is enshrined in one of the prime articles- Article 21.
Various precedents set by the Supreme Court, have placed Right to Privacy as a fundamental right and the likes, such as cases like K.S Puttuswamy, Anuradha Bhasin v. Union of India and a few more.
Various Iterations of Personal Data Protection bills (2018,2019), were formulated keeping Privacy and Security in mind, however, all these bills got bypassed in the most sophisticated bills ever.
This expose is worrisome as in the Covid-halted world, populations have turned to their devices from paying bills to working from home, and this breach is undoubtedly unconstitutional and what’s more troubling is that democratically-elected governments are the clients of such technology, citing a dark phase for democracies ahead, as this Privacy Breach is one of the precursors of dictatorship.
Stricter Enforcement of Laws is not the only way to prevent such breaches from happening again, the IT Heads must optimise and test their software and hardware such that minimum vulnerabilities are present for spy-wares to exploit.
The media applications such as FaceBook (now Meta), Twitter, Instagram, and the respective softwares must be regularly optimised so that to prevent glitches and vulnerability to cyber-attacks. The occurrence of such a situation indicates a complete overhaul of the cyber-security framework and surveillance regulations in the country