On 31 October 2019, when the news first broke out in India, it was indeed more than just “breaking news”! As the facts were slowly revealed on the electronic media and, the next day, in banner headlines in the major dailies of the country, it became certain that some of the leading human rights activists, lawyers, academicians and journalists using ‘WhatsApp’ were being snooped upon. An Israeli spyware, ‘Pegasus’, was being used to infect the phones of those who dared take on the Government and to access vital information from these instruments. Noteworthy is the fact that it was used primarily in the run-up to the 2019 General Elections in India!
The news broke out worldwide sometime in May when ‘WhatsApp’ sued Israel’s NSO Group, accusing it of helping clients break into the phones of roughly 1,400 users (including diplomats, political dissidents, human rights activists, journalists, military and government officials) across four continents. This revelation was made thanks to some painstaking research done by the ‘Citizen Lab’ of the University of Toronto. Obviously, NSO denied the allegations immediately, saying that it sells its technology to governments to counter terrorism. India apparently is WhatsApp’s biggest market, with over 400 million users and still counting.
One needs to understand at first, in an uncomplicated way, how ‘Pegasus’ as a spyware actually operates. Pegasus is a targeted individual hack that seeks to break the protections built into computer and phone operating systems. All hacks like this follow the same method. They rely on finding what are known as “zero day vulnerabilities”, namely bugs in software that even the developer does not know about (hence “zero day”, as in zero days of warning). Such a bug is then used to infiltrate the operating system of the phone or computer, and from there to monitor and attack other software. Use of zero days makes Pegasus-style attacks almost impossible to stop in advance.
In order to monitor a target, a Pegasus operator must convince the target to click on a specially crafted ‘exploit link’, which allows the operator to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus installed, it begins contacting the operator’s command and control servers to receive and execute operator commands, and to send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity. In the latest vulnerability, the subject of the lawsuit, clicking the ‘exploit link’ may not even be required: a missed video call on WhatsApp would have been enough to open up the phone, without any response from the target at all.
The ‘spokespersons’ of the Government of India, in keeping with their normal stance, have gone into denial mode about this latest revelation. No one of course believes the Governments. All Governments are known to ‘spy’ or ‘snoop’ on people for whatever reason. At most times, they justify these acts as being for ‘the good of the country’; innocuous words like ‘intelligence’ and ‘counter-intelligence’ are used; they go on to add that they need to curb any ‘subversive’ activity or any act of ‘terrorism’. Fascist regimes are known to go ten steps further; because of their own insecurity and the constant threat that their own wrongdoings will be exposed, they use every possible method to find out what their opponents are doing, what they are saying or writing, whom they speak to, where they go, etc. In doing so they try to falsely ‘build up a case’ against their opponents. They have the help of the law and order mechanism, namely the CBI, the police and sadly even the judiciary today, to “prove” their point. We see all this happening repeatedly in India today!
Last week, in an open letter addressed to Prime Minister Narendra Modi, a group of Indians who are targets of this latest snooping scandal demanded that his government explain whether it had mounted the surveillance on them. In a strongly-worded letter they said, “It is a matter of public concern whether Indian taxpayer money has been spent on this kind of cyber surveillance. We seek an answer from the Government of India about whether it was aware of any contract between any of its various ministries, departments, agencies, or any State Government, and the NSO Group or any of its contractors to deploy Pegasus or related malware for any operations within India?”
Will Cathcart (head of WhatsApp, which is owned by Facebook) wrote, a couple of weeks ago, a powerful but transparent op-ed in the ‘Washington Post’ (30 October 2019). It is important to quote at length from this timely article. Cathcart writes, “Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk. And we all want to protect our personal information and private conversations. That’s why we will continue to oppose calls from governments to weaken end-to-end encryption.
Second, technology companies must deepen our cooperation to protect and promote human rights. App developers, device manufacturers and those who maintain the security of operating-systems providers need to share information to build safer systems. Just as users expect our products to work seamlessly, so too they expect we will work to guard against common threats and to hold attackers accountable.
This includes publicly explaining significant attacks to increase resilience and working with security researchers who can play a crucial role in that. We’re grateful to experts at the Citizen Lab at the University of Toronto for their work in this regard. They volunteered to help us understand who was affected by the attack and engaged with journalists and human rights defenders to help them better protect themselves in the face of these threats.
Third, companies simply should not launch cyberattacks against other companies. Responsible actors report vulnerabilities when they are found; they do not use their technology to exploit those vulnerabilities. Likewise, companies should not sell services to others engaged in such attacks.
Lastly, far more needs to be done to define what amounts to proper oversight of cyber weapons. NSO said in September that “human rights protections are embedded throughout all aspects of our work.” Yet it maintains that it has no insight into the targets of its spyware. Both cannot be true. At a minimum, leaders of tech firms should join U.N. Special Rapporteur David Kaye’s call for an immediate moratorium on the sale, transfer and use of dangerous spyware.
The mobile phone is the primary computer for billions of people around the world. It is how we have our most private conversations and where we store our most sensitive information. Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere.”
It is anyone’s guess whether those who are at the head of this snooping regime will care to read this brilliant op-ed. In all likelihood it will be a “surely no!” But two parliamentary panels headed by Congress leaders have recently decided to examine the WhatsApp snooping case and will seek details from top government officials, including the Home Secretary. Congress leader Shashi Tharoor, who heads the parliamentary standing committee on information technology, said in a letter to his panel members that the alleged use of the technology for snooping on Indian citizens was a matter of “grave concern” and that it would be discussed at the Committee’s next meeting on November 20. Whether these Parliamentary Committees will have the teeth to take on the fascism that is mainstreamed in the current political regime is a matter of conjecture. The Government has enough of ‘flak’ on several of those who dare oppose them. It is common knowledge, as is blatantly seen, that if you toe the Government line, even if you are the most corrupt person in the country, the worst murderer or rapist or, for that matter, the worst plunderer of natural resources, then nothing will happen to you!
The last fortnight has been hectic in the country; electronic and print media have had other headlines to flaunt and talk about! Among those that have hogged the headlines have been the Ayodhya verdict, the Maharashtra elections and the subsequent political drama still being played, the Rafale scam judgement, the transfer of power from one Chief Justice to another, the opening of the Kartarpur corridor etc. Perhaps “reasons” enough for ‘snoopgate’ being swept under the carpet.
However, this does not mean that key issues and questions sacrosanct for a vibrant and participative democracy can be swept under the carpet; these include:
· The Right to Privacy: does the Government have the right to spy/snoop/intrude into the private life of a citizen?
· The Right to Freedom of Speech and Expression: we are already witnessing how it is being systematically curbed and even denied in India; do we continue to allow it?
· The right to dissent: human rights defenders, academicians, journalists, intellectuals, every ordinary citizen has the fundamental right to disagree with the Government and the policies; this is the essence of democracy!
‘Snoopgate’ is about all the above and more. In the past, several Governments across the globe have fallen for immoral acts like spying on their own citizens! We experience it unfolding in different parts of the world today! Will ‘snoopgate 2019’ be the Waterloo of this fascist regime? We the citizens of India, if we want democracy to continue in our country, must wake up now!
(*Fr Cedric Prakash SJ is a human rights & peace activist/writer. Contact: firstname.lastname@example.org)
(Published on 18th November 2019, Volume XXXI, Issue 47)