Pegasus Attack- A Threat To Cybersecurity?

Author: Drishti Banerjee Student, Amity Law School, Kolkata

Spyware are dangerous software viruses that secretly get into the e-devices like smartphones and computers and maliciously transfer the data to outside sources.

Recently, the Spyware called Pegasus is in news and it is argued to be the greatest threat to privacy and cybersecurity.

This Spyware has allegedly attacked as many as 50,000 devices all over the world, including 300 verified Indian mobile numbers. It is used for targeted surveillance (and not mass surveillance). Once installed, it is capable of accessing any file and gather any information from the device and serve it to third parties.

What is the Pegasus Spyware?

Pegasus is an extremely sophisticated, technologically advanced malicious software created by Israel-based cyber intelligence firm called the NSO Group.

How does Pegasus infect the devices?

1. In 2016 when it was first detected, it used the spear-phishing method to infect the device. It would send text messages or emails to the target to trick him to click on an attached link.

2. Using latest technology, the Spyware now infects devices using zero-click vulnerability. It means that the infection can be done by simply giving a missed call on the number or through a mere WhatsApp message, whether or not the user engages with it. Therefore, things are becoming way too complicated for the target to notice.

3. If the above stated two methods fail, Pegasus can be installed by a wireless transceiver situated near the target.

Functioning

The Spyware can attack both iOS and Android devices, but has widely targeted iphones.

Once it has infected the phone, it can virtually do anything, including recording calls, observing the call log, reading WhatsApp chats and SMS, accessing the photos in the gallery, secretly switching on the phone’s microphone or camera for spying, getting the user’s location by tracking the GPS, accessing all the passwords, etc.

Basically, the attacker can do everything the user of the device can do. This is called root privileges or administrative privileges.

Why was this Spyware made?

The NSO Group claims to have made this Spyware for aiding Law Enforcement and Government Intelligence Agencies to counter crime and terrorism. For instance, the Mexican drug lord El Chappo was arrested by the government using this Spyware.

However, the usage of this Spyware has not been as noble as it appears to be.

In 2019, WhatsApp blamed Pegasus to have infected about 1400 phones. Of late, it has allegedly snooped into the phones of some eminent personalities including senior journalists, human rights activists, world leaders and politicians.

Who have been attacked?

The Spyware was said to have attacked the phone of Amazon Chief Jeff Bezos, Princess Latifa and French President Emmanuel Macron over the years.

 Congress leader Rahul Gandhi, Election strategist Prashant Kishor, present IT Minister Ashwini Vaishnav, TMC leader and nephew of West Bengal CM Abhishek Banerjee, senior CBI Officer Rakesh Asthana, former election commissioner Ashok Lavasa, etc. are some famous Indian names whose phones were allegedly targeted between 2017-2019.

Report by Forbidden Stories

In the current expose, the Pegasus Spyware Attack has been revealed by a France-based NGO, Forbidden Stories, with the technical support from Amnesty International. It has been termed as the Pegasus Project and includes 80 journalists from 70 media organisations across 10 countries to investigate the truth of the allegations. Their investigation has brought to light various hidden aspects of the attack.

India is one of the NSO Clients among eleven countries enlisted by Forbidden Stories. It is the country which tops the list in terms of democratic index (53). Other clients include Morocco, Rwanda, UAE and Saudi Arabia.

Actions taken

At the wake of the Pegasus Spyware Attack Issue, Apple, Google, WhatsApp, etc. have begun to patch their security loopholes that Pegasus was exploding. Concern has been expressed by other business organizations as well regarding the security of their confidential business data.

In Binoy Viswan v. RBI and Others, 2020 (PUBLIC INTEREST LITIGATION W.P. (C) NO. 1038 OF 2020), the matter of Pegasus spying on WhatsApp was brought before the apex court along with other data privacy issues.

As pleas have been filed recently before the Supreme Court by two senior journalists N Ram and Sashi Kumar regarding the issue, a need of a detailed, impartial and high-level investigation is felt to decide the authenticity of the issue.

The West Bengal Government has constituted a commission headed by retired Justice Madan Lokur in order to probe this scandal.

Nevertheless, in spite of the potential threat posed by the Spyware that may harm the country’s integrity and sovereignty, no Central level large scale action or investigation has been conducted yet and there is no announcement regarding any in the near future. Such an indifferent attitude has been criticised widely by the Opposition.

A Threat To Rights

This issue is not only a threat to data privacy, but also a threat to the freedom of speech and expression as guaranteed by Article 19(1)(a) if the Constitution. This is because private messages and call records can be tapped using Pegasus.

Article 21, which includes the Right To Life And Personal Liberty, is inclusive of Right To Privacy (Puttuswamy v. Union of India, AIR (2017) 10 SCC 1). In the said case, it was held that this fundamental right protects an individual from being scrutinized by the State in their home (i.e., in the constraints of his private life).

However, this Right is subjected to reasonable restrictions like

1. Existence of a law justifying an encroachment on privacy;

2. A legitimate State objective that assures that the law fits within the test of reasonableness and protects against arbitrary State action; and

3. The State’s measures are appropriate and proportional to the aims and needs sought to be met by the law.

However, in the instant case, these elements are absent. There can be no reasonable grounds to prove why the government would tap the phones of people like senior journalists and bureaucrats. Neither a proper law nor a particular need sought by it may justify this arbitrary State action.

These digital attacks are also a threat to the cybersecurity provided by the IT Act of 2000, whereby e-resources are protected from unauthorised users.

In addition, there is a risk of Business organizations losing key business information assets and Banking institutions losing confidential data.

This targeted surveillance is done on people who are neither suspected terrorists nor criminals that such a drastic step would be required. Spying on journalists and activists cannot be called a legitimate criminal investigation, but rather a violation of human rights.

The Way Forward

Urgent action is required to develop the cybersecurity laws in India. The IT Act, 2000 (as amended by the Information Technology Amendment Act, 2008); Information Technology Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (SPDI Rules); etc. are some of India’s cyberspace security laws that need to be applied and updated in step with the current global threat posed by the Pegasus Spyware.

The modifications require to strike a balance between individual rights and the rights of the government through proper legal frameworks. That is to say that the government at some point needs Spywares to check terrorism and other criminal activities. Nevertheless, this should not become a tool in the hands of the government officials to be used for personal purposes.

 This can only be checked by a well-regulated legal framework and subsequent modifications in the existing laws that define the limits to the power of the government to spy on its citizens.

Conclusion

The way Pegasus functions cannot guarantee the honest intentions of its clients. Moreover, usage and exploitation of such a software is not exclusive to any one party.

Allegations regarding tapping the phones of eminent personalities like election commissioners and CBI officers raise serious questions regarding the democratic functioning of the government and separation of powers. The Spyware can be used to muffle the free voices in a democratic country like India.

It can therefore be concluded that the recent developments with regard to the Pegasus Spyware are indeed a threat to cybersecurity and privacy laws not only in India, but globally.

References

1. https://www.indiatoday.in/technology/news/story/apple-condemns-pegasus-spyware-attack-says-it-is-working-on-added-protection-1830399-2021-07-20

2. https://indianexpress.com/article/india/pegasus-spyware-senior-journalists-move-sc-seeking-independent-enquiry-into-govt-snooping-allegations-7424690/

3. https://m.thewire.in/article/rights/project-pegasus-list-of-names-uncovered-spyware-surveillance

4. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

5. https://amp.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones

6. https://www.mondaq.com/india/privacy-protection/625192/supreme-court-declares-right-to-privacy-a-fundamental-right

7. https://m.economictimes.com/news/india/post-pegasus-big-companies-tighten-cyber-security-measures-to-ward-off-snooping/articleshow/84665652.cms

For daily Updates Do Follow Us on Facebook Instagram LinkedIN Twitter YouTube

To read more blogs click here