The Pegasus Project, as it is being called now, has blown the lid off a Pandora’s box of fears and doubts. Since Edward Snowden blew the whistle on the predatory nature of the alleged surveillance capacities and practices of the American and the British intelligence agencies in 2013, we have seen truckloads of new literature (both fiction and non-fiction) on cybersecurity and espionage. Hollywood has also let its imagination and paranoia run wild. And since 2013, technology has grown more powerful, internet speeds much faster, and the storage capacity of each device and the batteries attached much bigger. Cameras on each device alone have grown much wilder. And then there is the issue of cloud services. Unless you change the settings on your smartphones and other smart devices, their data is automatically backed up on cloud servers. Once this information is imprinted on internet servers, despite all assurances from the vendors, this data for all practical purposes becomes non-fungible. But let us not get ahead of ourselves.
Let us first take a look at the scandal so far. NSO Group, an Israeli software company, sells snooping software to several governments in the world. These governments then deploy it to spy on groups and countries they have an adversarial relationship with. Given that the software is military-grade, the Israeli government strictly controls who gets access to it and who doesn’t. Except that this responsibility, until a few months ago, was shouldered by none other than Bibi Netanyahu’s government. This may explain why he was so adamant about not leaving power or even the prime minister’s residence once out of power.
This software infects the target phones through phishing scams that reach you through SMS, WhatsApp messages or iMessage, or through an unknown vulnerability in certain phones. Once it infects the phone, it can harvest your text, WhatsApp and email messages; access your photos and videos, phone book, GPS data, calendar and passwords; record your calls; and activate your camera and microphone at will. As its technology has improved, the NSO Group can now install the said software even without you clicking a link.
In 2020, Forbidden Stories, a non-profit project primarily focusing on publishing stories which the traditional media for some reason does not carry, got hold of a target list of 50 thousand phone numbers. Amnesty International’s cybersecurity team examined some of the target phones and found that half of them had traces of the Pegasus Trojan software. As many as 17 media outlets, including The Washington Post, then came together to further probe the matter. And the revelations since then have been startling. The list included 3 presidents, 10 prime ministers and one king, apart from various individuals in the public eye like journalists, civil society activists, dissidents and government officials. Of these 10 prime ministers, one is Imran Khan. Without forensic analysis, it is hard to say if all these numbers were effectively hacked. But it is clear that at some point these were considered potential targets. France’s President Macron, for instance, made it to the list and since then has reportedly changed his phone but apparently was not spied on.
Perhaps the most interesting case is that of India. Of all the client countries, it is perhaps the only one with well-established democratic credentials. Democracies as a matter of principle do not spy on their citizens. Snowden’s revelations might have shaken faith in this precept a bit, but since then the democratic institutions have visibly reasserted themselves, ensuring that intelligence agencies do not spy on their citizens. But not in India. The Pegasus Project revelations show that India’s current government spied on opposition leaders like Rahul Gandhi and hacked into the phone of election strategist Prashant Kishor as he was advising West Bengal’s leading party during the recent state election, in addition to many other civil society and media functionaries. It did not even spare its own cabinet ministers and office-bearers. Presently the Indian government is pretending that it did nothing wrong and hopes that, like the dead bodies in water during the Covid crisis, the media will soon get over it. It may have to reconsider this position for three reasons. One, like the Covid crisis, this scandal has already done considerable damage to its international image. Two, this is the kind of scandal that tends to grow because of the sheer number of high-profile victims. Three, there might be more whence all this came.
Prime Minister Khan’s phone was also on India’s target list along with a host of other high-profile officials. The Pakistan government says it will litigate the matter. This will be an interesting development and many like me will watch it closely. But as a rule of thumb, unless the domestic technology has grown sufficiently to ensure total security for the use of such highly placed officials, it is strongly advised that they do not use smartphones at all. There are many reasons for it. But this time they might have been lucky and this scandal was caught quite early. Who knows how many other software products and companies are out there doing exactly that, or even doing a better job of not getting caught? And don’t forget each smartphone’s own firmware and the apps you use on such phones. Despite their bona fides, these companies also routinely harvest your data.
On the books at least, the software is only meant to target terrorists and criminals. This obviously wasn’t the case and therefore the incumbent Israeli government claims to be conducting a thorough investigation into the matter. The NSO Group also claims that the software cannot be traced back to the spying government. This obviously proved wrong and with every passing day, more damning evidence is surfacing. Even if an inquiry doesn’t close this company, this scandal will ensure that it soon goes out of business.
But for an ordinary smartphone user here is the bottom line. Kiss your privacy goodbye. It is funny how so many people refuse Covid vaccines after listening to baseless conspiracy theories about privacy but happily buy expensive smartphones with open mics and two opposite high-powered cameras, if not more, always connected to the network.
Black Code: Inside the Battle for Cyberspace by Ronald J Deibert does a great job of summarising how privacy in this age is a myth. The number of internet chokepoints like the physical locations called IXPs (internet exchange points) alone provides an infinite number of opportunities to snoop on your data. Until better devices come, cover the cameras and pretend you are not being watched. Or convince yourself that you are not important enough.
Published in The Express Tribune, July 31st, 2021.