A spyware is any malicious software designed to enter your computer device,
gather your data, and forward it to a third-party without your consent. Pegasus,
developed by NSO Group, is perhaps the most powerful spyware ever created. It is
designed to infiltrate Smartphone's - Android and iOS - and turn them into
The Israeli company, however, markets it as a tool to
track criminals and terrorists - for targeted spying and not mass surveillance. NSO Group sells the software to governments only. A single licence, which can be
used to infect several Smartphone's, can cost up to Rs 70 lakh. According to a
2016 price list, NSO Group charged its customers $650,000 to infiltrate 10
devices, plus an installation fee of $500,000.
Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm, which
helps spies hack into phones. In 2019, when WhatsApp sued the firm in a U.S.
court, the matter came to light. In July 2021, Amnesty International, along with
13 media outlets across the globe released a report on how the spyware was used
to snoop hundreds of individuals, including Indians.
While the NSO claims its
spyware is sold only to governments, none of the nations have come forward to
accept the claims. Human rights and press freedom activists are up in arms about
a new report on NSO Group, the notorious Israeli hacker-for-hire company. The
Pegasus Project, an investigation by an international media consortium, has
revealed that more than 50,000 phone numbers were targeted by a spyware created
by NSO Group, an Israeli software company.
On the list were 300 verified phone
numbers in India, including those of ministers, opposition leaders, a sitting
judge, more than 40 journalists, and several activists and business persons.
The report, by a global media consortium, expands public knowledge of the target
list used in NSO's military-grade spyware. According to the report, that now not
only includes journalists, rights activists and opposition political figures,
but also people close to them, the groups have decried the virtual absence of
regulation of commercial surveillance tools.
A number of reports on Pegasus Spyware in India indicate that at least 1,000
Indian phone numbers are in a list of potential targets of surveillance using
the Pegasus spyware. An Israeli company, the NSO Group, sells the Pegasus
spyware to vetted governments. The evidence is strong that Indian citizens
were indeed targets of a vicious and uncivil surveillance campaign by a
government entity, Indian or foreign.
What can it do?
Once installed on a phone, Pegasus can intercept and steal more or less any
information on it, including SMS, Contacts, Call History, Calendars, Emails and
Browsing Histories. It can use your phone's microphone to record calls and other
conversations, secretly film you with its camera, or track you with GPS.
Brief history of Pegasus 2016:
Researchers at Canadian cyber security organisation The Citizen Lab first
encountered Pegasus on a Smartphone of human rights activist Ahmed Mansoor.
The Citizen Lab published a report that identified 45 countries in which Pegasus
was being used. As with the latest revelations, the list included India.
WhatsApp revealed that journalists and human rights activists in India had been
targets of surveillance by operators using Pegasus.
The Pegasus Project, an international investigative journalism effort, revealed
that various governments used the software to spy on government officials,
opposition politicians, journalists, activists and many others. It said the
Indian government used it to spy on around 300 people between 2017 and 2019.
How does it work?
Pegasus exploits undiscovered vulnerabilities, or bugs, in Android and iOS. This
means a phone could be infected even if it has the latest security patch
A previous version of the spyware - from 2016 - infected smart phones using a
technique called spear-fishing: text messages or emails containing a malicious
link were sent to the target. It depended on the target clicking the link-a
requirement that was done away with in subsequent versions.
By 2019, Pegasus could infiltrate a device with a missed call on WhatsApp and
could even delete the record of this missed call, making it impossible for the
user to know they had been targeted. In May that year, WhatsApp said Pegasus had
exploited a bug in its code to infect more than 1,400 Android phones and iPhones
this way, including those of government officials, journalists and human rights
activists. It soon fixed the bug. Pegasus also exploits bugs in iMessage, giving
it backdoor access to millions of iPhones. The spyware can also be installed
over a wireless transceiver (radio transmitter and receiver) located near a
All about the Pegasus Project
Pegasus is a type of malware classified as a spyware. Pegasus enables law
enforcement and intelligence agencies to remotely and covertly extract data
from virtually any mobile devices
The Spyware Pegasus can gain access to devices without the knowledge of users.
After this, it can gather personal information and relay it back to whoever is
using the software to spy.
A zero-click attack helps spyware like Pegasus gain control over a device
without human interaction or human error. Pegasus can infect a device without
the target's engagement or knowledge. So, all awareness about how to avoid a
phishing attack or which links not to click are pointless.
The Israeli firm NSO Group (set up in 2010) developed the Pegasus spyware. Since
then, NSO's attack capabilities have become more advanced.
What really does Pegasus comprises of?
Upon installation, Pegasus contacts the attacker's Command and Control (C&C)
servers to receive and execute instructions and send back the target's private
data. This data can include passwords, contact lists, text messages, and live
voice calls (even those via end-to-end-encrypted messaging apps).
The attacker can control the phone's camera and microphone, and use the GPS
function to track a target.
To avoid extensive bandwidth consumption that may alert a target, Pegasus sends
only scheduled updates to a C&C server. The spyware can evade forensic analysis
and avoid detection by anti-virus software. Also, the attacker can remove and
deactivate the spyware, when and if necessary.
Pegasus: The beginnings
According to a profile of the NSO Group published by the French non-profit
Forbidden Stories, which has published the 'Pegasus Project' along with its
media partners, the company were started by Shalev Hulio and Omri Lavie, friends
who started out with a product placement start up Media and in the early 2000s.
The startup was all but washed out by the recession of 2008, but Hulio and Lavie
found an opportunity in the 2007 launch of Apple's iPhone. It marked a watershed
moment - people began to use handheld devices for more than just calling and texting at scale.
Hulio and Lavie launched Communitake, Forbidden Stories reported, which allowed
users to take control of any Smartphone from a distance. This was originally
meant for mobile operators, who would want to take control of devices to provide
tech support. But as the use of smart phones spread and the need arose for
providing security features like encrypted messaging services, this presented a
challenge for law enforcement and intelligence agencies.
So far, intelligence agencies would intercept a message or call while it was in
transit on networks of telecom companies. But encrypted services meant that
without the encryption key, they couldn't access the message anymore - unless
they accessed the device itself and decrypted the communication.
Spy - Tech and Zero - Click
From here on, NSO started focusing on building Pegasus as a spying solution for
intelligence agencies and police forces. The narrative they built was that
government agencies would use it to tackle terrorism, drug-trafficking, etc. But
its first known state client - Mexico - then equipping itself with
cyber-espionage tools to fight drug trafficking, went beyond the script.
Forbidden Stories reported that more than 15,000 numbers were selected for
targeting by Mexican agencies between 2016 and 2017. Among these were those of
people close to then candidate Andres Manuel Lopez Obrador, now Mexican
President, besides journalists, dissidents, their colleagues and family members.
This catapulted NSO Group to a leader in the spy-tech industry, leaving behind
then heavyweights such as European companies Hacking Team and Fin Fisher.
Until then, Pegasus was utilising attack vectors such as malicious links in
e-mails and SMS. Once clicked, the link would install the spyware, giving the
hacker complete access to the device without the target's knowledge. Then, it
leapfrogged to zero-click infections.
Such infections, used in WhatsApp and iMessage hacks, do not require any
intervention from the end-user. On WhatsApp, a missed call on the voice call
feature would insert a malicious code into the device. With iMessage, a short
message preview did the trick.
Pegasus Spyware Earlier Controversy
Researchers discovered the earliest version of Pegasus in 2016. This version
infected phones through what is called spear-phishing text messages or emails
that trick a target into clicking on a malicious link.
In 2019, WhatsApp blamed the NSO Group for exploiting vulnerability in its
video-calling feature which secretly transmitted malicious code in an effort to
infect the victim's phone with spyware without the person even having to answer
In 2020, a report showed government operatives used Pegasus to hack phones of
employees at Al Jazeera and Al Araby.
Recent Pegasus Spyware Attacks in India
Human Rights activists, journalists and lawyers around the world have been
targeted with phone malware sold to authoritarian governments by an Israeli
surveillance firm. Indian ministers, government officials and opposition leaders
also figure in the list.
In India, several opposition leaders including Rahul Gandhi were on the leaked
potential targets' list. Smartphones of Politicians, Journalists were hacked for
gathering confidential information. This is the first time in the history of
this country that all pillars of our democracy - Judiciary, Parliamentarians,
Media, Executives and Ministers - have been spied upon.
The Indian government has denied any wrong doing or carrying out any
unauthorised surveillance. However, the government has not confirmed or denied
whether it has purchased or deployed Pegasus spyware.
Issues with Government's surveillance
In 2012 in Himachal Pradesh, the new government raided police agencies and
recovered over a lakh phone conversation of over a thousand people, mainly
political members, and many senior police officials, including the Director
General of Police (DGP), who is legally responsible for conducting phone taps in
In 2013, India's current Home Minister Amit Shah was embroiled in a controversy
dubbed Snoopgate, with phone recordings alleged to be of him speaking to the
head of an anti-terrorism unit to conduct covert surveillance without any legal
basis (as there was no order signed by the State's Home Secretary which is a
legal necessity for a phone tap).
The UPA government in 2009 said that the CBDT had placed a PR professional,
under surveillance due to fears of her being a foreign spy. Later on, the CBDT
did not prosecute the person.
Such examples of unlawful surveillance which seem to be for political and
personal gain are antithetical to the basic creed of democracy. Consequently,
they also bring up the need for ensuring that the surveillance is necessary and
Legislations on Surveillance
The laws authorizing interception and monitoring of communications are:
- Section 92 of the Criminal Procedure Code (CrPC)
- Rule 419A of the Telegraph Rules
- The rules under Sections 69 and 69B of the IT Act
The Telegraph Act
Section 5(2) of the Telegraph Act of 1885 provides the basis for interception of
telephone calls, or phone-tapping as it is colloquially called. The
constitutionality of this was challenged in the Supreme Court by the People's
Union for Civil Liberties, and in a judgment dated December 18, 1996, the
Supreme Court upheld the constitutionality of the provision, subject to certain
procedural safeguards which were later codified in Rule 419A of the Telegraph
The suggestion that since Phone - Tapping is permitted under Section 5 of the
Telegraph Act, this means Pegasus can also be procured and put to use under the
said provision, is a lazy analysis not only of the law but also of Pegasus,
which is by no means a mere tool for the interception of messages.
The scope of Section 5(2) of the Telegraph Act is to prevent transmission, carry
out interception and ensure disclosure of message(s).
The term 'message' is defined in Section 3(3) of the Telegraph Act to mean:
communication sent by telegraph, or given to telegraph officer to be sent by
telegraph or to be delivered.
Thus, at best, Section 5(2) can be resorted to in order to authorise
interception of messages including multimedia messages sent (or received) by a
device to (or from) another device. It does not envisage constant surveillance
by the electronic device including of all multimedia files which were created in
the device and not sent by telegraph to anyone else, nor does it envisage
recording people's real-life interactions that take place in the vicinity of
their device but not through it.
This concept is better understood once the term interception has
Information Technology Act
The Minister of Electronics and Information Technology, Ashwini Vaishnaw, on
July 19, 2021, stated in parliament with regard to the allegations of the use of
Pegasus that, In India, there is a well established procedure through which
lawful interception of electronic communication is carried out
This begets the question what is the scope of the term interception?
The answer to this lies in Rule 2(f) of the Information Technology (Procedure
for Safeguards for Interception, Monitoring and Decryption of Information)
Rules, 2009, which were passed in furtherance of Section 69 of the IT Act which
provides power to issue directions for interception, decryption or monitoring of
Interception is defined to mean the acquisition of the contents of any
information so as to make the contents of the information available to any
person other than the sender, recipient or intended recipient of the
communication. Thus, it is amply clear that 'interception' can only be done of
the contents of information that forms part of some 'communication' through a
computer resource, and not of actions and conversations that simply happen to be
near a computer resource.
In simpler words, this implies that lawful interception means that the
government can have eyes and ears on messages and media shared through
electronic devices, but it cannot weaponries the device itself to be an eye and
an ear to what happens around it as opposed to in it.
Intercepting messages does not mean turning phones into spy-cams
In effect, interception of messages and information under the Telegraph Act and
the IT Act only applies to 'communication' made through telegraph or computer
resources, which is very different from the wide arsenal of surveillance that is
offered by Pegasus once it infects a phone.
The use of someone's mobile phone's microphone or camera to record her actions
or conversations which take place in their daily lives, and not over their
electronic device, is thus not authorised by either Section 5(2) of The
Telegraph Act or Section 69 of the Information Technology Act.
To argue the contrary is to fundamentally fail in understanding the difference
between surveillance by lawful interception and illegal surveillance by unlawful
hacking of electronic devices.
The law allows the state, under certain circumstances, to keep an eye on our
devices, but that does not permit the state to turn the device itself to its
eyes to record things and actions that do not use the electronic device. It is
that jump from surveillance over electronic devices to surveillance by
electronic devices which makes Pegasus alien to the scheme of the Telegraph Act
and the IT Act, and it travels from the field of interception to that of illegal
hacking, which attracts the penalties listed under Chapter IX of the IT Act.
In light of the Pegasus spyware scandal, what are the checks and balances to
prevent abuse of procedures?
An international group of news publications are reporting that a spyware known
as Pegasus has been used to spy on Politicians, Journalists, and Activists,
primarily in 10 Countries. The need for parliamentary debates is rooted not only
in the desire to iron out creases in draft legislation, but also to address
issues of public importance and inform citizens on state policies and clarify
issues that may emerge from time to time.
It is precisely this function which
parliament failed to fulfil, for one reason or another, in the abruptly
concluded Monsoon Session. The Modi Government chose not to make clear and
categorical statements regarding the serious allegations of the use of Pegasus
Spyware to snoop on the Opposition, Journalists and Human Rights activists.
While the government is suggesting that any public discussion on the use of
Pegasus may pose a threat to national security the CJI has said that the court
will be mindful of this that in itself does not prevent a discussion on the
legal regime of surveillance in India and whether the use of Pegasus would fall
within or without the confines of the law.
Simply put, spyware like Pegasus cannot be lawfully used in India as it is not
only unconstitutional but also does not have legal sanction.
How can we fight terrorists then?
It cannot be argued against lawful interception of messages and information sent
or communicated over electronic devices.
The law clearly allows for that, and that gives ample ammunition to the
intelligence and law enforcement agencies to track terror activity. Any messages
or information sent from one device to another can be lawfully intercepted by
state agencies. Thus, if any terror outfit sends any messages or information to
one of its sleeper cells, such messages can be intercepted under the law without
even resorting to use of deeply pervasive software like Pegasus.
The use of Pegasus allows interception and much more, and it is in this domain
of what more Pegasus offers its clients which are of alarm and concern, and
which travels far beyond the realm of lawful interception carried out in the
interest of the State. The argument of need for Pegasus to intercept terrorism
related messages is premised on the notion that lawful interception cannot be
done by any other means, and that the use of Pegasus will be limited to
interception only and nothing more, although there is no way to presently gauge
its use and keep a check.
The government of India has not placed any material in the public domain to
justify either of these two notions.
Incompatible with India's constitutional democracy
One of the essential limbs of the test of proportionality is that state action
must have a legitimate aim which is permissible in a democracy, and that it must
also be the least invasive means to achieve the state's goal.
The use of a Pegasus-like spyware which provides remote access not only to the
electronic device but also to the life and activity around the device, exposes
journalists and political opponents of the government and leaves them vulnerable
to excesses. One can imagine that if the government has eyes and ears on the
whereabouts of all potential whistleblowers, then not enough whistles will get
blown, which is detrimental to a functional democracy.
A deafening silence of state-controlled media would overpower public narratives
and dissenting voices would find it impossible to exercise their constitutional
rights if all their conversations and actions are under constant watch and
scrutiny, even if it is carried out in the purported privacy of one's home.
A deeply pervasive spyware like Pegasus, which effectively turns an electronic
device into a spy cam, can never be permitted as an investigative or security
tool which is deployed in use against India's own citizens be it journalists,
social activists, politicians, lawyers, court officers, judges, or victims of
sexual harassment at the hands of mighty men.
The distinction between intercepting messages or information sent over
electronic devices vis-a-vis an electronic device working as a spy cam to record
one's actions and communications which were not carried out through the said
device, is critical to the issue of illegality of Pegasus.
The law may permit the state to look through an individual's phone for
information, but it definitely does not permit the state to constantly look at
the individual through his phone.
For instance, if I am wondering somewhere, and send a picture of it to my friend
through my phone, the interception if carried out for one of the legitimate
grounds listed under Section 69 of the IT Act would result in the state learning
that I sent a picture of myself wondering to my friend. However, if I don't
wonder and take no picture of it and tell nobody, yet if the state uses my
mobile which was placed with me at every instance to turn the camera on through
Pegasus and Record me wondering, then such a recording is not lawful
interception but illegal hacking which breaches the fundamental core of my
privacy and my intimate life.
This example would hold true for anything one does without using their
electronic devices, which the state captures an image, audio or video of, using
Pegasus on people's phones. Concepts of spousal privilege and lawyer-client
confidentiality, the right to silence and the right against self-incrimination,
would all stand in jeopardy under the glare of Pegasus.
The inner core of privacy, intimacy and human dignity would stand shredded if
Pegasus was sanctioned by law, and that is why it is argue that such a software
would not be constitutionally compatible in India, even if new legislation is
attempted to be brought in to protect it, as it would be an unreasonable and
disproportionate restriction on the fundamental right to privacy and human
The Pegasus Project is a collaborative investigation that involves more than 80
journalists from 17 news organizations in 10 countries coordinated by Forbidden
Stories with the technical support of Amnesty International's Security Lab.
Who can conduct Surveillance under Indian Law?
A limited number of agencies are provided powers to intercept and monitor. In
2014, the Ministry of Home Affairs told Parliament that nine central agencies
and the DGPs of all States and Delhi were empowered to conduct interception
under the Indian Telegraph Act.
In 2018, 9 central agencies and 1 State agency were authorized to conduct
intercepts under Section 69 of the IT Act. The Intelligence Organizations Act,
which restricts the civil liberties of intelligence agency employees, only lists
four agencies. However, the RTI Act lists 22 agencies as intelligence and
security organizations established by the central government that are exempt
from the RTI Act.
K.S. Puttaswamy judgment, 2017 regarding Surveillance
The K.S. Puttaswamy judgment, 2017, made it clear that any invasion of privacy
could only be justified if it satisfied three tests:
- The restriction must be by law
- It must be necessary (only if other means are not available) and
proportionate (only as much as needed)
- It must promote a legitimate state interest (e.g., national security)
The judgement held that privacy concerns in this day and age of technology can
arise from both the state as well as non-state entities. As such, a claim of
violation of privacy lies against both of them.
The Court also held that informational privacy in the age of the internet is not
an absolute right and when an individual exercises his right to control over his
data, it may lead to the violation of his privacy to a considerable extent.
It was also laid down that the ambit of Article 21 is ever-expanding due to the
agreement over the years among the Supreme Court judges. A plethora of rights
have been added to Article 21 as a result.
The court stated that Right to Privacy is an inherent and integral part of Part
III of the Constitution that guarantees fundamental rights. The conflict in this
area mainly arises between an individual's right to privacy and the legitimate
aim of the government to implement its policies. Thus, we need to maintain a
balance while doing the same.
Various recommendations in the past regarding Surveillance
In 2010, then Vice-President called for a legislative basis for India's agencies
and the creation of a standing committee of Parliament on intelligence to ensure
that they remain accountable and respectful of civil liberties.
The Cabinet Secretary in a note on surveillance in 2011 held that the Central
Board of Direct Taxes having interception powers was a continuing violation of a
1975 Supreme Court judgment on the Telegraph Act.
In 2013, the Ministry of Defence-funded think-tank published a report which
recommended that the intelligence agencies in India must be provided a legal
framework for their existence and functioning; their functioning must be under
Parliamentary oversight and scrutiny.
In 2018, the Srikrishna Committee on data protection noted that post the K.S.
Puttaswamy judgment, most of India's intelligence agencies are potentially
unconstitutional. This is because they are not constituted under a statute
passed by Parliament - the National Investigation Agency being an exception.
Written By: Bhaswat Prakash, Student at Ajeenkya DY Patil University, Pune