Pegasus, the iconic white winged horse of Greek mythology, was almost unknown in India. That name has suddenly become famous, as a piece of crafty spyware that snooped on Indian citizens. On November 1, the Indian Express reported that the Israeli spyware Pegasus was used to snoop on at least two dozen Indian journalists, activists and others, via their phones.
WhatsApp and its parent Facebook were suing the spyware’s creator NSO Group Technologies of Israel in a federal court in California, for hacking 1,400 smartphones via WhatsApp servers. They had traced the source of an extraordinary cyberattack detected and blocked in May 2019, that targeted over 100 human-rights defenders, journalists and others across the world.
Wait, isn’t WhatsApp securely encrypted, end to end? Yes: others can’t snoop on a message en route to your phone. But on your handset, the message is decrypted for you to read. Spyware on your phone can intercept your display or keyboard, camera or mic, and listen to your calls, or to conversations in your room.
Spyware usually depends on you to click a link in a message. Pegasus did not: it exploited a WhatsApp vulnerability (fixed in May) that allowed malicious code to be installed on a handset by simply initiating a video call to it. You wouldn’t even need to answer: the missed call was enough for the spyware to download, install, and “root” your phone, that is, make changes that exploited weaknesses in the Android or iOS software, to override restrictions such as requiring permissions for access to the mic or camera. Pegasus could then do anything you could do, including read messages, turn on camera or microphone, add and remove files, and manipulate data.
In the first few days of November, journalists tracked down over two dozen people who had been contacted by WhatsApp to say their phones were hacked. Activists, journalists, lawyers, an opposition politician. All critics of the government, or lawyers representing critics.
The NSO Group says Pegasus is sold only to government agencies, and is not for use against journalists and rights activists. This “lawful intercept” tool is available to governments, including those with questionable human rights records. Saudi Arabia famously used the spyware to snoop on Saudi dissident Jamal Khashoggi, whom they later killed.
Back in 2016, NSO reportedly charged customers $650,000 to hack 10 devices, in addition to a $500,000 installation fee. So which government on earth would spend that kind of money to snoop on Indian critics, dissidents, journalists? It doesn’t take Sherlock Holmes to figure that the likely candidates are in India.
Totalitarian regimes love spyware like Pegasus that can help them track (and eliminate) dissidents
Our government denied it and lashed out at WhatsApp, demanding to know why it hadn’t informed it earlier. But it had. The website of the government agency for cyber security, CERT-IN, itself showed that. That note, dated May 17, was briefly removed from the website, even as government sources suggested to media that WhatsApp’s note had been way too technical for CERT-IN to understand.
WhatsApp then said it had informed the government a second time, in September, in a letter in plain English, mentioning that Pegasus had targeted 121 Indians. Government officials told media that the timing of all this, and the US lawsuit, were suspicious: just as the Indian government was trying to change the law on intermediaries, to demand the traceability of social media messages.
Why does the government want to trace WhatsApp messages? Because forwarded fake news has caused deaths. Starting with seven men killed in Jharkhand in 2017 over forwarded rumours, over 50
Your data is not your data
India’s IT Act and rules provide that an ‘intermediary’ is not liable for any third-party information or content hosted by it, as long as it cooperates with lawful requests. The government will now revise those rules by next January, because it says intermediaries need to do more to prevent the spread of misinformation.
The government wants WhatsApp and other platforms to monitor messages, trace the original sender of a forwarded message on demand, and take down specified content. But WhatsApp is encrypted. No third party, not even the company itself, can read those messages or intercept calls (without spyware on the handset). That’s why so many use the app even for phone calls, including many in the government and the ruling party.
To comply, WhatsApp will need to abandon encryption. That would open up its 400 million users in India, and indeed its 1.5 billion users worldwide, to potential snooping and harassment by agencies or their staff without the protection of a privacy law. Yes, China does that. It monitors and censors WeChat messages, and dissidents disappear. No, India is not China, though it is often inspired by its neighbour.
It isn’t just WhatsApp: a very wide range of platforms are classified as intermediaries, and for many, other agencies also demand data. The Reserve Bank of India suddenly mandated in April 2018 that all payments data of Indian users be stored only in India, with access given on demand. Without a privacy law, payments data can be weaponised. Rights activist and government critic Teesta Setalvad was attacked in 2014 over her credit card bills, which allegedly showed she had bought “personal items such as sanitary napkins” using foreign funds, a home ministry order revealed in disingenuous detail.
Multiple ministries, agencies and regulators in recent years have demanded control over the data of citizens: its location, access, ownership. And all this with no protection from a privacy law.
That’s right, India does not have a privacy law, two years after the Supreme Court said in a landmark ruling that privacy was a fundamental, constitutional right. It’s work in progress. A 10-member committee submitted a draft privacy bill in July 2018. That bill may be tabled in Parliament in the next session, but we have been hearing that for a year now. The privacy committee’s report was titled ‘A Free and Fair Digital Economy’; only the second line mentioned privacy. No surprise: the digital economy comes first. Privacy is a nuisance to be tackled after that inconvenient Supreme Court ruling.
The draft privacy bill allowed the state sweeping exemptions for data collection and processing, and even mass surveillance. The home ministry wasn’t satisfied, and pushed for even more powers and exemptions for government agencies. So, when we do have a privacy law, government agencies could well be exempt from its controls. And it proposes that all ‘sensitive personal data’ be stored in India, including passwords. Think about your Gmail, Facebook, or web hosting service. How would you feel about your passwords being stored in India, for the State to access on demand? (Actually, passwords aren’t really ‘stored’ anywhere.)
More data brought onshore and made accessible to government agencies will leave the citizen dangerously vulnerable. Imagine if Gmail were forced to store Indian citizens’ emails in India (even if it could find and segregate them). All subject to a simple request from a police station head, using the cops’ favourite tool: a CrPC Section 91 request.
The internet is a global network of networks, with users accessing any information from anywhere. Now we are building up a balkanised new-age, nationalist internet, with borders and boundaries. Where does this stop?
In Uttar Pradesh? Which wants to become the first Indian state to “protect the data of its citizens”, according to a news report, by asking Facebook, Amazon, Twitter, WhatsApp, Flipkart and others to store data of UP residents in data centres in Noida. For easy access by UP police and the state government.
And then there is the vulnerability of the new, poorer, low literacy users. The move from cash to digital payments, a high priority for the Modi government, could hit black money. But it has opened up new internet users to potential scams, schemes and losses.
Then there is Aadhaar, which has led to a wide set of concerns, from data leaking (always from private, non-state actors, says UIDAI), to exclusion and denial of service, to simply doing what it is supposed to do: identify people accurately by the thousands every second. There are states with databases that can let police or government users enter a village name and get, for example, a list of Muslim or Sikh residents. Your faith is a private matter, but we have no privacy law. If we did, the state would likely be exempt. And it would say: your data is not your data.
It is a national asset that the government holds in trust, said a draft national e-commerce policy paper titled ‘India’s Data for India’s Development’ from the Ministry of Commerce in February this year. It was more about “data, the new oil” than about commerce. India’s Economic Survey 2018-19 had a chapter titled ‘Data of the People, By the People, For the People’, which said that data, a public good, could be sold to the private sector. In the Rajya Sabha, the government said in reply to a question on July 8 that it had sold, for Rs 65 crore, access to India’s car registration and driving licence databases, to 87 private and 32 government entities.
That is chicken feed compared to what good data is worth to political parties. With the right algorithms, data can help game democracies. That game has a mascot: Cambridge Analytica, the British political consulting firm that used Facebook and big data and analytics with strategic communication to influence the US elections and the Brexit vote, with promised outcomes.
If fake news had an invaluable role in India’s elections, so did hard data and analytics targeting voters. For instance, the decision by the ruling party to reach out to 220 million beneficiaries of government schemes just before the elections. Can you visualise 220 million little dots of different colours on a big screen, all turning saffron?
Yes, the powerful voter, sine qua non of democracy and never before as vulnerable as now, is one of a billion coloured dots on the digital dashboard of dystopia, waiting for analytics and AI algorithms to sweep across and change its colour.
Prasanto K. Roy is a tech writer and policy consultant