New Delhi: A leaked database of thousands of phone numbers allegedly listed by several government clients of an Israeli surveillance technology firm includes more than 300 verified Indian mobile phone numbers, including those used by ministers, officials of opposition, journalists, the legal community, businessmen, government officials, scientists, rights activists and others, according to a survey by Thread and 16 media partners.
Forensic testing as part of this project on a small sample of phones associated with these numbers revealed clear signs of Pegasus spyware targeting on 37 phones, including 10 Indian phones. Without subjecting a phone to this technical analysis, it is not possible to conclusively state whether it has witnessed an attempted attack or has been successfully compromised.
NSO Group, the Israeli company that sells Pegasus around the world, says its customers are confined to “controlled governments”, which are said to number 36. Although it refuses to identify its customers, this claim rules out the possibility that ” a private entity in India or abroad is responsible for infections that Thread and its partners confirmed.
The leaked database was viewed by Paris non-profit media Forbidden Stories and Amnesty International and shared with The Wire, Le Monde, The Guardian, Washington Post Die Zeit, Suddeutsche Zeitung and 10 other Mexican, Arab and European press organizations as part of a collaborative investigation called the âPegasus Projectâ.
Forbidden Stories, which accessed the data, says it includes records of phone numbers selected as targets by NSO’s customers, a claim the company has formally denied while conceding that its customers could have used those numbers at ” other purposes “.
The majority of the numbers identified in the list were geographically concentrated in 10 groups of countries: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the Emirates. United Arabs.
Each of these countries has been identified in the past by experts at Citizen Lab – a University of Toronto-based digital surveillance research organization that laid the groundwork for WhatsApp’s 2019 lawsuit against the NSO group – as having has been a region of interest for Pegasus operators.
Working with Amnesty International’s tech lab, a team of more than 80 journalists coordinated by Forbidden Stories sought to identify and verify the people to whom these numbers belong, and then perform a forensic examination of the phones they have. used during the data period, which in the Indian case was approximately between mid-2017 and mid-2019.
The Indian Telegraph Act and the Information Technology Act prescribe procedures to be followed for lawful interception. Different countries have different laws, but the use of hacking to provide surveillance spyware in India by any individual, private or official, is an offense under the Computer Act.
Thread will unveil the names she was able to verify in different categories, step by step with her partners over the next few days.
The number of people in the database includes more than 40 journalists, three major opposition figures, a constitutional authority, two sitting ministers in Narendra Modi’s government, current and former heads and officials of security organizations. and dozens of businessmen.
The presence of a number in the database indicates its likely selection as a surveillance target, but whether a phone has actually been hacked and infected can only be established through a forensic examination of the device – more easily if l The instrument in question is an iPhone.
Among the numbers in the Project Pegasus database is one that has been registered in the name of a sitting Supreme Court judge. however, Thread was unable to confirm whether the number, which the judge dropped before being added to the list, was still being used by him for WhatsApp and other encrypted messaging apps when the number was selected. Until we are able to establish the actual user of the number during the period in question, we withhold the judge’s name.
Thread and its partners will also not reveal the identity of names that appear to be the subject of counterterrorism or state-to-state espionage, except for 13 heads of state or government around the world.
Committed to the right to privacy, says Indian government
In a response to detailed questions sent by project partners Pegasus to the Prime Minister’s Office earlier this week, the Department of Electronics and Information Technology said, âIndia is a strong democracy that is commits to guaranteeing the right to privacy to all its citizens as a fundamental right “and that” allegations of government surveillance on specific persons have no concrete basis or truth associated with them “.
Without specifically denying that Pegasus is used by the government, MEITY’s response stated: âEvery case of interception, surveillance and decryption is approved by the appropriate authority … The procedure therefore ensures that any interception, surveillance or decryption of all information via any computer resources are carried out in accordance with due process.
Indeed, the lawful interception procedure implies not only a written authorization and limited in time in each case, but also the use of the intermediary in telecom or IT resources, which is supposed to allow the interception, and does not cover not the activities prohibited by Article 43 of the Law on Information Technology under the definition of “piracy”.
Hacking an individual’s smartphone is a necessary step to subject an individual to the surveillance of spyware such as Pegasus.
NSO says data “may be” linked to its customers
Although the NSO Group insists the leaked database is “not a list of numbers targeted by governments using Pegasus,” he said. Thread and Project Pegasus partners in a letter from his lawyers that he had “good reason to believe” that the leaked data “may be part of a larger list of figures that could have been used by NSO Group clients for other purposes “.
When asked what these “other purposes” might be, the company changed its tactics and claimed that the leaked tapes were based on “open and publicly available sources such as the HLR Lookup service” – and that ‘they had no “impact on the client’s list”. targets of Pegasus or any other NSO product â.
HLR lookup services are used to test whether a phone number of interest is currently on a network.
If the leaked numbers represent the output of an HLR search service, as NSO itself suggests, the fact that data from countries known to have been a region of interest for Pegasus operators in the past raises two questions: were they all generated by the same service provider? Were they all grouped together and kept in one place for a common purpose?
While HLR research has obvious business relevance to telemarketers, telecommunications security experts say it may well be an integral part of spyware-based surveillance. “This is the most important reason you would use HLR research,” Karsten Nohl, chief scientist for Security Research Labs in Berlin, told the Pegasus Project. âYou would know the phone is onâ – and therefore available for hacking.
NSO disputes the suggestion that Pegasus could have been used to target 50,000 people, implying that the targeting scale on all government clients is around 5,000 per year.
The sensitivity of the information involved – governments that select high-profile individuals for potential hacking and surveillance would hardly want the details or metadata of their targeting known to a foreign government or private entity – further adds to questions the database leaked and NSO’s firm denial that this had anything to do with the Pegasus increase.
None of the governments concerned are urged to shed light on the matter. However, in countries governed by the rule of law, the possibility of a massive and illegal surveillance program being used to target prominent figures from all walks of life – including political opponents and journalists – poses a clear threat to democracy. and will increase demand for an independent probe.
Read coverage of The Wire as part of Project Pegasus here.