Malware Found In India Supreme Court Snooping InvestigationJustices Say Pegasus Not Confirmed and Government Did Not Cooperate
An investigation into alleged use of Pegasus spyware on Indian citizens identified malware on five of the 29 volunteers who submitted their devices for forensic examination.*
India's Supreme Court ordered the investigation in October 2021 after privacy advocates and opposition parties filed petitions demanding an independent probe into alleged government use of Pegasus. The petition followed reports from international investigative consortium the Pegasus Project that hundreds of prominent Indian politicians and activists may have had their phones targeted for infection with the advanced spyware, made by NSO Group. Among them, political opposition figure Rahul Gandhi (see: Leak of 50,000 Contact Details Tied to Spyware Targeting).
The high court in a Thursday session did not disclose details about the nature of the malware found during the course of the investigation but Chief Justice of India N.V. Ramana said New Delhi did not cooperate with investigators. India's national government previously filed an affidavit with the court asserting it cannot disclose what software or hardware it uses as a "matter of national security."
Union Minister of State for Electronics and Information Technology Rajeev Chandrashekhar told the Indian Express Friday that the central government has a right to intercept communications "in terms of national security to curb terrorism and other activities.”
Gandhi took to Twitter to denounce the government for not being more forthcoming with investigators, saying it shows "they had something deeper to hide."
Sushant Singh, a senior fellow at the non-partisan Center for Policy Research and a former Indian Express journalist allegedly targeted with Pegasus also tweeted criticism. "The simplest and the most direct thing in the Pegasus case was for the Supreme Court to insist on an affidavit from the government whether it bought Pegasus from Israel and used it against Indian citizens. A failure to answer the question should have been taken as a Yes," he wrote.
The investigation's conclusion comes at a moment of heightened scrutiny of commercial spyware apps with intelligence agency-level capabilities, and in particular NSO Group. Backlash and declining revenue led the Israeli company earlier this month to lay off more than one in ten of its employees while it also fights lawsuits from Facebook and Apple (see: Seeking a Buyer, NSO Group Announces Fresh CEO Plus Layoffs).
Estimates are that at least 30 vendors of advanced spyware targeting mobile users now exist worldwide. The NSO Group's Pegasus spyware is allegedly capable of infecting a smartphone without the user having to click on a malicious link, forcing defenders to take potentially extreme measures to make devices less vulnerable (see: Apple Lockdown Mode Aims to Prevent State-Sponsored Spyware).
The three-member Supreme Court panel skimmed through the report submitted by the committee, which was overseen by former Justice R.V. Raveendran. The panel said the reports consists of three sections, says Anandita Mishra, an associate litigation counsel and part of the Internet Freedom Foundation group that represents five Indian journalists allegedly targeted with Pegasus.
The first two parts relate to investigation. The third section contains observations recorded by Raveendran, Mishra tells Information Security Media Group.
Justices said the report contains some critical information that can be detrimental to national security, Mishra says.
In response, counsel for the petitioner Rakesh Dwivedi, requested the Ramana-led bench to make redacted copies of the report available to petitioners. The court said it will examine what parts of the technical committee report might be made public. The court did not set a timeline for such a review but the next hearing will take place in four weeks.
The committee devised a three-pronged approach that includes: inputs from petitioners, victims and experts; isolating the malware and devising techniques to identify it; and securing necessary material from the likes of Amnesty International, NSO group, Apple, and other experts who have worked on previous Pegasus investigations elsewhere.
The committee said it did not have a controlled sample of the malware but was writing its own code that could "be used to identify specific aspects of the malware beyond what is already in the public domain.
The Supreme Court did reveal recommendations made by the committee. Those are:
- Amending the existing surveillance law to incorporate right to privacy;
- Enhancing cybersecurity laws;
- Taking steps to ensure Indian citizens are not spied upon and their privacy is respected;
- Establishing a mechanism to raise grievances related to surveillance and privacy;
- Set up an independent agency to investigate the cyberattacks.
The government of Indian Prime Minister Narendra Modi unexpectedly withdrew earlier this month a personal data protection bill in the works shortly after the Supreme Court in 2017 declared privacy to be a fundamental right under India's constitution. Government officials have said they will instead propose a "comprehensive framework" for tech regulation that includes privacy (see: India Government Withdraws Data Protection Bill).
*Correction Aug. 29, 2022 08:25 UTC: Corrects the number of devices infected with malware.