On 20 December 2024, United States District Judge of the Northern District of California Phyllis J Hamilton upheld the allegations levelled by WhatsApp Incorporated (the encrypted messaging service that is part of the larger Meta conglomerate that includes social media platforms like Facebook and Instagram) against NSO Group Technologies Limited (the Israeli manufacturer of the spyware named Pegasus). The court held that NSO Group had exploited a technical loophole and hacked into the WhatsApp accounts inside the personal electronic devices of around 1,400 persons, of which some 300 users are believed to be from India.
The crucial questions are:
whether our country’s Supreme Court will ask the Indian government if it has purchased Pegasus – often described as the most dangerous spyware known to humankind; and
whether this has been misused to spy on the government’s critics and political opponents, as well as certain insiders including Union Ministers.
The US District Court has judged that NSO Group was liable for violating the Computer Fraud and Abuse Act by accessing WhatsApp’s computers without authorization and that the privately-owned Israeli firm had the intent to defraud WhatsApp. The court also ruled that NSO Group had violated California state’s Comprehensive Computer Data Access and Fraud Act.
Judge Hamilton’s 16-page judgement ruled that NSO Group had intentionally destroyed evidence and/or concealed evidence. Her court then imposed sanctions on NSO Group and stated that it would start hearings on damages to be imposed on the company from 24 January 2025 onwards.
On 10 December 2024, a two-judge bench of the Supreme Court of India comprising Justices Surya Kant and Ujjal Bhuyan ordered that the case on alleged misuse of Pegasus by the government, which has been pending from August 2022, be heard on 7 March 2025.
“Several petitions have been filed in the country’s apex court, including one by the writer of this article, alleging that Pegasus has been used in an illegal manner against journalists, lawyers, civil society activists, judges, government officials and politicians, among others.”
Pegasus is the name of a mythical winged horse that figures in Greek mythology. It is considered to be the world’s most powerful cyberweapon, a zero-click-bait spyware that can be misused to listen to, read, and view conversations, text, and audio messages as well as videos over electronic mail and text communications on cellular phones. Unlike in the past when the user of a mobile phone had to click on a link to enable malware to enter the user’s device, a person whose phone has been infiltrated by Pegasus is completely unaware if, how, when and where the phone has been “infected” or “compromised.”
Pegasus has reportedly been deployed to track not just the political opponents of those in power, but also those within reigning governments who rulers want to spy on. It has reportedly been used on heads of government such as France’s President Emmanuel Macron and the former Prime Minister of Pakistan, Imran Khan, and their aides.
Several governments including those in France, Spain, Germany, Poland, Hungary, the United States and even, Israel (when Prime Minister Benjamin Netanyahu’s predecessor Naftali Bennett was in power in Tel Aviv) have formally investigated whether Pegasus was illegally used in their respective countries. But not the government of India. Why?
The alleged misuse of Pegasus in this country and many other countries across the world, including Mexico, Hungary, France, Morocco, Azerbaijan, Turkey, Saudi Arabia, Iran and Pakistan, was first exposed by the Paris-based international non-government organization, Forbidden Stories, which received a data leak of some 50,000 phone numbers that had apparently been infected by Pegasus. Amnesty International joined Forbidden Stories in its investigation.
“These phone numbers were shared with more than 80 journalists working in 17 media organizations in different countries, including The Wire in India. Whereas many of the users of the phones that were allegedly infected were unwilling to have their phones forensically examined, some (including this writer) agreed. The information inside the phones were scrutinized by technical experts in Europe (engaged by Amnesty International) and in Canada (at the Citizen Lab in Toronto). The worldwide investigation took more than three months to complete and its findings were disclosed in July 2021.”
After several petitions were filed in the Supreme Court here, the then Chief Justice of India (CJI) N V Ramana asked the Solicitor General of India Tushar Mehta, who represents the Union government, to answer a simple and straightforward question. CJI Ramana asked if any agency or department of the Indian government (or, for that matter, a state government) had purchased or used Pegasus. Instead of answering “yes” or “no” Mehta said he would not answer the question because national security interests could be jeopardized.
On 27 October 2021, CJI Ramana constituted a three-member committee to examine the issue. The committee was headed by retired Supreme Court judge, Justice R V Raveendran, and comprised Alok Joshi, former Director of the Research and Analysis Wing (R&AW) in the Cabinet Secretariat and a 1976 batch officer of the Indian Police Service; and Sundeep Oberoi, Chairman of the sub-committee of the International Organisation of Standardisation, International Electro-Technical Commission, and its Joint Technical Committee.
The committee was supported by another panel of three technical experts: Naveen Chaudhary, a professor of cybersecurity and digital forensics at the National Forensic Sciences University, Gujarat; Prabaharan P, an expert on cyber security and a professor at the Amrita Vishwa Vidyapeetham University, Kerala; and Ashwin Anil Gumaste, a professor of computer sciences and engineering at the Indian Institute of Technology Bombay.
“A day before CJI Ramana retired on 26 August 2022 he observed in the open court that the Indian government had not cooperated with the panel he had appointed. He wryly remarked: “We will say one sentence – the government did not cooperate with the technical committee on scrutiny of the devices for Pegasus spyware.”
CJI Ramana was presiding over a three-judge bench alongside Justices Surya Kant and Hima Kohli. He opened the voluminous three-part report in court and stated the technical committee had examined 29 phones and found malware in five of them but could not conclusively state if the malware was indeed Pegasus. CJI Ramana said the Raveendran committee’s report would be uploaded on the Supreme Court’s website but that the technical committee’s report would be uploaded after redacting certain portions, as committee members had requested that personal data not be disclosed.
CJI Ramana said the Raveendran committee had recommended changes in the existing law on surveillance and also suggested that the protection of privacy be enhanced “along with the cyber secrecy of the nation.” The CJI said the committee’s recommendations and observations could be made public.
The bench stated: “Such a course of action taken by the respondent – Union of India, especially in proceedings of the present nature which touches upon the fundamental rights of the citizens of the country, cannot be accepted…The mere invocation of national security by the State does not render the Court a mute spectator.”
“Despite CJI Ramana’s public statements, late at night on August 25, 2022, the report was “re-sealed” and kept in the custody of the Secretary General of the Supreme Court. The Leaflet website commented: “The decision to keep the two reports under wraps, despite the CJI’s oral commitment to upload them on the Supreme Court’s website, disappointed those who expected some degree of transparency from the highest court.”
Former CJI Ramana said the case was to be heard after a month. It was not. Two Chief Justices (U U Lalit and D Y Chandrachud) were appointed and then they retired.
Meanwhile, in September-October 2023, several MPs, politicians opposed to the Narendra Modi government and the ruling Bharatiya Janata Party, individuals working in the office of Rahul Gandhi, the leader of the Opposition in the Lok Sabha, and journalists, received an “alert” on their iPhones by Apple that read: “State-sponsored attackers may be targeting your iPhone … These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.”
The government claimed that this alert was part of a global move by Apple.
The Indian Telegraph Act of 1885 specifies the circumstances under which the Union government and state/provincial governments can intercept or tap telephones in the event of a “public emergency” or in the “interest of public safety” as per Section 5(2) of the Act. Such tapping or interception can also take place in the “interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence.”
“There are certain safeguards that protect a citizen from misuse of the interception process. In 1997, in the case People’s Union for Civil Liberties versus the Union of India, the Supreme Court observed that the right to have a telephone conversation in the privacy of one’s home or office is part of each citizen’s right to life and personal liberty (as enshrined in Article 21 of the Constitution of India), which cannot be curtailed except according to the procedure established by law.”
The Court clarified that this section does not confer unguided and unbridled power on investigating agencies to invade a person’s privacy and laid down the following safeguards: The tapping of telephones is prohibited without an authorizing order from the Secretary, Ministry of Home Affairs, government of India or the Home Secretary of the concerned state government, and that this order, unless renewed, shall cease to have authority at the end of two months from the date of issue and cannot remain in operation beyond six months. All copies of the intercepted communication are supposed to be destroyed as soon as their retention is considered not necessary.
In pursuance of the Supreme Court judgement, the Indian Telegraph (First Amendment) Rules, 1999, were framed and notified and a similar notification titled, the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules were notified a decade later in 2009.
These laws and rules may appear adequate but the terms and definitions mentioned are open to interpretation and misuse/abuse by law-enforcing agencies and those in positions of power and authority. That’s essentially the problem with a government that, contrary to its claims, does not want transparent governance or wishes to protect the human rights and civil liberties of its citizens, in the opinion of this writer.
A spokesperson of the Indian National Congress Randeep Singh Surjewala has demanded that WhatsApp disclose the names of the 300-odd Indians whose phones were allegedly infected by Pegasus. But will the multinational technological giant headed by 40-year-old Mark Zukerberg oblige? Your guess could be as good as mine.
Portions of this article have been based on an earlier article titled “Indian Supreme Court’s Silence on Pegasus Legitimizes Spying on Critics” written by the author and published in the website of the Washington D C based Centre for the Study of Organized Hate on 8 December 2024. The link to the article: https://www.csohate.org/2024/12/08/indian-use-of-pegasus/
(The writer is an independent journalist, author, publisher, documentary film-maker, music video director, and a teacher. He can be contacted at paranjoy@gmail.com. His personal website is www.paranjoy.in and his YouTube channel is Paranjoy Online.)