Saturday, April 13, 2024

Line-by-line verification of IT Minister’s statement on Pegasus hacks

Ashwini Vaishnaw

In this piece, Internet Freedom Foundation, a New Delhi based NGO that conducts advocacy on digital rights and liberties, has conducted a line-by-line verification of the Minister for Electronics and Information Technology, Ashwini Vaishnaw’s statement on the Pegasus revelations, made in the Lok Sabha on July 19, 2021.

Background

A report dated July 18, 2021, published by The Wirerevealed how the Israeli organisation NSO Group’s spyware, Pegasus, was able to successfully compromise the devices of several Indian citizens, including journalists like former Indian Express journalist Sushant Singh, former EPW editor Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu. Further reports revealed that the potential target of the attack included politicians like Rahul Gandhi, Ashwini Vaishnaw and the woman who accused the former CJI, Ranjan Gogoi of sexual harassment.

On July 19, 2021, the Minister of Electronics and Information Technology, Ashwini Vaishnaw, presented his statement in response to the Pegasus Project revelations in the Lok Sabha, which was also presented in Rajya Sabha. This statement follows a previous statement made by then Minister of Electronics and Information Technology, RS Prasad, in 2019 wherein he had also stated that “no unauthorised interception has been done“.

Below is the full text of Minister’s statement:

“Hon’ble Speaker Sir,

I rise to make a statement on reported use of spyware Pegasus to compromise phone data of some persons. A highly sensational story was published by a web portal yesterday night. Many over the top allegations have been made around this story.

Hon’ble Speaker Sir, the press reports have appeared a day before the Monsoon session of Parliament. This cannot be a coincidence.

In the past, similar claims were made regarding the use of Pegasus on WhatsApp. Those reports had no factual basis and were categorically denied by all parties, including in the Supreme Court. The press reports of 18th July 2021 also appear to be an attempt to malign the Indian democracy and its well established institutions.

We cannot fault those who haven’t read the news story in detail. And I request all Hon’ble Members of the House to examine the issues on facts and logic.

The basis of this report is that there is a consortium which has got access to a leaked database of 50,000 phone numbers. The allegation is that individuals linked to these phone numbers were being spied upon.

However, the report says that:

The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack. Without subjecting a phone to this technical analysis, it is not possible to conclusively state whether it witnessed an attack attempt or was successfully compromised. Therefore, the report itself clarifies that presence of a number does not amount to snooping.

Hon’ble Speaker Sir, let us examine what NSO, the company which owns the technology has said. It said:
NSO Group believes that claims that you have been provided with, are based on misleading interpretation of leaked data from basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.

Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies as well as by private companies worldwide. It is also beyond dispute that the data has nothing to do with surveillance or with NSO, so there can be no factual basis to suggest that a use of the data somehow equates to surveillance.

NSO has also said that the list of countries shown using Pegasus is incorrect and many countries mentioned are not even our clients. It also said that most of its clients are western countries.

It is evident that NSO has also clearly rubbished the claims in the report.

Hon’ble Speaker Sir, let us look at India’s established protocol when it comes to surveillance. I’m sure my colleagues in the opposition who have been in Government for years would be well aware of these protocols. Since they have governed the country, they would also be aware that any form of illegal surveillance is not possible with the checks and balances in our laws and our robust institutions.

In India, there is a well established procedure through which lawful interception of electronic communication is carried out for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interceptions of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act,1885 and section 69 of the Information Technology Act, 2000.

Each case of interception or monitoring is approved by the competent authority. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, monitoring and Decryption of Information) Rules, 2009.

There is an established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of state governments, such cases are reviewed by a committee headed by the Chief Secretary concerned. The law also provides an adjudication process for those adversely affected by any incident.

The procedure, therefore, ensures that any interception or monitoring of any information is done as per due process of law. The framework and institutions have withstood the test of time.

Hon’ble Speaker Sir, in conclusion, I humbly submit that:

The publisher of the report states that it cannot say if the numbers in the published list were under surveillance.

The company whose technology was allegedly used has denied these claims outrightly.

And the time-tested processes in our country are well-established to ensure that unauthorised surveillance does not occur.

Hon’ble Speaker Sir, when we look at this issue through the prism of logic, it clearly emerges that there is no substance behind this sensationalism.

Thank you Hon’ble Speaker Sir.”

Verification of the Statement

  1. On the factual and credible standing of the Pegasus reports

Ashwini Vaishnaw: Those reports had no factual basis and were categorically denied by all parties, including in the Supreme Court. The Press reports of 18th July, 2021 also appear to be an attempt to malign the Indian democracy and its well established institutions.

Verification: While the Minister has not specified which Supreme Court matter he is referring to, the use of Pegasus on WhatsApp was brought up recently before the Supreme Court in Binoy Viswam v. RBI and others, where the counsel for WhatsApp denied such claims. No government official or agency denied the claims before the Supreme Court. Further, the reports do not name the Indian government or any government official. The report only points out that “NSO Group, the Israeli company which sells Pegasus worldwide, says its clients are confined to “vetted governments”, believed to number 36. Though it refuses to identify its customers, this claim rules out the possibility that any private entity in India or abroad is responsible for the infections which The Wire and its partners have confirmed.”

2. On the number of individuals who were spied upon

AV: “The allegation is that individuals linked to these phone numbers were being spied upon.”

Verification: The report states that over 300 verified Indian mobile telephone numbers are included in the leaked database. Out of these, in only 10 phones were clear signs of targeting by Pegasus spyware revealed.

3. On whether snooping took place

AV: “The report itself clarifies that presence of a number in the list does not amount to snooping”

Verification: This statement is true but it fails to mention that in the same report contains the results of the technical analysis conducted by Amnesty International’s Security Lab which has found evidence that Pegasus was used to target 10 phones.

4. On unverified statements attributed to the NSO Group

AV: “Now let us examine what NSO, the company which owns the technology, has said. I quote:

“NSO‍ Group‍ believes‍ that‍ claims‍ that‍ you‍ have‍ been‍ provided‍ with‍ are based on misleading interpretation of leaked data from basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products. Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies as well as by private companies worldwide. It is beyond dispute that the data has nothing to do with surveillance or with NSO. So, there can be no factual basis to suggest that use of the data somehow equates to surveillance.””

Verification: The last two sentences of the statement above cannot be verified through media reports.

5. On whether there are checks and balances in place to protect Indian citizens against such snooping

AV: “Any form of illegal surveillance is not possible with the checks and balances in our laws and our robust institutions. In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States.”

Verification: Surveillance by its very nature is illegal. Surveillance measures undertaken by the government, whether authorised by law or not, violate the fundamental rights of citizens including their right to free speech and right to free association under Article 19, and right to privacy under Article 21. All decisions relating to surveillance are taken within the Executive branch of government, and there are no parliamentary or judicial checks and balances. Surveillance of computer resources under the IT Act is not limited to national security, occurrence of public emergency or in the interest of public safety. In fact, no reasons are required to be provided for ordering surveillance under the IT Act.

6. On the competent authority responsible for deciding who may be surveilled and why

AV: “Each case of interception or monitoring is approved by the competent authority.”

Verification: “The “competent authority” is an officer of the Executive branch of the government. The existence of a “competent authority” by itself does not provide Indians any protections against illegal surveillance.”

7. On the oversight mechanism for surveillance on the people of India

AV: “There is a very-well established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of a State Government, such cases are reviewed by a committee headed by the Chief Secretary concerned.The law also provides an adjudication process for those people who are adversely affected by any such incident.”

Verification: The review committee consists of officers of the Executive branch of the government. The oversight committee, to enable a working separation of powers, must consist of other branches of government, i.e. the legislative and the judiciary. Further, neither the IT Act, nor the 2009 Interception Rules provide a grievance redressal mechanism for surveilled persons. Further, due to the strict confidentiality provisions, surveilled persons will find it impossible to ascertain and prove whether they were being surveilled.

8. On the longevity of legal provisions for surveillance in the country

AV: “The framework and institutions have withstood the test of time.”

Verification: Several writ petitions are pending before the Supreme Court challenging the constitutional validity of Section 69 of the IT Act and the 2009 Interception Rules. The Supreme Court in PUCL v. Union of India laid down guidelines for wiretapping under the Telegraph Act, 1885. There have also been several sustained calls for surveillance reform from civil society organisations.

9. Concluding remarks about the individuals surveilled using Pegasus

AV: “In conclusion, I humbly submit that: 1. The publisher of the report states that it cannot say if the numbers in the published list were under surveillance.”

Verification: The publisher of the report has, in detail, shown how a small number of numbers from the published list have shown evidence of being targeted via the Pegasus software with the help of a technical analysis conducted by Amnesty International’ Security Lab which was confirmed by CitizenLab in a peer review.

10. Concluding remarks about the procedures of law to safeguard the fundamental rights of Indian citizens against attacks and surveillance, such as Pegasus

AV: “In conclusion, I humbly submit that:… 3. And the time-tested procedures of our country are well-established to ensure that unauthorised surveillance cannot occur.”

Verification: Indian law does not provide a grievance redressal mechanism to the victim of unauthorised surveillance, nor does it provide sufficiently clear and detailed punitive measures for the perpetrators of unauthorised surveillance. The IT Act and rules made thereunder are ill-equipped to prevent and punish unauthorised surveillance.

spot_img

Don't Miss

Related Articles