Recent reports by Amnesty International and Citizen Lab have evidenced the presence of large-scale phishing, and spyware hacking scams in the country. A joint report by Amnesty International and Citizen Lab has reported on how a Spyware software was used to spy on various Indian civil rights activists, journalists and lawyers. Another study by Citizen Lab brings to light the presence of a New Delhi-based hacking firm that has targeted advocacy groups, journalists, elected government officials, and multiple industries on six continents. More credence is lent to such claims, now that the MeitY’s own nodal agency, CERT-in has come out with an advisory warning people about an impending large-scale email phishing attack in major Indian cities. Amidst such blatant attacks against privacy, autonomy, and liberty, we wrote to the Committee on IT to take note of these important developments. We also wrote to the Hon’ble Speaker of the Lok Sabha and the Hon’ble Chairman of the Rajya Sabha making a case that moving legislative business to virtual platforms is not only urgent, but that the existing rules can be used to easily make this change.
Well, what is “Phishing” and “Spyware”?
We know you probably know that, “phishing”, and, “spyware” attacks are something to guard against but what are they exactly? Also, why are they such a grave threat to your cyber security and privacy?
- Phishing or Spearphishing is defined by Kaspersky as, ‘an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer’. In other words, it is a fraudulent technique through which the receiver of an electronic message like an email or a message is made to visit a fraudulent website by clicking a link. Through this they may be tricked into divulging sensitive information like passwords, financial information and other personal information. This can take place either directly, through fake versions of popular websites like Twitter, Facebook or Google or indirectly, through deployment of a Spyware software that secretly gets installed on the victim’s system via this link.
Spyware is defined as, ‘software that’s designed to gather data from a computer or other device and forward it to a third party without the consent or knowledge of the user. This often includes collecting confidential data such as passwords, PINs and credit card numbers, monitoring keyword strokes, tracking browsing habits and harvesting email addresses.’ Simply put, it is a family of softwares aimed at stealing information about a person or a group of persons without their knowledge and sending it to another entity. Spyware often operates by gaining control of the victim’s computer without consent and then relaying gathered information like internet activity data and passwords via cookies, which are usually consented for. Phishing and Spyware can work in tandem– a phishing email can lead to the installation of a spyware software on the victims’ computers.
Massive Cybersecurity Threats in India
Over the past few weeks two international organisations – Amnesty International, and Citizen Lab, an interdisciplinary research group at the University of Toronto, Canada have published detailed reports establishing a concrete idea about the serious nature of cybersecurity threats, and data privacy breaches that the country is facing.
- Cyber Attack on the Bhima Koregaon 11 : First one of these is a joint report by Amnesty International and Citizen Lab detailing how a commercially available Spyware called NetWire was deployed via phishing emails to spy on 9 civil rights activists, journalists and lawyers. Their computer systems were hacked into to monitor their actions and communications, which is a direct violation of their right to freedom of expression, and the right to privacy guaranteed by the Indian Constitution. Incidentally, 8 of the 9 victims of this spyware attack have been demanding the release of the Bhima Koregaon 11, a group of human and social rights activists currently under arrest amidst a pending trial. Furthermore, at least 3 of these 9 victims were also targeted by the widely discussed NSO’s Pegasus spyware in 2019.
- A homegrown blackhat phishing firm: Second is an investigative report by Citizen Lab revealing the presence of an internationally active hacking firm in New Delhi. This firm, named BellTroX InfoTech Services has been mentioned in the report in relation to providing services to clients that aimed at hacking individuals, organisations and industrial entities on six continents. It has been reported that these victims include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. More specifically, the group was behind the phishing of organizations working on net neutrality advocacy. Also, American organisations working on the #ExxonKnew campaign, which claimed that Exxon Mobil held back evidence on climate change and global warming for decades were targeted by BellTroX.
- You could be next: The serious implications of these findings gain more credence in light of an advisory (CIAD-2020-0040, dated 19 June 2020) by the Indian Computer Emergency Response Team (CERT-In), an official government agency, which asserts that nearly 2 million Indian email addresses are vulnerable to an impending phishing attack. It is suggested that such an attack can be carried out under the pretext of providing receivers help by posing as ‘...government agencies, departments, and trade associations who have been tasked to oversee the disbursement of government fiscal aid’. Added to this is the fact that the email might be from an ‘official sounding’ email address like ‘[email protected]’, which makes it even more dangerous and harmful for the citizens.
Here is what the malicious email can look like:
It is clear that such cybersecurity threats, which clearly put the privacy, security, and freedom of expression of the citizens at risk, cannot be treated as rare incidents anymore and need to be dealt with with a robust framework in place.
Therefore, IFF sent a letter to the members of the Parliamentary Committee on IT requesting them to take note of these recent findings and urging them to further the cause of restoring legislative business through virtual committee meetings. However, it does not help that there is a severe lack of legislative discussion around these issues. Furthermore, the possibility of such a discussion has been stymied by the fact that the Parliament has been reluctant in adopting remote conferencing platforms for carrying out legislative business, especially the standing committee meetings.
Absence of Legislative Action
The urgent need for Parliamentary debate on such issues that directly endanger autonomy, privacy and liberty of all Indian citizens is an undeniable fact.
We were disappointed to know that the meeting of the Parliamentary Committee on Information Technology, which was scheduled to be held on 10 June, 2020 was called off by the Hon’ble Speaker of the Lok Sabha. Even though in-person attendance could not have been ensured amidst the rising cases of COVID-19, the reluctance in adapting to remote conference technologies is disappointing.
Regarding this, the Hon’ble Chairperson of the Committee on IT, Dr. Shashi Tharoor tweeted (quoting the Hon’ble Speaker) that the meeting cannot be held virtually without the rules being amended, in a process that involves agreement of the Rules Committee and a vote in the House.
So, pressing for action, we wrote to the Hon’ble Speaker and the Hon’ble Chairman of the Rajya Sabha making a case that the corresponding Rules of Procedure and Business do provide enough power to the Hon’ble Speaker and the Hon’ble Chairman to constitute these changes, if they will.
We pointed out that specifically, Rule 331K of the Rules and Procedure and Conduct of Business in the Lok Sabha and Rules 275 and 81 of the Rules of Procedure and Conduct of Business in the Council of States do pave way for adoption of remote conferencing tools with their consent.
We, at IFF, believe that as the world’s largest democracy and one of the biggest powerhouses in Information Technology, India has both the reason and the technical know-how to effortlessly bring this change to fruition. The reason for pushing for this transition becomes even stronger when such pressing issues like autonomy, dignity, privacy and freedom of expression are at stake. It is also interesting to consider that countries like Canada, the United Kingdom, France, Brazil and New Zealand among others have duly incorporated online conferencing tools to conduct their legislative business. This fact has been highlighted well in these Op-eds by M.R. Madhavan and Chakshu Roy, the President, and the Head of Civic and Legislative Engagement at PRS, respectively.
We intend to follow up and will keep urging all our parliamentary institutions to take clear steps to protect your digital rights.
1. Our representation to the Standing Committee on Information Technology highlighting evidence on recently uncovered cybersecurity and privacy threats in the country dated 23 June 2020. [link]
2. Our letter to the Hon’ble Speaker of the Lok Sabha making a case for moving essential legislative business, especially the standing committees to remote conferencing platforms dated 23 June, 2020. [link]
3. Our letter to the Hon’ble Chairman of the Rajya Sabha making a case for moving essential legislative business, especially the standing committees to remote conferencing platforms dated 23 June, 2020. [link]
4. Committee on IT : Get up! Stand up, for our privacy rights! dated 8 May, 2020. [link]