One year ago on 30 Oct 2019, news first broke that at least two dozen human rights defenders in India, including activists, academics, journalists and lawyers, were targeted using a highly sophisticated spyware called Pegasus, which was developed by the Israel-based NSO Group. Pegasus targeted users by exploiting a vulnerability in WhatsApp and it could gain complete access to a device by getting the user to click on a link or through a missed call. The revelations led to widespread outrage, especially since the targets of surveillance were human rights defenders and the NSO Group claims that it only sold Pegasus to vetted government entities.
While the central government has evasively denied any involvement with the Pegasus hack, there has been no independent investigation into the matter. After the Pegasus hack became a subject of discussion in Parliament, the Minister of Electronics and Information Technology stated that CERT-IN intended to audit WhatsApp’s systems and had sent a notice to the NSO Group on 26 November 2019, but there have been no further updates from CERT-IN about the status of the investigation. It should be noted that CERT-IN had been alerted by WhatsApp about this security problem in May 2019, but CERT-IN officials claim they did not recognize the seriousness of the issue because the “communication was in pure technical jargon without any mention of Israeli Pegasus or the extent of the breach.”
At the state level, a panel was also established by the Chhattisgarh Government on 11 November 2019 to investigate the Pegasus hack since at least four of the victims belonged to Chhattisgarh. However, as per media reports, the panel concluded its investigation in January 2020 and it did not find any evidence of police officials purchasing the Pegasus spyware. There exists little or no information in the public domain from the government to confirm this. It is important to note that as per our conversations with the NSO-Pegasus hack victims, none of them have been afforded the opportunity to present their testimonies or appear before this panel. Further, little or no technical analysis has been attempted, and the investigation has been marked by a high degree of secrecy from its institution to its probable conclusion (if any). Since a large number of the victims targeted belonged to Chhattisgarh and Maharashtra, we had also urged these state governments to initiate an independent investigation which must include testimonies from the victims of the Pegasus hack and experts in the field of data privacy and cyber-security.
The only official body which has provided a hearing to the victims of the Pegasus hack so far is the Parliamentary Standing Committee on Information Technology, which decided to examine the issue after a closely contested vote on 20 November 2019. Immediately prior to this, on 19 November 2019, 17 victims of the Pegasus hack had also written to the Parliamentary Standing Committee requesting it to investigate whether government officials had purchased and deployed Pegasus in India. The Parliamentary Standing Committee on Home Affairs had also agreed to discuss the issue, and we wrote to both committees to clarify the legal position on the use of spyware in India and highlighted some broader cyber-security related concerns which must be addressed. Subsequently, depositions were made by the victims and subject matter experts on the issue; however, any report based on them is still awaited.
Despite multiple government and parliamentary bodies examining the Pegasus hack, a whole year has passed and we still do not know who was responsible for this egregious violation of the privacy of human rights defenders in the country. While investigations have been stalled in India, the lawsuit filed by WhatsApp against the NSO Group in California has witnessed some progress. Most recently, the NSO Group filed an appeal before the Ninth Circuit claiming that WhatsApp’s lawsuit could not succeed since the NSO Group enjoyed derivative foreign sovereign immunity by virtue of its customers being foreign government entities.
On this anniversary of the Pegasus hack revelations, we reiterate our support for the human rights defenders who were subjected to this grossly illegal act of surveillance and urge government and parliamentary bodies to bolster efforts in their investigations. The installation of Pegasus was an illegal act as per existing law, specifically provisions of the Information Technology Act, 2000. Such an act calls for seriousness and alarm given that it may set a dangerous precedent on the use of malware and hacking that has put academics, human rights defenders and civil society voices at considerable risk. Since there is a reasonable apprehension that government actors were involved in the Pegasus hack, investigative processes must adhere to the highest standards of independence and transparency. Most importantly, testimonies from actual victims and experts in data privacy and cybersecurity must be heard by bodies examining the Pegasus hack to ensure the real harm suffered and the risk of future occurrences of such incidents are properly addressed.
Today, we stand in solidarity with them and signal our clear, unequivocal condemnation of the use of Pegasus and of the NSO Group.
- Previous post titled ‘Statement: Scary disclosures on use of NSO spyware in India signal a need for urgent reform’ published on 31 October 2019
- Previous post titled ‘We provide the Standing Committees on Home Affairs with suggestions as they discuss the Pegasus scandal’ published on 15 November 2019
- Previous post titled ‘We ask the Committee on IT to let those targeted by Pegasus be heard!’ published on 21 November 2019
- Previous post titled ‘The need to investigate the NSO Group, which was behind the Pegasus software, is now more than ever’ published on 10 April 2020