Statement: One year of inaction, delay and evasion on the NSO-Pegasus hack #SaveOurPrivacy

Despite multiple government and parliamentary bodies examining the Pegasus hack, a whole year has passed and we still do not know who was responsible for this egregious violation of the privacy of human rights defenders in the country.

02 November, 2020

One year ago, on 30 Oct 2019, news first broke that at least two dozen human rights defenders in India, including activists, academics, journalists and lawyers, were targeted using a highly sophisticated spyware called Pegasus, developed by the Israel-based NSO Group. Pegasus targeted users by exploiting a vulnerability in WhatsApp, and it could gain complete access to a device by getting the user to click on a link or through a missed call. The revelations led to widespread outrage, especially since the targets of surveillance were human rights defenders and the NSO Group claims that it only sold Pegasus to vetted government entities.

While the central government has evasively denied any involvement with the Pegasus hack, there has been no independent investigation into the matter. After the Pegasus hack became a subject of discussion in Parliament, the Minister of Electronics and Information Technology stated that CERT-IN intended to audit WhatsApp’s systems and had sent a notice to the NSO Group on 26 November 2019, but there have been no further updates from CERT-IN about the status of the investigation. It should be noted that CERT-IN had been alerted by WhatsApp about this security problem in May 2019, but CERT-IN officials claim they did not recognize the seriousness of the issue because the “communication was in pure technical jargon without any mention of Israeli Pegasus or the extent of the breach.”

At the state level, a panel was also established by the Chhattisgarh Government on 11 November 2019 to investigate the Pegasus hack, since at least four of the victims belonged to Chhattisgarh. However, as per media reports, the panel concluded its investigation in January 2020 and did not find any evidence of police officials purchasing the Pegasus spyware. There exists little or no information in the public domain from the government to confirm this. It is important to note that, as per our conversations with the NSO-Pegasus hack victims, none of them have been afforded the opportunity to present their testimonies or appear before this panel. Further, little or no technical analysis has been attempted, and from the institution of this investigation to its probable conclusion (if any), there has been a high degree of secrecy. Since a large number of the victims targeted belonged to Chhattisgarh and Maharashtra, we had also urged these state governments to initiate an independent investigation which must include testimonies from the victims of the Pegasus hack and experts in the field of data privacy and cyber-security.

The only official body which has provided a hearing to the victims of the Pegasus hack so far is the Parliamentary Standing Committee on Information Technology, which decided to examine the issue after a closely contested vote on 20 November 2019. Immediately prior to this, on 19 November 2019, 17 victims of the Pegasus hack had also written to the Parliamentary Standing Committee requesting it to investigate whether government officials had purchased and deployed Pegasus in India. The Parliamentary Standing Committee on Home Affairs had also agreed to discuss the issue, and we wrote to both committees to clarify the legal position on the use of spyware in India and highlighted some broader cyber-security related concerns which must be addressed. Subsequently, depositions were made by the victims and subject matter experts on the issue; however, any report based on them is still awaited.

Despite multiple government and parliamentary bodies examining the Pegasus hack, a whole year has passed and we still do not know who was responsible for this egregious violation of the privacy of human rights defenders in the country. While investigations have been stalled in India, the lawsuit filed by WhatsApp against the NSO Group in California has witnessed some progress. Most recently, the NSO Group filed an appeal before the Ninth Circuit claiming that WhatsApp’s lawsuit could not succeed since the NSO Group enjoyed derivative foreign sovereign immunity by virtue of its customers being foreign government entities.

On this anniversary of the Pegasus hack revelations, we reiterate our support for the human rights defenders who were subjected to this grossly illegal act of surveillance and urge government and parliamentary bodies to bolster efforts in their investigations. The installation of Pegasus was an illegal act as per existing law, specifically provisions of the Information Technology Act, 2000. Such an act calls for seriousness and alarm given that it may set a dangerous precedent on the use of malware and hacking that has put academics, human rights defenders and civil society voices at considerable risk. Since there is a reasonable apprehension that government actors were involved in the Pegasus hack, investigative processes must adhere to the highest standards of independence and transparency. Most importantly, testimonies from actual victims and experts in data privacy and cybersecurity must be heard by bodies examining the Pegasus hack to ensure the real harm suffered and the risk of future occurrences of such incidents are properly addressed.

Today, we stand in solidarity with them and signal our clear, unequivocal condemnation of the use of Pegasus and the NSO Group.

  1. Previous post titled ‘Statement: Scary disclosures on use of NSO spyware in India signal a need for urgent reform’ published on 31 October 2019
  2. Previous post titled ‘We provide the Standing Committees on Home Affairs with suggestions as they discuss the Pegasus scandal’ published on 15 November 2019
  3. Previous post titled ‘We ask the Committee on IT to let those targeted by Pegasus be heard!’ published on 21 November 2019
  4. Previous post titled ‘The need to investigate the NSO Group, which was behind the Pegasus software, is now more than ever’ published on 10 April 2020
