Progress of Pegasus investigations around the world #SaveOurPrivacy

tl;dr

While the progress in India related to the Pegasus revelations has been slow, other jurisdictions have fared much better. In this post, we will take a look at the steps undertaken by other government authorities against the shocking violations of privacy committed through the invasive spyware.

France

According to the Pegasus Project partners, one of the President Emmanuel Macron’s personal telephone numbers was included in the leaked database which formed the basis for the Pegasus revelations in July. Immediately after the initial revelations President Macron was reported to have reached out to the Israeli Prime Minister Naftali Bennett, while French minister for armed forces, Florence Parly, had reached out for clarifications to her Israeli counterpart Benny Gantz. Within 24 hours of the reports, France had ordered a series of investigations into the matter.

Subsequently, France was the first country in the world to officially confirm that the Pegasus spyware was used to target its citizens. France's national cyber-security agency ANSSI confirmed that Pegasus was found on the devices of two journalists that work for the French news media organisation Mediapart, which is part of the international consortium of news media organisations that first broke the story back in July under their Pegasus Project. Mediapart had also reported that at least five ministers of the current French cabinet had been targeted through Pegasus. As a result of the diplomatic fallout from the incident, Israel has reportedly offered to ban the targeting of any French number by any future NSO Group clients.  

United States of America

Following the revelations, the US Government also raised concerns with senior Israeli officials about the use of NSO spyware, since reports revealed that it was used to target journalists, politicians and human rights defenders. The issue was also brought up by members of the US Congress who “called on the Biden administration to push forward on new regulations, sanctions and federal investigations into potential spyware abuse”. Then, on November 3, 2021, the US Commerce Department’s Bureau of Industry and Security (BIS) added the NSO Group to its Entity List for Malicious Cyber Activities for “or engaging in activities that are contrary to the national security or foreign policy interests of the United States”, according to the official press release. The press release further stated that NSO Group’s addition to the Entity List was based on “evidence that (NSO) developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers”. This essentially means that US companies will not be able to sell technology to the NSO Group.  

However, it is not just the US Government which has come down hard on the NSO Group. Apple Inc., whose products have been targeted by the Pegasus spyware repeatedly by exploiting vulnerabilities in Apple devices, has filed a suit which provides new insight into how the spyware targeted Apple devices and has sought a permanent injunction to ban NSO Group from using any Apple devices in the future. In its complaint, Apple has characterized NSO as, “notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse”. This suit follows in the footsteps of Whatsapp Inc. and its parent company Meta, which seeks to hold NSO liable for using WhatsApp’s servers to deliver the Pegasus spyware to 1400 targets across the world. IFF was one of eight civil society organisations from across the world which filed an amici brief before the Ninth Circuit Federal Court of Appeals in California for the Whatsapp suit. The amici brief urges the Ninth Circuit to dismiss the NSO Group's appeal claiming sovereign immunity from WhatsApp's lawsuit.

Mexico

The Mexican Government of President Andrés Manuel López Obrador has revealed that the previous two administrations spent $61 million on acquiring the Pegasus spyware from NSO during the administrations of President Felipe Calderón in 2006-2012 and President Enrique Peña Nieto in 2012-18. In November, the Mexican authorities made the first arrest related to the Pegasus revelations when a technician who worked for a private company was jailed based on allegations that he was involved in the illegal phone tapping of a broadcast journalist. However, NSO has reacted to the arrest by stating that their products are only sold to vetted government clients and hence cannot be operated by private companies or individuals.

United Kingdom

In the UK, there has been no official investigation which has been initiated in light of the revelations made by the Pegasus Project partners. However, calls for investigation gained momentum in October after English courts concluded that agents of Sheikh Mohammed, the ruler of Dubai, had infiltrated his ex-wife Princess Haya’s phone as well as the phones of her lawyer by using Pegasus during their ongoing legal battle. Within hours of this ruling, the Guardian, which is one of the Pegasus Project partners, reported that Pegasus “is no longer effective against UK numbers”.

Israel

In the immediate aftermath of the Pegasus Project reports, Israel had set up a senior inter-ministerial team to look into the revelations. However, the Israeli Government has tried to distance itself from the controversial company and has tried to downplay the role it plays in regulating the company. Israel’s foreign minister Yair Lapid has said that “the government has only limited control over how defense exports are used by customers”. Nonetheless, he said that Israel will work to ensure the NSO Group’s spyware does not fall into the wrong hands. After the US added NSO to its Entity List for Malicious Cyber Activities, Lapid tried to distance the Government from the company further by stating that, “NSO is a private company, it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government”. Now, in a bid to prevent misuse, the Israeli Defence Ministry has announced that it will be tightening supervision over cyber exports. Moving forward, any country that wishes to purchase Israeli cyber technology will have to give a signed declaration that use of the products will be done "for the investigation and prevention of terrorist acts and serious crimes only”.

What about India?

The Indian Government has failed to initiate any investigation into the Pegasus revelations, even though multiple Indian citizens were reported to have been targeted and the proceedings of both houses of Parliament were disrupted as Opposition party members called for a discussion on the issue. However, the Supreme Court has constituted a Committee of Experts to look into the allegations after it was approached by affected parties. This Committee comes in the wake of the Commission of Inquiry set up by the Government of West Bengal, a two member Commission tasked with investigating the issue. IFF’s Executive Director Apar Gupta deposed as a witness before the Commission last month.

Important Documents

1. Our work against surveillance perpetrated through the Pegasus spyware (link)