We need your support. Know More

The Most Dangerous Software Known to Humankind

Paranjoy Guha Thakurta
Nov 01, 2023
Laurent Richard and Sandrine Rigaud's book diligently documents not just the ghastly consequences of state surveillance on individuals but juxtaposes these with stories of resistance and courage.

Palestine and Israel continue to dominate the news cycle. Then one learns that several Members of Parliament and leaders belonging to political parties opposed to the ruling regime in this country, those working in the office of Rahul Gandhi, a few individuals apparently on the other side of the divide, not to mention a few journalists, including Siddharth Varadarajan, one of the founding editors of The Wire, Anand Mangnale and Ravi Nair of the Organised Crime and Corruption Reporting Project (OCCTP), have all been “alerted” by Apple:

“State-sponsored attackers may be targeting your iPhone… These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.”

If you thought iPhones were more secure than cellular mobile phones with the more commonly-used Android operating system, you are wrong.

Is there anything common between Israel and the alert issued by Apple? Answer: Yes.

Named after a mythical winged horse from Greek mythology, Pegasus is one of the world’s most powerful cyberweapons. To say that Pegasus is the nuclear bomb of computer software would be an understatement. It is zero click-bait. In other words, the person who uses a mobile phone does not have an iota of an idea if, how, when and where their phone has been infected by this spyware. Earlier, one would have to click on a link to enable malware to enter the phone. Technology has “progressed” at a phenomenally rapid pace.

Laurent Richard and Sandrine Rigaud
Pegasus: The Story of the World’s Most Dangerous Spyware
Macmillan, 2023

The privately-owned Israeli company called the NSO Group that developed the world’s most dangerous surveillance tool claims that it is used for law-enforcement: for nabbing terrorists, drug dealers, paedophiles, tracking drones and even finding people trapped in the rubble of a collapsed building. But this spyware – and its clones and imitations, including one named Predator – that is supposedly made available only to government law-enforcing agencies after due authorisation by the Israeli government, is also misused by regimes across the world, especially authoritarian ones. Only governments, and perhaps indirectly a few big business groups, can shell out the big bucks needed for the targeted deployment of Pegasus. Although Tel Aviv claims that the spyware is sold only to government bodies and NSO denies its unauthorised use – this argument is what Laurent Richard and Sandrine Rigaud’s book Pegasus: The Story of the World’s Most Dangerous Spyware seeks to dispute and demolish.

The crucial question that logically arises in the context of what’s currently going on is, why Israel’s military forces could not anticipate the attack by Hamas on October 7, despite having developed the most advanced spyware. This question remains unanswered.

To go back to Pegasus, the fact is that this spyware has been, and almost certainly continues to be, misused to track not just the political opponents of those in power in several countries, but also those within their respective governments who the rulers want to keep an eye on. Pegasus has been used to listen in to, read and view conversations, text and audio messages as well as videos over electronic mail and text communications on the mobile phones of quite a few heads of governments. For example, the royalty of Morocco used the spyware to snoop on top functionaries of the government of France as well as dissidents. The most widespread use of Pegasus is to track politicians, journalists, lawyers, judges, government officials and human rights activists.

This is what this book is all about. It has been written by two journalists who work with the Paris-based Forbidden Stories, which received a data leak of some 50,000 phone numbers on which Pegasus had apparently been used. Amnesty International was first roped in as a collaborator. Thereafter, the numbers were shared with more than 80 journalists working in 17 media organisations across the world, including The Wire in India. Those willing to have the innards of their phones forensically examined after extracting data from their personal devices, saw the information being scrutinised by technical experts in Europe and in Canada (at the Citizen Lab). The book details the elaborate way the global investigation was conducted over more than three months and finally made public in a coordinated manner in July 2021.

What makes the 318-page book extremely readable is that it is written in a racy style and filled with many anecdotes and accounts of the personal experiences of individuals. These include many heart-rending, real-life stories of people who were killed, their families devastated and how innocent people were harassed, tortured and incarcerated merely for doing their jobs in earnest – that is, exposing corruption in high places, abuses of power and the nexus between criminals and top government officials. The stories in the book are not just about death and destruction but also about amazing courage and fortitude. The way the researchers and technical experts behind the investigation went about doing their work in digging up the dirt about Pegasus are recounted in gripping detail.

§

Before proceeding further, a personal disclaimer is in order. Besides the founding editors of The Wire Siddharth Varadarajan and M.K. Venu, this reviewer is among those whose phones were forensically examined and who are named in the book at many places. I am also among those who have petitioned the Supreme Court of India in this connection. Whereas several governments in different countries have initiated probes into allegations of misuse of the spyware, the government of India has brazenly stonewalled attempts to disclose whether it has used Pegasus, that too despite the intervention of the country’s highest court. Not only does the government’s stance suggest that it has much to hide, the Supreme Court too hasn’t exactly covered itself with glory because of the tardy way in which it has acted – or rather, not acted.

On October 27, 2021, the Supreme Court had formed a committee headed by retired Justice R.V. Raveendran, with two members assisting him: Alok Joshi, former director of the government’s external intelligence agency the Research and Analysis Wing (RAW) in the Cabinet Secretariat and 1976 batch officer of the Indian Police Service; and Sundeep Oberoi, chairman of the sub-committee of the International Organization of Standardization, International Electro-Technical Commission and Joint Technical Committee. The committee was supported by another panel of three technical experts: Naveen Chaudhary, a professor of cyber security and digital forensics at the National Forensic Sciences University, Gujarat; Prabaharan P., professor, Amrita Vishwa Vidyapeetham, Kerala and expert on cyber security; and Ashwin Anil Gumaste, professor, department of computer sciences and engineering, Indian Institute of Technology, Bombay.

A day before the then Chief Justice of India N.V. Ramana retired on August 26, 2022, he observed in court that the government of the day had not cooperated with the committee he had appointed. He remarked: “We will say one sentence — the government did not cooperate with the technical committee on scrutiny of the devices for Pegasus spyware.”

He was that day presiding over a three-judge bench comprising Justices Surya Kant and Hima Kohli. He opened the voluminous report in three parts in court and the judges went through it quickly. The CJI said the technical committee had examined 29 phones and found malware in five of them but could not state if the malware was Pegasus. He said the Raveendran committee’s report would be uploaded on the website of the Supreme Court but the technical committee’s report would be uploaded after redacting portions as committee members had requested that personal data not be disclosed.

CJI Ramana said the Raveendran committee had recommended changes in the existing law on surveillance and also suggested that the protection of privacy be enhanced “along with the cyber secrecy of the nation”. The CJI said the committee’s recommendations and observations could be made public.

The bench stated: “Such a course of action taken by the Respondent­ Union of India, especially in proceedings of the present nature which touches upon the fundamental rights of the citizens of the country, cannot be accepted…The mere invocation of national security by the State does not render the Court a mute spectator.”

Earlier, when CJI Ramana had asked the Solicitor General of India Tushar Mehta representing the government to answer a straight question ­– has any agency of the Indian government purchased and used Pegasus – the latter refused to answer “yes” or “no” ostensibly on the ground that the answer would adversely affect “national security interests”. This was how brazen the government’s response was. But worse was to follow.

After the Raveendran committee and the technical committee submitted their reports in a sealed cover, and despite CJI Ramana’s observations in court, late at night on August 25, 2022, the Supreme Court decided to “re-seal” the report of the Raveendran committee and keep in the “safe custody” of the Secretary General of the court. The legal website The Leaflet commented: “The decision to keep the two reports under wraps, despite the CJI’s oral commitment to upload them on the Supreme Court’s website, disappointed those who expected some degree of transparency from the highest court.”

The case was supposed to be heard after four weeks. But more than 13 months have gone by and nothing has happened. Meanwhile, curiously, the depositions that were video-graphed (of various individuals, including Varadarajan and me) and made available on the publicly-available website set up by the inquiry committee, cannot be accessed at present.

§

To return to the book by Ricard and Rigaud, the particularly gripping stories are not just about Jamal Khashoggi, the Washington Post columnist and occasional critic of the royal family of Saudi Arabia (in particular, Mohammed bin Salman or MBS) who was allegedly complicit in engaging certain persons who cut Khashoggi’s body into pieces in October 2018 inside the Saudi consulate in Istanbul, Turkey. Pegasus was apparently deployed to track his fiancé and his lawyers even as he entered the consulate.

Equally gripping are the stories of journalists from Mexico, some of whom are no more. The murder of 39-year-old journalist Cecilio Pineda remains unsolved, as is the unnatural death of Regina Martinez of Prosco. Both exposed the working of the drug mafia whose members bribed and colluded with local government officials and police personnel. The phone of another investigative journalist, Jorge Carrasco was apparently compromised by Pegasus even as he continued to probe the circumstances of the deaths of his fellow journalists.

The book diligently documents not just the ghastly consequences of state surveillance on individuals but juxtaposes these with stories of resistance and courage. The examples of brave journalists, Khadija Ismayilova of Azerbaijan, and Bastian and Frederik Obermaier of Hungary, provide silver linings of hope in the dark clouds of dictatorship and authoritarianism.

Out of the 50,000 odd phone numbers that were “leaked” to Forbidden Stories (perhaps by an NSO insider), over 1,000 numbers in some 50 countries were found to have been allegedly infected by Pegasus after verification with multiple sources. Among these numbers were those that belonged to three presidents, ten prime ministers, one king, two Emirati princesses (no prizes for guessing their names), at least 600 politicians and government officials, 192 journalists, and 85 human rights activists and lawyers.

Let me anticipate a reaction to this review from supporters of the BJP and those who are part of the right-wing ecosystem, an instance of “whataboutery”. If Pegasus has indeed been misused across the world, what’s new about what is happening in India? Small consolation then?

Be that as it may, there is much in the book about how the international operation to ensure that 80 journalists working in 17 media organisations across the world, were persuaded to keep the entire investigation under wraps for many months, that is, before detailed questionnaires were e-mailed to NSO in Israel. The book ends soon after July 2021 when the stories were published in a coordinated manner over more than a week. I think it’s time for Ricard and Rigaud to publish a revised, enlarged edition of the book. Check out the many dozens of Indians whose names were disclosed in the series of articles published by The Wire that month.

One last remark. Why have I repeatedly used the word “allegedly” in this review article? The reason is simple: traces of Pegasus are very, very difficult to find. To understand how difficult this process is, read the book.

Paranjoy Guha Thakurta is a Delhi-based journalist. He is the co-author (with Ravi Nair) and publisher of The Rafale Deal; Flying Lies? The Role of Prime Minister Narendra Modi in India’s Biggest Defence Scandal.

Make a contribution to Independent Journalism