Introduction

A spyware is a malicious software, which is designed with the purpose of getting into someone’s computer to gather their data and private information with the purpose of sending it to a third party without the user’s consent. Thus, Spyware seems to work in both positive and negative ways. It can work in a positive way for Government and Multi-National Organizations, who need to keep a checks on their citizens and users and prevent any illegal and unwanted activities, while it work in the negative sense for the users whose data is being spied upon as it directly amounts to violation of their privacy.

What is Pegasus?

Issues surrounding Pegasus

How does Pegasus work?

History of Pegasus: How does it all started?

Spy- Tech and Zero – Click : How does Pegasus affects it all?

Issues with Government’s surveillance: How does it give rise to Pegasus?

Are there any legislations for surveillance?

Does interception means turning phones into spy-cams?

Conclusion

What is Pegasus?

Pegasus spyware, developed by NSO Group of Israel, is presently the most powerful spyware ever developed, which is designed to infiltrate smartphones including android and iOS by turning them into surveillance phones. The Israeli company however, claims that Pegasus is a tool particularly made to track criminals and terrorists and it is not made for mass surveillance. Furthermore, the company also claims that it is only selling the spyware to Governments and not to any third party.

Issues surrounding Pegasus

The first instance of Pegasus came into light after WhatsApp sued NSO group in a United States court for allegedly spying and hacking into its database back in 2019. Furthermore, it was alleged that a single license can be used to infect several smartphones and can cost as much as Rs. 70 lakhs. In 2016, a price list was released according to which NSO used to charged $650,000 plus installation fee of $500,000 to infect 10 devices.

Controversy surrounding Pegasus first came into light in July, 2021 when Amnesty international including several other media outlets reported that Pegasus was being used to snoop hundreds and thousands of individuals, the list which includes Indians as well. Furthermore, as NSO claimed that it only sells the software to the Governments, none of the nations have come forward and accepted the claim.

Furthermore, it was reported that over 300 verified phone numbers in India were being targeted by Pegasus including those of ministers, opposition leaders, judges, business personalities and journalists. And this is not the only list. The list presented by the Global media consortium further suggests that NSOs spyware is not only targeting opposition leaders, journalists and right activists but were also targeting people close to them.

Numerous reports from various Indian forums also suggests that at least 1000 people were in the list of potential targets of surveillance using the software.

How does Pegasus work?

For Pegasus to work on your device, it have to be installed on your phone first. It is generally done through sending some malicious files either through email or through SMS, after clicking on which the spyware gets installed on your device. Once installed on your device, it can steal almost any information stored on your device including your browsing history, SMS, contacts, call history, calendars and emails. Furthermore, it can even use your phone’s microchip to record your calls and other conversations and can further film you through its camera and can even track your GPS.

Upon installation, Pegasus contacts the attacker’s Command and Control (C&C) servers to receive and execute instructions and send back the target’s private data. This data can include passwords, contact lists, text messages, and live voice calls (even those via end-to-end-encrypted messaging apps). The attacker can control the phone’s camera and microphone, and use the GPS function to track a target.

To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server. The spyware can evade forensic analysis and avoid detection by anti-virus software. Also, the attacker can remove and deactivate the spyware, when and if necessary.

Furthermore, it enables the law enforcement and intelligence agencies to remotely extract data virtually from any mobile phone device. In addition, a zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error. Pegasus can infect a device without the target’s engagement or knowledge. Therefore, all awareness about how to avoid a phishing attack or which links not to click are pointless.

History of Pegasus: How does it all started?

Pegasus was first discovered in Canada when the researchers at the Canadian Cyber Security Organization encountered the spyware on the phone of a human right activist Ahmed Mansoor. The citizens lab claimed to have discovered the spyware which was tracking all the information including his locations contacts and call history.

In 2018, the citizens lab went on to research further pertaining to the countries which were under the target of the Pegasus spyware and the report claimed that more than 45 countries including India were target of the spyware. It was further averted that the spyware was targeting the ministers and leaders of opposition and journalists.

However, in 2019 it was further averted that not only politicians and journalists but judges and human right activists were also the potential target of the spyware. Pegasus further came into light when WhatsApp claimed to have their data being spied by Pegasus spyware and further claimed to have their security been breached by the spyware.

The latest report being published in 2021 further suggested that it is the Governments who are using the spyware to spy on not only leaders of opposition but also their leaders at the same time. The report further suggested that between 2017 to 2019, around 300 people were being spied through this software, which included opposition leaders, journalists and human right activists.

Spy- Tech and Zero – Click : How does Pegasus affects it all?

The narrative behind building Pegasus spyware was to help Government agencies in tackling terrorism and drug trafficking. The first state to adopt Pegasus spyware was Mexico. The purpose for which it was opted i.e. to fight drug trafficking was never achieved and the spyware was used for spying on some 15,000 people including those close to the current president of Mexico, as per the report.

Then, Pegasus was utilizing attack vectors such as malicious links in e-mails and SMS. Once clicked, the link would install the spyware, giving the hacker complete access to the device without the target’s knowledge. Then, it leapfrogged to zero-click infections.

Such infections, used in WhatsApp and iMessage hacks, do not require any intervention from the end-user. On WhatsApp, a missed call on the voice call feature would insert a malicious code into the device. With iMessage, a short message preview did the trick.

Issues with Government’s surveillance: How does it give rise to Pegasus?

With Right to Privacy being declared a fundamental right, it has become extremely difficult for the Government and its agencies to tap the calls of the potential threats to the Indian security, without infringing their Right to Privacy.

Furthermore, in 2013 the current union home minister Amit Shah’s call recording sparked controversy when he was allegedly talking to the head of the anti-terrorism unit to tap phones of millions without any legal basis.

Thus, for Government not able to tap phones without prior legal sanctity and the threat of alerting the potential threat, Governmental agencies around the world needed a software which could do the job, which then gave rise to Pegasus.

Are there any legislations for surveillance?

Legislature does not leave the Government empty handed. Instead they provided various provisions for allowing the Government to tap phones when it comes to the national security. Section 92 of the Criminal Procedure Code, Rule 419A of the Telegraph Act and Sections 69 and 69B of the Information and Technology Act provides for exception to the Government in scenarios where national security is concerned.

However, the question is who is going to define the limit of such interception? Rule 2(f) of the Information Technology Rules, 2009 defines interception to be acquisition of content of any information so as to make the contents of information available to any person other than the sender, recipient or intended recipient of the communication.

Thus, this Section does not define the limit of interception and such questions are left unanswered by the legislation and are being left at the mercy of the Government.

Does interception means turning phones into spy-cams?

Interception of messages and information under the Telegraph Act and the IT Act only applies to ‘communication’ made through telegraph or computer resources, which is very different from the wide arsenal of surveillance that is offered by Pegasus once it infects a phone.

The use of someone’s mobile phone’s microphone or camera to record her actions or conversations which take place in their daily lives, and not over their electronic device, is thus not authorized by either Section 5(2) of The Telegraph Act or Section 69 of the Information Technology Act.

Thus, interception in no sense means turning the phone of potential threat in a spy-cam and legislature nowhere gives power to the Government to turn phones into spy-cams.

Conclusion

Law does not authorize Governments to spy of the phones of its citizen. Thus, Governments found a way to do so without damaging the integrity of the nation. However, seeing the recent trend it can be concluded that Pegasus is not being used for the purpose for which it was initially designed. Thus, it is left to see whether Pegasus will continue to spy on us or will international organizations will stop its functioning.