India’s Supreme Court orders independent probe following Pegasus Project investigation

Supreme Court is pictured through a gate in New Delhi, May 26, 2016. REUTERS/Anindito Mukherjee

NEW DELHI – India’s Supreme Court on Wednesday, Oct. 27, 2021, ordered an independent probe into reports that phone numbers belonging to journalists, activists and political figures in India were found on a list that included some numbers selected for surveillance by clients of the Israeli surveillance firm NSO Group.

The Pegasus Project, first published in July by a global media consortium that included The Washington Post, revealed that hundreds of numbers from India appeared on the global list of more than 50,000 phone numbers, which included some associated with heads of state.

NSO’s Pegasus spyware is a surveillance tool sold only to governments or their agencies, primarily to fight terrorism. Its use to infiltrate phones belonging to politicians, journalists and activists has renewed concerns about the erosion of civil liberties in India under Prime Minister Narendra Modi. Forensic analyses confirmed that the phones of at least 10 people in India were hacked.

Pegasus can be used to hack a phone without action by the victim, known as a “zero-click” attack. Once infected, the phone’s cameras and microphones can be accessed remotely.

Several petitions were filed in India’s top court, some on behalf of those whose phones were found to be infected by the spyware, seeking a court-monitored investigation into the matter. During the weeks-long hearing, the court asked the government to confirm the use of the spyware. The government declined, citing national security, and instead offered to set up a committee that would examine the issue.

The court appointed a three-member committee that includes professors of cybersecurity and computer science at top institutes. The committee will be supervised by a retired Supreme Court judge, and the matter will be heard in eight weeks.

The committee’s mandate will be to determine whether Pegasus spyware was acquired by the federal or state governments or their agencies for use against Indian citizens, among others.

The court noted that the government’s petitions contained “no specific denial of any of the facts.”

The state cannot get a “free pass every time the spectre of ‘national security’ is raised,” the court said in its order, noting that indiscriminate spying cannot be allowed outside the purview of the law.

In July, Information and Technology Minister Ashwini Vaishnaw told Parliament that India has checks and balances to ensure there was no “illegal surveillance.” Vaishnaw was one of the two ministers in the Modi government whose phone numbers appeared on the list.

France’s Mediapart news outlet reported in September that the phones of five French ministers bore traces of the Pegasus spyware, citing an analysis by the country’s security agencies. France and other European countries have initiated investigations into the use of Pegasus.

The list contained numbers belonging to prominent figures from India, including Rahul Gandhi, India’s main opposition leader, and his aides; Ashok Lavasa, a top official of India’s autonomous election commission who determined Modi broke campaign laws during the 2019 national election; and co-founders of the Wire, an independent media outlet considered critical of the Modi government. The Wire was a partner in the Pegasus Project.

Gandhi told reporters that the Supreme Court order was a “big step” and that the use of Pegasus was “an attempt to crush India’s democracy.”

Siddharth Varadarajan, a co-founder of the Wire, whose phone was compromised by Pegasus, according to forensic analysis, called it an “excellent first step.” He said that while a lot will depend on the extent to which the government cooperates with the panel, “it is reassuring that the court is taking concerns of privacy and surveillance very seriously.”

A group of activists jailed on terrorism charges also appeared on the list. The Washington Post reported earlier this year that the computers of two of the activists were also targets of a sophisticated malware attack that was used to plant evidence, according to a forensic analysis.

Allegations of the use of Pegasus in India first surfaced in 2019, when WhatsApp discovered that hundreds of its users globally had been targeted through a vulnerability in the app. WhatsApp informed the government that 121 of those users were Indians, the Indian Express newspaper reported.

The list of more than 50,000 phone numbers worldwide was first accessed by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group.

The NSO Group denied that the appearance of numbers on the list meant that they had been selected for surveillance. It promised to investigate the allegations of misuse and said it would drop clients who may have violated its usage terms.



Please enter your comment!
Please enter your name here