Going beyond the act of targeted cyber surveillance, Pegasus’ invasion of users in India through seemingly unstoppable means brings our legal and technological barricades to the forefront. Pegasus, the cyber espionage tool developed by Israeli technology firm, NSO Group Technologies, has made numerous headlines over the past week, with explanations of how it attacks, and more recently, the Ministry of Home Affairs’ denial of holding any information regarding the tool.
However, such tools are not particularly new, and have been around for a while. Speaking to News18, Debayan Gupta, faculty at the department of electrical engineering and computer science at the Massachusetts Institute of Technology, said, “Pegasus is an old tool sold by the NSO, which in theory is built for legal usage only. However, over time, it has picked up a bit of a bad reputation because of its involvement in multiple crimes.” Instances of other such tools with similar usage pattern include TheHackingTeam’s RCSAndroid, and the NSA’s notorious EternalBlue.
Over and above its obvious threats, the advent of a tool like Pegasus brings to light the aspect of cyber security laws in India. As Gupta states, “Each government is made up of individuals, and all it takes is one person with access to have bad intentions and sell those tools (to the Dark Web). Eventually, it is only a matter of time before these attacks land up in the criminal market, and gets used for malicious activities. That is exactly what we saw with EternalBlue, and a lot of other such tools that came before it as well.”
Given the propensity for such a tool to land up in the criminal market, the establishment of stricter cyber laws is imperative. However, in India, Section 69 of the Information Technology Act, 2000 lists down situations during which the government can impose cyber surveillance en masse. Among other factors, the section includes “preventing incitement to the commission of any cognizable offence” and “investigation of any offence” as permissible cases for spying on an individual. In simpler terms, this practically covers everyone, and at any time as deemed fit.
While WhatsApp faces the brunt for the attack right now, Pegasus is not specific to the chat app. Gupta explains, “When a video call is made (on WhatsApp), the call information as well as the metadata is sent to the recipient phone. When this comes, WhatsApp is “reading” this data in order to display it to you. Prior to its patch in May 2019, WhatsApp did not sanitise this package for the kind of code included in the metadata, because of which the contained Pegasus code would get executed on the recipient’s phone. This allowed remote installation of the spyware.” Once it was installed, it could gain access to anything, essentially reading every chat and webpage that a user opened. Pegasus was also cleverly designed, wherein it did not cause spikes in data usage, or drain battery excessively, or even take up too much space, meaning that for the average consumer, it is nearly impossible to detect that something might be wrong with their device.
The incident calls for tighter adoption of cyber security laws, in order to put in safeguards for users. For a tool such as Pegasus, end-to-end encrypted services do not protect information, since the entire device is taken over. This is compounded by state surveillance and the potential of the tool being sold to the criminal market, hence raising the chances of a future attack that would closely resemble NotPetya and WannaCry.
“Zero-day attacks are highly coveted by governments, but the Indian government does not really require more mass surveillance tools,” said Gupta, adding an ominous insight for the right to an individual’s privacy in India. Without any legislation to safeguard individuals, and popular apps falling prey to increasingly deceptive hacks, privacy seems like a price that has long been paid, one that may not really return.