US Pegasus Ruling: A Reminder of India’s Stalled Probe
Bappa Sinha
A US court has held the Israeli spyware maker NSO Group responsible for using WhatsApp to illegally infiltrate the mobile phones of thousands of individuals with its Pegasus software – a military-grade spyware. In a landmark decision, the US District Court in Northern California found the NSO Group liable for violating state and federal hacking laws such as the US Computer Fraud and Abuse Act. The ruling comes five years after Meta, WhatsApp’s parent company, filed a case accusing the NSO Group of exploiting an audio-calling vulnerability in its messaging platform to deploy Pegasus spyware on unsuspecting users' mobile phones. According to WhatsApp, the malware targeted thousands of human rights defenders, journalists, and other members of civil society, as well as government officials and diplomats. In her decision, the judge noted that the NSO Group did not contest allegations that it had “reverse-engineered and/or decompiled the WhatsApp software” to install its Pegasus spyware on the affected devices.
The use of Pegasus to hack into mobile devices first came to light in 2019, when it was reported that the spyware used vulnerabilities in WhatsApp software to target 1400 individuals worldwide, including 140 Indians. In 2021, 17 news organisations worldwide, including The Wire from India, along with two NGOs, Amnesty International and Forbidden Stories, reported that they had spent months examining a list of 50,000 phone numbers from around 50 countries, including 1000 numbers from India, whose phones could potentially have been hacked using Pegasus. They then forensically examined the phones of some of the people willing to have their phones tested. The results showed that 85 per cent of the phones tested had been hacked by Pegasus spyware.
The possible targets included journalists, activists, members of civil society, as well as government officials and diplomats from across the world. They included fourteen heads of state and government: three presidents – France's Emmanuel Macron, Iraq's Barham Salih and South Africa's Cyril Ramaphosa; three sitting and seven former prime ministers; and a king, Morocco's Mohammed VI. The three sitting prime ministers were Pakistan's Imran Khan, Egypt's Mostafa Madbouly and Morocco's Saad-Eddine El Othmani. The seven former prime ministers included Lebanon's Saad Hariri, France's Édouard Philippe, Algeria's Noureddine Bedoui and Belgium's Charles Michel.
The investigation revealed that around 300 mobile phones in India were hacked. These included the phones of Rahul Gandhi and TMC leader Abhishek Banerjee; the then Deputy Chief Minister of Karnataka, G Parameshwara, and the personal secretaries of Siddaramaiah and the then Chief Minister of Karnataka, H D Kumaraswamy; two ministers in the Union government; 40 journalists; a member of the Election Commission, Ashok Lavasa; and various human rights and student activists, a railway trade union leader and so on.
WHAT IS PEGASUS, AND WHY IS IT SO DANGEROUS?
Pegasus is more than just spyware that monitors communications. It fundamentally takes control of the infected phone. Once it infects a smartphone, it modifies the device's software to access all its functions, effectively "owning" the phone.
What made Pegasus particularly dangerous was its ability to infect devices without any action from the user. Unlike typical malware that requires clicking on a malicious link or visiting a compromised site, Pegasus could exploit vulnerabilities without any user interaction. For instance, it used a WhatsApp vulnerability to infect phones with just a missed call. The spyware evolved to leverage zero-click exploits in apps like iMessage, FaceTime, WhatsApp, Telegram, and others.
Once installed, Pegasus could read messages, emails, and call logs; capture screenshots; track browser history; log keystrokes; and access contacts. It also exfiltrated data – sending files back to its servers. Encryption of messaging services like WhatsApp and Signal was evaded, as Pegasus could intercept the data directly from the phone before these apps could apply encryption. The software could even be used to plant incriminating documents on the infected phones.
Even iPhones, often considered more secure, were vulnerable to Pegasus. While iPhones log device activity, which can help detect infections, Android devices lack such comprehensive logs, making it easier for Pegasus to hide its presence. Regardless of the operating system, Pegasus could invade every aspect of a target's digital and physical life, making it a formidable tool for surveillance. It is far more sophisticated than run-of-the-mill malware or spyware and was hence classified as military-grade spyware. NSO, an Israeli company, had very close ties to Unit 8200, the Israeli equivalent of the NSA. NSO was founded and run by ex-intelligence officers from Unit 8200.
In light of this ruling by the US court, a pressing question for India concerns the status of the Pegasus investigations and the reports submitted in 2022 by a court-appointed expert committee to the Supreme Court. NSO has always claimed that Pegasus was sold only to “vetted governments”, which raised questions about the Indian government’s role in the illegal hacking of people’s mobile phones. The government has relied on silence, denial, and obfuscation in response to these serious allegations. The government showed little interest in investigating claims that journalists, activists, politicians, and even constitutional authorities were targeted by the spyware. It asserted that India’s legal framework was robust enough to prevent illegal surveillance and refused to confirm whether it possessed the spyware, citing national security concerns. This stance persisted despite its admission in Parliament that it was aware of Pegasus targeting users via WhatsApp. Credible reports suggesting that Pegasus may have been used to plant evidence on dissidents' devices were also met with silence. The then Chief Justice of India, N V Ramana, noted in open court that the government refused to cooperate with the Supreme Court-appointed committee set up to investigate the matter. The findings of the committee remain unpublished.
In light of this judicial decision by the US court holding NSO Group liable for the use of its spyware by its clients, exclusively “vetted” government entities, the time has come to resurrect the stalled probe in this matter. The sealed Supreme Court reports should be disclosed, and comprehensive investigations launched. The Supreme Court had already commented that the fundamental rights of citizens, particularly the right to privacy, cannot be breached indiscriminately by citing “national security” concerns. It is essential for the preservation of the democratic system and the protection of citizens' rights that accountability be fixed for those who transgressed the laws and violated all legal boundaries. Since the Modi government is in denial and seeks to protect the guilty, a high-level probe must be conducted to hold the government accountable. The Supreme Court must initiate and supervise such an enquiry.