It is a shocking revelation that journalists, rights activists, politicians and government officials were surveilled through Israeli software in more than 50 countries. Preliminary investigations say at least 1,000 people were targeted while the actual number could have been much more than it. According to initial estimates, the malware was used to kill at least two journalists. The international community will have to work together to stop the abuse of such gadgets to ensure protection of human rights and avoid conflict among governments and states.
The leak was of a list of more than 50,000 smartphone numbers believed to have been identified as people of interest by clients of an Israeli company, NSO, since 2016. At least one phone number once used by Prime Minister Imran Khan was on the India list, according to an investigation by 17 media organisations. India was among a number of countries which used the Israeli spyware in attempted and successful hacks of smartphones of journalists, government officials and human rights activists around the world. The spyware – Pegasus – use was reported by The Washington Post, the Guardian, Le Monde and other news outlets which collaborated on an investigation into a data leak.
More than 1,000 phone numbers in India appeared on the surveillance list while hundreds were from Pakistan. The numbers included those of more than 40 Indian journalists from major publications. Prime Minister Imran Khan, his cabinet ministers, several high-ranking Pakistani officials, diplomats, Kashmiri freedom fighters, Chinese journalists. Analysis of the more than 1,000 mostly Indian phone numbers selected for potential targeting by the NSO client strongly indicate Indian intelligence agencies were behind the selection including Indian Congress leader Rahul Gandhi, and even an Indian Supreme Court judge. In fact, Indian Prime Minister Narendra Modi used the malware to monitor two numbers belonging to Rahul Gandhi during India’s 2019 national elections, five of his close friends and other Congress party officials were selected as candidates for possible surveillance in the year before the 2019 vote and coincided with the identification of the numbers of two staff members, Sachin Rao and Alankar Sawai, who at the time were working on forthcoming state election campaigns against Modi’s party in Haryana and Maharashtra.
The Israeli company markets Pegasus as a tool for fighting terrorism and crime, but the inclusion of a major Indian opposition leader in the records – alongside political staffers, labour unionists, Tibetan Buddhist clerics, social justice campaigners and a woman who accused India’s most senior judge of sexual harassment – raises questions about its legality. At least two employees of the US Centers for Disease Control and Prevention based in India, including a US citizen, were also identified, along with Gagandeep Kang, a virologist and the first Indian woman to be accepted into the UK’s Royal Society. M Hari Menon, the director of the Bill and Melinda Gates Foundation’s Indian operations, was also selected as a target, alongside several researchers and campaigners working for anti-tobacco NGOs. The motive for the scrutiny is unclear, though the Modi government has expressed suspicion of foreign funding for charities, research institutes and NGOs and seeks to tighten restrictions for bringing in money from overseas. More than a dozen people associated with an Indian cabinet minister, Prahlad Singh Patel, are listed in the data including the elected official himself, his family members, advisers and personal staff including a cook and gardener in 2019. A second cabinet minister for electronics and information technology, Ashwini Vaishnaw – whose portfolio includes the regulation of the use of digital surveillance – was also selected as a potential surveillance target in 2017. Journalists emerge as a major focus in the records, including several covering defence and politics at major newspapers. Forensic analysis detected Pegasus activity as recently as in July on a phone used by Sushant Singh, a journalist who investigated a controversial billion-dollar contract awarded to one of Modi’s close allies in business to build a fleet of fighter jets with the French manufacturer Dassault. Reporter Rohini Singh is facing civil and criminal defamation charges over an investigation she produced into the finances of the son of India’s home minister, Amit Shah. She was selected as a target over the two years that followed the publication of the story. Ashok Lavasa was appointed by the government to the Election Commission of India, which regulates campaigning and polling, and which has for decades enjoyed a near-sacrosanct status as a symbol of the integrity of Indian democracy.
According to the investigation, the numbers on the list were unattributed, but the media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries. They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists and more than 600 politicians and government officials including heads of state, prime ministers and cabinet ministers.
Many numbers on the list were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Moroccan security services used the spyware to target around 30 French journalists and media executives. On the list were 15,000 numbers in Mexico — among them reportedly a number linked to a murdered reporter. A forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices. Among the numbers on the list were those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters. Three dozen journalists at Qatar´s Al-Jazeera network had their phones targeted by Pegasus malware, Citizen Lab reported in December, while Amnesty International said in June the software was used by Moroccan authorities on the cellphone of Omar Radi, a journalist convicted over a social media post.
An Amnesty International investigation into Pegasus says the tool compromised targets’ phones and routed data through commercial services like AWS and Amazon CloudFront, a move that it said “protects NSO Group from some internet scanning techniques.” It said it had contacted Amazon about NSO and Amazon had responded by banning NSO-related accounts. The company describes Pegasus as a tool for surveilling terrorists and cybercriminals. But the reporting from Amnesty International, Forbidden Stories, and 17 news outlets — says governments deployed it indiscriminately against political figures, dissidents, and journalists.
The leak must stir governments and global rights bodies to monitor countries which develop and sell software that infringe personal liberties.