Kolkata, India: Activists, journalists, and politicians around the world have been spied on using cellphone malware developed by a private Israeli firm, reports said Sunday, igniting fears of widespread privacy and rights abuses.
Over 40 Indian journalists’ phone numbers appear on a leaked list of prospective surveillance targets, and forensic testing has revealed that some of them were successfully spied on by an undisclosed agency using Pegasus malware, The Wire claimed.
Over the following few days, The Wire will release the identities it has been able to verify in various categories, step by step, with its partners.
The report comes amid a time when India’s democratic traits have been widely reported to have been tumbled downhill in record magnitudes since independence.
The Narendra Modi government has however denied the claims.
“India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right” and that the “allegations regarding government surveillance on specific people have no concrete basis or truth associated with it whatsoever,” the Ministry of Electronics and Information Technology said.
The governments of the United Arab Emirates, Dubai, Saudi Arabia, Azerbaijan, Bahrain, Kazakhstan, and Mexico did not respond to requests for comment according to The Guardian.
The number of key Indian journalists at major news organizations such as the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu, and Indian Express, is among the information stolen.
The use of the software, called Pegasus and developed by Israel’s NSO Group, was reported on by the Washington Post, the Guardian, Le Monde, and other news outlets who collaborated on an investigation into a data leak.
The leak was of a list of up to 50,000 phone numbers believed to have been identified as people of interest by clients of NSO since 2016, the reports said.
The inclusion of a phone number in the data does not indicate whether the device has been infected with Pegasus or has been hacked, the Wire said, which is one of the media partners involved in the reporting.
Not all of those numbers were subsequently hacked, and the news outlets with access to the leak said more details about those who were compromised would be released in the coming days.
Among the numbers on the list are those of journalists for media organizations around the world including Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El País, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America, the Guardian said.
The use of the software to hack the phones of Al-Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research center at the University of Toronto, and Amnesty International.
Among the numbers found on the list were two belonging to women close to Saudi-born journalist Jamal Khashoggi, who was murdered by a Saudi hit squad in 2018.
The list also included the number of a Mexican freelance journalist who was later murdered at a carwash. His phone was never found and it was not clear if it had been hacked.
The Washington Post said numbers on the list also belonged to heads of state and prime ministers, members of Arab royal families, diplomats and politicians, as well as activists and business executives.
The list did not identify which clients had entered the numbers on it. But the reports said many were clustered in 10 countries — Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates.
The Guardian wrote that the investigation suggests “widespread and continuing abuse” of Pegasus, which NSO says is intended for use against criminals and terrorists.
Amnesty International and Forbidden Stories, a Paris-based media non-profit organization, initially had access to the leak, which they then shared with media organizations.
NSO, a leader in the growing and largely unregulated private spyware industry, has previously pledged to police for abuses of its software.
It called the allegations exaggerated and baseless, according to The Washington Post, and would not confirm its clients’ identities.
Citizen Lab reported in December that dozens of journalists at Qatar’s Al-Jazeera network had their mobile communications intercepted by sophisticated electronic surveillance.
Amnesty International reported in June of last year that Moroccan authorities used NSO’s Pegasus software to insert spyware onto the cellphone of Omar Radi, a journalist convicted over a social media post.
What is Pegasus software?
Pegasus is military-grade surveillance or spying software.
The NSO Group, which was founded in 2010, is most known for developing Pegasus, a program that lets users remotely hack into cellphones and obtain access to their contents and features, including the microphone and camera.
Pegasus is not sold to private entities or even to any government, according to the corporation.
In reality, NSO emphasized in its letter to The Wire and its media partners that it only sells its spyware to “vetted nations.”
The corporation refuses to release its customer list, but the prevalence of Pegasus infections in India, as well as the spectrum of people who may have been targeted, clearly suggest that the spyware is being operated by an official Indian agency, the Wire has claimed.
Forbidden Stories, a France-based media non-profit, and Amnesty International were the first to have access to the leaked list, which they shared with The Wire and 15 other news organizations around the world as part of the Pegasus Project, a lengthy collaborative investigation.
Working together, The Guardian, The Washington Post, Le Monde, and Suddeutsche Zeitung were able to independently identify the owners of over 1,571 phone numbers in at least 10 countries, and forensically check a small cross-section of phones related with these numbers to test for Pegasus.
What does Pegasus maker say after the investigation?
The claim that the disclosed list is linked in any way to the operation of NSO’s malware is refuted by NSO.
The company initially stated in a letter to The Wire and Pegasus Project partners that it had “good reason to believe” that the leaked data was “not a list of numbers targeted by governments using Pegasus,” but rather a larger list of numbers that might have been used by NSO Group customers for other purposes.
How are Indian journalists reacting?
The story was broken by liberal left-wing media The Wire and has since then taken Twitter on a storm.
“Dear @PMOIndia why did your government put me on an intrusive surveillance list? For committing a crime of doing investigative journalism? Why was #Pegasus spyware introduced in my phone? Pegasus is only sold to governments,” wrote NDTV and GulfNews columnist Swati Chaturvedi on Twitter.
“Is any mainstream media house in India going to carry the #pegasus story? It is supposed to be the world’s largest democracy!,” wrote another journalist with Gulf News, Ashok Swain.
“The question this raises is if #Pegasus is only sold to governments, which other govts (China/Pak?) are using it to snoop on prominent Indian citizens? Shouldn’t the authorities call for an independent investigation?,” Indian Congress MP Shashi Tharoor wrote on Twitter.
With reporting from AFP.