Explained | The operations of the Pegasus spyware

How does the NSO based spyware infiltrate mobile phones and laptops? Does India have laws against unauthorised hacking?

Updated - February 03, 2022 07:32 am IST

Published - January 31, 2022 03:28 pm IST

Photo: Getty Images/iStockphoto

Photo: Getty Images/iStockphoto

The story so far: On January 28, the New York Times published an article extensively detailing how Pegasus, a spyware developed by Israel-based NSO Group, has been used as a tool to firm up Israel’s interests across the globe. The investigative article said that Israel got countries that had historically been against it on the Palestine issue to switch sides by offering this powerful spyware that can be deployed not only against drug traffickers and terrorists, but also against opposition activists and prying journalists. The tool is cited as one of the reasons why the Abraham accords between Israel and its neighbouring Arab countries fell into place and won the blessing of Saudi Arabia.

In this article, the reporters also assert that Pegasus was part of a $2-billion “package of sophisticated weapons and intelligence gear” transaction between India and Israel after Narendra Modi became the first Indian Prime Minister to visit Israel. The article claims that it was after this deal that India changed its historically pro-Palestine stance and voted in Israel’s favour in 2019 “at the U.N.’s Economic and Social Council to deny observer status to a Palestinian human rights organization.”

What do we know about Pegasus?

The Pegasus spyware can not only mop up information stored on phones such as photos and contacts, but also activate a phone’s cameras and microphones to turn it into a spying device without the owner’s knowledge.

It was reportedly used to entrap and murder Jamal Khashoggi, a critic of the Saudi Arabian Crown Prince Mohammed Bin Salman. As per the NYT article, it was used by UAE and Mexico and others against government critics alongside drug traffickers. The U.S.’s FBI also reportedly tested it out, though it was not deployed in the country.

The earliest avatars of Pegasus used spear phishing to enter phones, utilising a message designed to entice the target to click on a malicious link. However, it evolved into “zero-click” attacks with the phones being infected without any action from the target individual. In 2019, WhatsApp released a statement saying that Pegasus could enter phones via calls made on the platform, even if they were not attended. Pegasus used several such “exploits”, or weaknesses, to enter Android and Apple phones; and many of these exploits were reportedly “zero day”, which means even the device manufacturers were unaware of these weaknesses. Pegasus can also be delivered over the air from a nearby wireless transmitter, or manually inserted if the target phone is physically available. Once inside the phone, Pegasus seeks “root privileges”, a high level of control over the phone that enables the spyware to establish communications with its controllers through an anonymised network of internet addresses and servers. It can then start transmitting any data stored on the phone to its command-and-control centres.

What is known about the use of Pegasus in India?

Reports that appeared in July 2021 from the Pegasus Project, which includes The Wire in India, The Guardian in the U.K., and The Washington Post in the U.S., said that in India, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance using Pegasus. The reports were based on a database of about 50,000 phone numbers accessed by the Paris-based non-profit Forbidden Stories and Amnesty International. These numbers were reportedly of interest to clients of the NSO Group, primarily from 10 countries. According to The Guardian , Amnesty International’s Security Lab tested 67 of the phones linked to the Indian numbers in the database and found that “23 were successfully infected and 14 showed signs of attempted penetration”.

Since Pegasus is graded as a cyberweapon and can be sold only to authorised government entities as per Israeli law, most reports have suggested that the governments in these countries are the clients.

What has been the fallout?

The Indian government has so far neither confirmed nor denied that it has deployed Pegasus for any operation. In the wake of the Pegasus Project revelations, several petitions were filed with the Supreme Court alleging that the Government has indulged in mass surveillance in an attempt to muzzle free speech and to chill dissent. In response to the petitions, the Supreme Court asked the Centre to file a detailed affidavit regarding the use of Pegasus. However, the Centre refused to comply, arguing that such a public affidavit would compromise national security. Following this, the Supreme Court on October 27, 2021 appointed an expert panel monitored by retired Supreme Court judge Justice R.V. Raveendran to probe and file a report on the spying allegations. The panel is yet to file the report.

The Government has so far not responded to the NYT report, except for Minister of State Gen (Retd) V.K. Singh calling the New York Times a “supari” (hit-job) newspaper. Former Indian Ambassador to the UN Syed Akbaruddin denied the claim that the alleged Pegasus sale influenced India’s 2019 vote against Palestine at the U.N.

What do Indian laws outline?

Section 5(2) of The Indian Telegraph Act, 1885, states that the Government can intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence”. The operational process and procedures for it appear in Rule 419A of the Indian Telegraph Rules, 1951. Rule 419A was added to the Telegraph Rules in 2007 after the verdict in the People’s Union for Civil Liberties (PUCL) vs Union of India case in 1996, in which the Supreme Court said telephonic conversations are covered by the right to privacy, which can be breached only if there are established procedures. Under Rule 419A, surveillance needs the sanction of the Home Secretary at the Central or State level, but in “unavoidable circumstance” can be cleared by a Joint Secretary or officers above, if they have the Home Secretary’s authorisation. In the K.S. Puttaswamy vs Union of India verdict of 2017, the Supreme Court further reiterated the need for oversight of surveillance, stating that it should be legally valid and serve a legitimate aim of the Government. The court also said the means adopted should be proportional to the need for surveillance, and there should be procedures to check any abuse of surveillance. The second legislation enabling surveillance is Section 69 of the Information Technology Act, 2000, which deals with electronic surveillance. It facilitates Government “interception or monitoring or decryption of any information through any computer resource” if it is in the interest of the “sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order” or for preventing or investigating any cognizable offence. The procedure for electronic surveillance as authorised by Section 69 is detailed in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. These rules, according to Apar Gupta, lawyer and executive director of the Internet Freedom Foundation, are very broad and allow even the redirection of traffic to false websites or the planting of any device to acquire any information. Mr. Gupta is of the opinion that the use of Pegasus is illegal as it constitutes unauthorised access under Section 66 of the Information Technology Act. Section 66 prescribes punishment to anyone who gains unauthorised access and “downloads, copies or extracts any data”, or “introduces or causes to be introduced any computer contaminant or computer virus,” as laid down in Section 43.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.