WhatsApp spy attack and after

Last week ended with a sensational piece of news: WhatsApp said spyware Pegasus was being used to hack into the phones of activists and journalists in India.

The software is the brainchild of the NSO Group, an Israeli company. WhatsApp has detected 1,400 instances of Pegasus being used in the latest wave of attacks between April 29 and May 10.

WhatsApp has identified 100-plus cases targeting human rights defenders and journalists. About two dozen of these attacks were in India.

Among those whose security was reportedly compromised is Congress leader Priyanka Gandhi.

The first question is who ordered this snooping. NSO claims they sell their technology only to government agencies for lawful investigation into crime and terrorism.

Speculation is rife that there is government involvement in the snooping. Vinay Srinivas, lawyer with Alternative Law Forum, Bengaluru, says, “The targets of the attack seem to be those who had critical things to say about the current government.”

Referring to a tweet by journalist Arvind Gunasekar, Srinivas says there is clear proof that the government knew of the breach and its severity.

The tweet includes a screenshot of a report from the CERT-IN (Indian Computer Emergency Response Team) website dated May 17. It shows severity rating as “High”.

WhatsApp says the vulnerability has now been patched and urged users to update the app. But a level of paranoia around smartphones and privacy has been created.

Apar Gupta, executive director of the Internet Freedom Foundation, based in Delhi works towards internet freedom and privacy, says Pegasus, specifically, is too expensive (it can cost up to eight million dollars a year to licence) to be used on ordinary citizens.

But not all spyware is expensive. “Multiple kinds are now commercially available and easy to procure. These can be used by an estranged lover or even a professional rival to find information about you,” he says.

Jija Hari Singh, retired DGP and Karnataka’s first woman IPS officer, says Pegasus is one of the smaller players, and spyware akin to it has been around for three decades. “Monsters bigger than Pegasus are still snooping on us,” she says.

NOTHING TO HIDE?

Many people fall back on the narrative of ‘I have nothing to hide, so I’m not worried’.

Aayush Rathi, Programme Officer at the Centre for Internet and Society, says that this is a flawed premise: “It is like saying free speech is not important for you because you have nothing useful to say.”

Gupta breaks down this rationale: “If a person has ‘nothing to hide’ then they should just unlock their phone and hand it over to any person who asks for it.
But the minute such a demand is made they would feel uncomfortable.”

This discomfort, he says, doesn’t come because they are doing something illegal but because they fear social judgement.

“There is a level of intimacy in their conversations that they’d rather not share with anyone else,” he says.

Many people believe only illegal activity leads to surveillance, but that is not the case.

“Even the most inconsequential actions are being logged on digital devices, and much of this information can be monetised,” he says.

The most tangible risks are financial fraud and identity theft, and spyware is also commonly used for corporate espionage.

UPDATE SECURITY

So what must one do if one’s phone is spied on? In the case of Pegasus, Rathi says, “You would have received a communication from WhatsApp if you were targeted. Irrespective, you should update the application immediately as the latest update fixes the vulnerability.”

Srinivas says legally the recourse available is the fundamental right to privacy. “Since the government doesn’t have any regulation in place to deal with this, the National Human Rights Commission will have to take it up,” he says.

Gupta advises precautions against preventable hacks. He advises a reading of online guides on surveillance self-defence, especially those by Electronic Frontier Foundation.

ALTERNATIVES

In terms of alternative messaging platforms, Signal, Telegram and Riot are considered as more secure apps. But even these could be hacked.

“Pegasus works at the level of the operating system,” says Rathi thus making any app vulnerable to it’s attack.

Shubhamangala Sunil, certified anti-terrorism specialist, says if you must have important conversations, do it in person with electronic devices at least 100 metres away.

Gupta urges people to engage with the problem positively.

“Make urgent demands for privacy and regulation around it. We’ve seen a large level of apathy towards use of technology and any conversation around data protection,” he says.

Along with a need for regulation for the future, Srinivas urges people to file
RTI petitions asking the government about Pegasus and what is being done about it. “This will help push the government into action against such attacks,” he says.

Indians hit by Pegasus

Many of those snooped on are connected with Bhima Koregaon movement and tribal movements in Chhattisgarh.

Nihal Singh Rathod: Bhima Koregaon lawyer

Bela Bhatia: Chhattisgath-based Dalit rights activist

Shalini Gera: Lawyer and secretary of the People’s Union for Civil Liberties

Ankit Grewal: Bhima Koregaon case lawyer

Anand Teltumbde: Academic and accused in the Bhima Koregaon case

Shubhranshu Choudary: Former BBC journalist, now working in Bastar

Santosh Bhartiya: Former MP and journalist

Rajeev Sharma: Journalist

Seema Azad: Activist (People’s Union for Civil Liberties)

How Pegasus works

Like most malware, Pegasus used to earlier try and get the target to click on a link.

Once this ‘exploit link’ was clicked the malware would install itself on the phone and access everything on it.

This includes private data such as passwords, contacts, texts, and live voice calls on messaging apps.

The software can even gain access to your camera, mic and GPS.

Now Pegasus uses a WhatsApp video call. Whether picked up or declined, is gains access to your phone.

Pegasus was reportedly used by Saudi Arabia to spy on assassinated journalist Jamal Khashoggi.

What to do if attacked

If you suspect you have been subject to any other kind of spying, Apar suggests you consult a digital technology specialist to remove the malware.

“There is a dearth of such specialists in India, but one can find help online. For example Access Now, a non-profit working towards an open and free Internet, has a helpline (help@accessnow.org). Amnesty Tech has a helpline specifically for human rights defenders. (share@amnesty.tech)