Pegasus spyware: Has national security been compromised?

While it is par for the course for governments in India to put political opponents, media persons and diplomats under surveillance, the recent use of Israeli-origin Pegasus software may be particularly egregious. Its plug-and-play spyware converts a mobile phone into a surveillance device.

The latest Pegasus leaks leave little doubt that its use has undermined India's democratic institutions. This includes the judiciary, Election Commission, the Parliamentary Opposition, Cabinet of ministers, and media. However, an important ramification of the Pegasus spyware seems to have escaped the debate: The possibility that national security could be compromised if the intelligence gathered by Pegasus were available to a third country.

If the Narendra Modi government has used Pegasus, has it then opened itself to strategic blackmail? Would not the organisation that has the list of target phones in its repository also have access to the information gathered from them?

One must ask where did the leak of the 50,000 mobile phones ostensibly compromised by Pegasus take place. It clearly did not originate in India or any country named in the leaks. So, where is the central repository located, and who controls it?

The prime suspect would be the NSO Group, which owns and sells Pegasus spyware, despite claiming that it has no knowledge of how its clients use it for investigating terrorism and serious crime. If this were true, then the NSO would be in no position to give a clean chit to its clients or assure critics that it can block clients' access to the spyware if misused.

It is proven that the phones of assassinated Saudi journalist Jamal Khashoggi, his wife, son and associates were compromised using Pegasus. It was also deployed to break into the phones of his fiancé and the Turkish Chief Prosecutor after his murder. The NSO Group gave itself a clean chit saying it "can confirm that our technology was not used to listen, monitor, track, or collect information regarding him (Khashoggi) or his family members." Could the company have done this without direct "insight" into how its spyware was used?

The NSO Group claims that if misuse of its technology is established, it can take appropriate action. "This includes shutting down a customers' system, something NSO has proven its ability and willingness to do… (has) done multiple times in the past, and will not hesitate to do again." A shutdown done remotely would require the existence of backdoor access to the Pegasus spyware programme. Pegasus clients may not have full knowledge of how much information is let in or let out through this backdoor.

The NSO Group is closely linked to the Israeli government. Sales to foreign clients are subject to the Israeli Defence Ministry's approval. It is also linked to Israel's defence establishment through its recruitment of staff. According to OCCRP (Organised Crime and Corruption Reporting Project), many of the 700 employees of the NSO Group are young Israeli veterans – not surprising in a country with compulsory military service.

Moreover, it also points out, "Veterans from Unit 8200 of the Israeli Defence Forces, which is responsible for communications intelligence and has been described as 'the foremost technical intelligence agency in the world', are known to have helped develop its (NSO Group's) technology." The company's spokesperson, Ariella Ben-Avraham, a former brigadier general, was Israel's "State Censor" earlier.

Given these overlaps, the Israeli government's claim that it "does not have access to the information gathered by NSO's clients" leaves niggling suspicions about the firewall, if any, between NSO and the Israeli state. It is tempting to speculate that Israeli state intelligence agencies might have access to the strategic intelligence gathered by Pegasus for NSO Group's clients.

The NSO Group claims that its product cannot be used to penetrate US phones. Was this a conscious decision taken by those who designed the spyware and, if so, why? The Washington Post found that the dozen phone numbers of Americans working overseas on the leaked list, were all, except one, registered with foreign cellular networks. It is also difficult to ignore that the phone numbers of public figures leaked in the list are overwhelmingly from countries where Israel and the US have strategic interests.

Assuming for the moment hypothetically that a foreign country has access to data and intelligence gathered using Pegasus, what happens then? Can stealthily-procured intelligence be used by the third party for geopolitical ends? One might witness that unfolding in the region soon.

Given its history of being economical with the truth even before Parliament, unless the government categorically states that none of its intelligence agencies purchased or used Pegasus against Indian citizens, it will be presumed to be guilty. As India has good relations with Israel, Prime Minister Modi can easily follow his party MP Subramanian Swamy's advice – ask Israel, who paid for Pegasus and put his fellow citizens under surveillance.

(The writer is a journalist based in Delhi)

Disclaimer: The views expressed above are the author’s own. They do not necessarily reflect the views of DH.