In October 2023, Apple notified several Opposition leaders and journalists in India that their phones had been remotely targeted by state-sponsored attackers. The notification sent by the smartphone manufacturer reads, “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID.” It further goes on to say, “These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.” This development has reignited existing concerns around the Indian government's alleged use of spyware and its illegitimate surveillance practices.
This is not the first time Apple has notified individuals about the possibility of their phones having been targeted by state-sponsored attackers. Apple debuted their threat notification feature in November 2021, following revelations that were made as part of the Pegasus Project — an investigative reporting initiative comprising more than a dozen news organisations. Months earlier, the project had started shedding light on how Pegasus spyware was being used to target and infect the phones of human rights activists, political dissidents and journalists around the world, including in India.
The first round of threat notifications issued by Apple in November 2021 was delivered to Thai activists and researchers who were known to be critical of Thailand’s government. In December 2021, Apple notified 11 employees of the US Embassy in Uganda about their phones having been targeted by state-sponsored attackers. Since the threat notifications feature was first launched two years ago, Apple has notified individuals in over 150 countries about possible targeting of their phones by state-sponsored attackers.
A sealed-cover report
In March 2023, the Financial Times reported that the Indian government was looking to acquire spyware from “less exposed competitors” of the NSO Group, the Israeli company responsible for developing and marketing the Pegasus spyware. The NSO Group has been subject to considerable scrutiny in India and abroad, after a series of damning articles were published as part of the Pegasus Project, describing the company’s role in creating and selling spyware.
In October 2021, the Supreme Court of India ordered a “thorough inquiry” into the Indian government’s alleged use of the Pegasus spyware. The apex court appointed an expert committee tasked with conducting forensic analysis of the phones of the individuals who were suspected to have been targeted with Pegasus. The committee submitted its final report before the SC in August 2022.
There are many parts of the sealed-cover report which have still not been made public, though it was reported that out of the 29 devices analysed, five were found to have been infected with spyware, though the committee was not able to conclude whether the spyware in question was Pegasus. It is worth noting that both the committee as well as the court had made it a point to observe on record that the Indian government chose not to cooperate with the committee throughout the course of the investigation.
Government response
Apple has not explicitly stated that it believes the Indian government to be behind the spyware attacks. As a matter of practice, the tech giant chooses not to attribute attacks related to a set of threat notifications as having originated from a particular country. Apple also chooses to not disclose any of the technical information it uses to detect attempted compromises of users’ devices. This position is justified: According to Apple, revealing information about what causes them to issue threat notifications could “help state-sponsored attackers adapt their behaviour to evade detection in the future.”
However, Apple’s decision to not show all of the cards it holds, was weaponised by IT Minister Ashwini Vaishnaw, who used it to downplay the public outcry surrounding the recent issue. He instead jumped at the opportunity to press Apple with questions. Vaishnaw said that the Apple threat notification “seems vague and non-specific in nature.”
Ordering an investigation into the matter, Vaishnaw somehow managed to simultaneously profess the seriousness with which this issue was supposedly being taken up by the Indian government, while still downplaying and attacking the veracity of the claims raised by Opposition leaders and journalists, calling it a “distraction”. The minister went as far as to falsely state that Apple itself had “released a clarification [proving] that the allegations by compulsive critics are not true.” Apple never released such a statement. But Vaishnaw issued his statements, all the while reiterating that “the government takes its role of protecting the privacy and security of all citizens very seriously.”
Meanwhile, the Indian government has given the mantle of investigating the spate of suspected spyware infections to CERT-In, a nodal agency under the Ministry of Electronics and Information Technology, which has a mandate for responding to and helping contain computer security incidents in the country. Though Apple — keeping in line with its behaviour in other countries — has not implicated any specific parties, the fact that only those who are known to be critical of the current ruling party have been on the receiving end of Apple’s threat notifications does not instill much confidence in the position taken by the government with regard to protecting the privacy of all citizens.
I will take this opportunity to ask a pressing question: Can CERT-In be trusted to maintain neutrality and operate without bias while investigating an issue where the Indian government may potentially be implicated as a suspect? As the matter stands, the possibility that the Indian government might have used spyware to surveil Opposition party leaders and journalists cannot be ruled out.
To date, the Indian government has not categorically denied or admitted to having acquired or deployed Pegasus within the country. At the same time, as noted above, the government has previously been characterised by the Supreme Court as not having cooperated with the expert committee tasked with investigating Pegasus.
Individuals who have received Apple’s threat notifications might be better off having their phones forensically examined by independent third parties that have been carefully analysing and publishing evidence documenting commercial spyware. Furthermore, it might also be time for the Supreme Court to consider making public the August 2022 report that was submitted in sealed covers to the court by the technical committee investigating Pegasus. This could be a step towards reassuring citizens of data privacy.
Arbitrary deployment of highly invasive surveillance technologies in violation of the constitutionally guaranteed right to privacy should have no place in a democracy. Comprehensive surveillance reforms and judicial oversight are the need of the hour — the targeting of Opposition leaders and journalists in the run-up to next year's general elections should be the final nail in the coffin.
(Karan Saini is an independent security researcher based in New Delhi, India.)