WhatsApp hack: Pegasus scandal highlights India's self-destructive lack of oversight over its intelligence services
Each evening, a brown manilla envelope would arrive on Charles Hughes' desk, containing a roadmap to world peace. In 1921-1922, the savage wounds of the First World War still unhealed, the United States' secretary of state was negotiating restrictions on the sizes of naval fleets in the Pacific. Tokyo's negotiators were holding out for 700,000 tonnes to the US and UK's million tonnes each. The plain paper sheets inside the envelope told Hughes something the Japanese negotiators didn't yet know: what they were to say the next day.
For customers at its New York office, the Black Chamber was a normal business; a provider of codes and ciphers to secure telegraph communications. Led by Herbert Yardley, the organisation was in fact in the business of decrypting secret diplomatic traffic. Hughes learned Tokyo was telling its negotiators to settle for a much smaller fleet, of just 300,000 tonnes — and was able to seal a much better deal than was thought possible.
In 1929, then-secretary of state Henry Stimson cut off funding to the Black Chamber. "What you do in war and what you do in peace," declassified documents record him as saying, "are two entirely different things." He tartly added, "Gentlemen, do not read each others' mail."
Faced with revelations that the phones and digital communications of at least 19 academics, journalists and activists were surveilled, India’s intelligence community and government have been scrambling for cover. From details so far available, it’s clear the surveillance was carried out without lawful authorisation — and with no legal oversight. The elements of a blockbuster scandal are all present: Shady Israeli contractors, out-of-control spies, and a government willing to subvert the Constitution.
The story, though, is more complex than it might seem — and holds out questions about intelligence oversight and reform that India’s politicians have long ducked, corroding both the integrity of the covert services and the country itself.
In 2018, Citizen Lab at the Munk School of Government at the University of Toronto first published findings demonstrating that an Israeli company, NSO Group, had exploited vulnerabilities in operating systems to create Pegasus, a system capable of hijacking targeted phones. Even though ongoing litigation involves WhatsApp’s claims against NSO, the technology in fact allows for almost everything on the phone — from contacts to mail — to be surveilled, even manipulated.
NSO Group's customers included governments in West Asia with a reputation for lawlessness and brutality; their targets included well-reputed human-rights defenders. In Mexico, the government's use of Pegasus to target lawyers, journalists and political activists has sparked a still-unfolding criminal investigation. Elsewhere, targets have ended up in prison — or dead.
Led by Omri Lavie and Shalev Hulio, both veterans of Israel’s Unit 8200 signals intelligence arm, NSO Group is just one of several private sector contractors offering similar technologies. Others include HackingTeam from Italy, FinFisher in the United States, and even Wolf Intelligence from India, which claimed at an exhibition in France in 2016 to have technology that could infect iPhones, much like NSO Group. Firms like Zerodium, and Indian-Cypriot Lokd, specialise in zero-day exploits — vulnerabilities in operating systems.
E-mail stolen from HackingTeam — which was itself spying on an NSO demonstration for authorities in Mexico — shows that one system marketed in 2013, capable of targeting iOS 6, was on offer for a staggering $18 million. From a 2016 price list, again leaked, NSO is known to have been offering customers the rights to hack 10 devices for $650,000, on top of a $500,000 installation fee.
Put simply, there’s an entire ecosystem of companies making Pegasus-like tools for governments across the world. To understand why involves a brief detour through the history of communications intelligence.
Ever since humans learned the power of lies, they have worked to shield their secrets — and seize those of others. The contest between the cryptologist, or code-maker, and cryptanalyst, or code-breaker, has been one of the defining struggles of history. Fearing that his messengers might be captured or corrupted, Julius Caesar used what is called a substitution cipher — replacing the letter A with D, B with E and so on. The Kama Sutra’s author, Vatsyayana, listed mlecchita-vikalpa as one of the 64 arts women needed to learn — this one, to conceal sexual liaisons.
Basic ciphers like these were easy to crack, using a technique called frequency analysis — so cryptologists evolved ever more sophisticated tools. Simon Singh’s Black Chamber has a fantastic set of tools to study the evolution of both cryptology and cryptanalysis first-hand.
From 1925, Germany began deploying a path-breaking mechanical encrypted-communication system code-named Enigma, which resisted the combined efforts of cryptanalysts — thus allowing the Nazi military machine an unprecedented degree of secrecy, and facilitating its new strategy of high-speed mechanised war.
In 1939, the Polish mathematician Marian Rejewski led a team that made some breakthroughs against Enigma, based on studies of a machine stolen by the country's spies. Then, in 1943, a top-secret British team led by the mercurial Alan Turing used electromechanical devices — the first computers — to finally crack the Enigma code.
Full penetration of Enigma's naval variant needed a daring raid that allowed code-books to be salvaged from the submarine U559, without allowing Germany to suspect the vital information had not gone to the seabed.
Listening stations run by the Five Eyes — the United States, United Kingdom, Canada, Australia and New Zealand — were sucking up wireless communication across the world by the 1970s, learning from the value communications intelligence had demonstrated during the Second World War.
From 1998, though, fears began to mount in the European Parliament that the surveillance system, code-named Echelon, was being used to gain the United States advantages in commercial negotiations. There were also credible concerns over privacy-rights violations, with agencies barred by law from spying on their own citizens using partners to do the dirty work for them.
In 1993, Canadian intelligence officer-turned-whistleblower Fred Stock revealed the targets weren’t only security-related: Negotiations of the North American Free Trade Agreement, Chinese grain purchases, French weapons sales, even radical environmental organisations like Greenpeace.
Edward Snowden’s disclosure that the United States' National Security Agency was vacuuming-up gigantic amounts of international data traffic — in effect, reading everyone’s private correspondence — surprised no-one who followed the intelligence world: Only the scale was startling.
Like many other countries, India just didn’t have NSA-like resources — but wanted in on the technology. Early this decade, companies like Shoghi and ClearTrail were selling equipment capable of plucking conversations off air, by listening-in to mobile phone and satellite traffic. The technology could even, one Shoghi brochure states, analyse "bulk speech data" — in other words, listen in and pick particular languages, words, or even voices out of millions of simultaneous conversations.
Police forces enthusiastically embraced the technology, until its potential for abuse became clear when the conversations of top officials were accidentally intercepted in Karnataka and New Delhi. The Central government stepped in to restrict the use of mass interception by states — but stopped short of legally regulating its own use of the technology.
Large prime number cryptography — the kind used to secure everything from banking transactions to iMessage and WhatsApp — posed bigger challenges. The technology shifted the balance of power away from the cryptanalyst to the cryptographer. Because no-one has discovered a fast way to factorise large prime numbers — or, at least, is known to have done so — it requires gargantuan amounts of computing power to decrypt the most routine communications. Even with a supercomputer, by one estimate, it would take 1.02 x 10^18 years — a billion times a billion — to crack a single Advanced Encryption Standard digital key.
Even if the NSA was capturing everyone’s conversations, it couldn’t conceivably read all of them — and for both spies and law-enforcement, this was a real problem. Banks needed secure means to conduct transactions; businesses needed to be sure their rivals couldn’t spy on them; individual citizens wanted secure privacy — but the same technology aided the terrorist and the plain-vanilla criminal, too.
Late to the game, encryption posed special problems for India. The Centre for the Development of Telematics’ Lawful Interception and Monitoring project, and the Defence Research and Development Organisation’s NETRA, gathered vast amounts of data — but much of it was walled-off by advanced encryption.
New Delhi’s efforts to play catch-up, inspired by China’s successes in the field, had less-than-luminous results. In 2018-2019, the government drastically increased the National Security Council’s budget to Rs 841.73 crore — Rs 715.89 crore of which was to be invested in projects by Indian technology start-ups, focussing on communications intelligence.
The money, though, mostly went unspent: Knowing all but a few projects would likely fail, bureaucrats refused to sign off on the high-risk spending, fearing subsequent inquiries and criminal investigations. For 2019-2020, the National Security Council’s budget was slashed to Rs 152 crore.
Left with few options, the government turned to the Research and Analysis Wing — and its unaudited bank accounts overseas — to pick up what technology could be found overseas. "The numbers of individuals on whom the system could be was small," a senior intelligence official says, "because of the enormous costs involved. The Maharashtra Maoist cases were a kind of test."
From 2016, acquisitions of technology from Israeli vendors have exploded across India — with increasingly sophisticated surveillance technology being used by police forces from Telangana and Tamil Nadu to Jammu and Kashmir. "There’s plenty of anecdotal stories to suggest terrorist plots have been hit by surveillance technology — but no way to tell if the same technology is being used for unlawful purposes, too," he adds.
"Even if it isn’t today," a New Delhi-based police officer says, "it will be tomorrow. The temptation for the executive to use this technology to serve its political interest has been shown to be too great to resist before, and will be yet again."
Historians of intelligence have judged Henry Stimson harshly for shutting down the Black Chamber. His instincts, though, weren’t wrong: The rules of war are, indeed, different from the rules of peace. In March 1950, the National Security Council of the United States of America issued a top-secret directive that Stimson might have predicted would end in tragedy. “The special nature of Communications Intelligence activities,” it reads, “requires that they be treated in all respects as being outside the framework of other or general intelligence activities.”
Inside a decade, the NSA had begun spying on its own citizens: Top politicians like Frank Church and Howard Baker, civil rights leaders like Martin Luther King Jr, the actress Jane Fonda, and even that writer of wonderful poems for little children, Benjamin Spock, were all deemed legitimate targets.
Eventually, the United States Senate stepped in. The pathbreaking investigation of the Church Commission warned: "The interception of international communications signals sent through the air is the job of NSA; and, thanks to modern technological developments, it does its job very well. The danger lies in the ability of the NSA to turn its awesome technology against domestic communications."
Fighting interception technologies like Pegasus, history tells us, is a pointless enterprise: Nation-states aren’t gentlemen, and have a legitimate interest in tearing the shroud of their enemies’ secrets. Instead, institutions need to be in place to ensure this technology is used for lawful ends. Perhaps the government had credible reasons to believe the individuals it targeted with Pegasus posed a threat to the Union — but that determination needs to be made in lawful ways, not on a bureaucrat’s whim.
India has had more than its fair share of painful learning on the price of unlawful intelligence operations: The country’s institutions still wear scars from former prime minister Indira Gandhi’s abuse of the Intelligence Bureau, and the multiple wiretap scandals that erupted on Manmohan Singh's watch. In not one case, however, has accountability ever been determined, and wrong-doing punished.
R&AW and the Intelligence Bureau are not governed by any Act; their charters are vague, containing no express prohibitions or responsibilities. This is in stark contrast to other democracies, ranging from the United States to the United Kingdom, France and Germany; even Israel.
India’s lawless national security architecture encourages politicians to misuse the covert services, and the intelligence leadership to collude with politicians. The inexorable consequence has been a toxic institutional culture, characterised by mediocrity and the absence of accountability.
The time came long ago for India’s Church Commission moment — but even now isn’t too late.