By now, ministers and Bharatiya Janata Party members have fulminated and muttered complaints about the massive story of illegal surveillance using Pegasus spyware on Indian citizens.

On Monday, new Information Technology minister Ashiwini Vaishnav described the reports as “highly sensational”, hours before it emerged his own phone number had been on a list of potential hacking targets. Union Home Minister Amit Shah attempted to repurpose his infamous chronology comment and make vague remarks about a global conspiracy.

Ravi Shankar Prasad, recently sacked from the Cabinet, asked if this was “revenge for the way India handled Covid, caccination and more than 75% of population are getting free vaccines” even though the consortium of news organisations that broke the story were reporting on surveillance in Mexico, Rwanda, Morocco and Hungary.

In all of these official responses, one phrase was missing: India did not use Pegasus spyware on its own citizens.

Here are the main responses so far, not counting sundry defences put up by party spokespersons on TV talkshows:

  • The official response to queries from the Washington Post, later comically released to ANI without any attribution.
  • Information Technology Minister Ashwini Vaishnav’s statement in Parliament.
  • Home Minister Amit Shah’s “disruptor-obstructer” press release.
  • Recently fired minister Ravi Shankar Prasad’s press conference on behalf of the party.

Each of these feature various dodges about the reports from a consortium of global news organisations that revealed potential targets of illegal hacking using Israeli firm NSO Group’s Pegasus software, which the firm says is sold only to “vetted governments”. A small cross-section of these numbers analysed by Amnesty International’s Security Lab did indicate actual hacking or hacking attempts.

Individuals like former Congress President Rahul Gandhi, former Election Commissioner Ashok Lavasa, political strategist Prashant Kishor and others were reportedly on the leaked list of potential Pegasus targets, in addition to a number of journalists and human rights activists, raising serious questions about India’s democratic set up.

Did India use Pegasus?

There are a number of reasons to believe that the Indian government, or a security agency under it, may have been using Pegasus.

For one, the NSO Group has stated several times that it only sells its spyware to “vetted governments”. Researchers at Citizen Lab, the University of Toronto’s cyber-security group that has previously studied the use of Pegasus, have concluded that India is one of the company’s clients.

Moreover, according to the Guardian, “the selection of Indian numbers largely commenced around the time of Modi’s 2017 trip to Israel, the first visit to the country by an Indian prime minister and a marker of the burgeoning relationship between the two states, including billions of dollars in deals between Delhi and Israeli defence industries”. This is significant because Pegasus is classified as a cyber weapon and any export must be approved by the Israeli Defence Ministry.

But perhaps the most relevant reason to believe that the Indian government has purchased and used Pegasus is simply that, despite being asked about it repeatedly, it has refused to say no.

After reports of Pegasus spyware being used to hack into the phones of human rights activists first emerged, a number of questions were posed in 2019 to Ravi Shankar Prasad who was IT minister at the time. His answer at the time was simply, “To the best of my knowledge, no unauthorised interception has been done.”

Prasad did not say no. He did not deny the use of Pegasus. By refusing to do so, he implied that the government may have “authorised” the use of the spyware against Indian citizens.

Not saying ‘no’

Glance at each of the responses over the past three days, and you’ll find similar attempts to avoid saying no.

The statment to the Washington Post, for example, says, “Government of India’s response to a Right to Information application about the use of Pegasus has been prominently reported by media and is in itself sufficient to counter any malicious claims about the alleged association between the Government of India and Pegasus.”

Except the RTI reply from 2019 neither confirmed nor denied whether Indian authorities had used Pegasus. Instead, it simply said that the Cyber and Information Security Division of the Home Ministry had “no information” about this.

The response also says that “in the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian State. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.”

This is again untrue. First, the alleged use of Pegasus was not categorically denied by the Indian state – and still has not been.

Second, in the Indian Supreme Court, WhatsApp’s counsel said nothing about whether it had information about the Indian state using Pegasus. Instead, in an unrelated court hearing regarding the safety of online payment systems, the lawyer for WhatsApp offered a boilerplate denial that his client had been hacked.

More pertinently, WhatsApp actually filed a complaint against NSO Group in the US and admitted – in a piece written by the messaging service’s head Will Cathcart – that its spyware had been used to target “at least 100 human-rights defenders, journalists and other members of civil society across the world”.

If that wasn’t enough, here is Cathcart’s tweet following the new Pegasus revelations:

Confusing Parliament

New IT minister Ashwini Vaishnav, whose own phone number is on the list of potential targets, then took to Parliament to make a statement on the issue.

In the Lok Sabha, Vaishnav first repeated the line about WhatsApp denying hacking claims, despite Cathcart’s very public statements and the company’s legal action against NSO Group.

After asking whether the emergence of this global investigation on the eve of India’s Parliamentary session was a coincidence, he went on to make two major claims:

  • “The report itself clarifies that presence of a number [on the list] does not amount to snooping.”
  • “NSO has also said that the list of countries shown using Pegasus is incorrect and many countries mentioned are not even our clients. It also said that most of its clients are western countries.”

The first is accurate. The reports from the 17 news organisations do asset that simply the presence of a number on the leaked list does not mean that they were hacked. Yet, what Vaishnav failed to inform Parliament was that analysis of a small cross-section of numbers confirmed hacking or hacking attempts, and revealed that the timing closely matched with the inclusion of the numbers on the leaked list.

In a number of cases, analysis revealed that Indian citizens had indeed been spied on by NSO’s software. That should be alarming news for the minister, yet he did not mention or address it. And this is despite India’s own cybersecurity agency, CERT-In, having published a vulnerability report about Pegasus that the government had acknowledged in 2019.

The second statement is even more bizarre. Vaishnav could have simply said that the Indian government, or various agencies under it, have not used Pegasus. Instead, he pointed to a statement from NSO Group claiming that the list of countries is incorrect. Why should Indian citizens rely on the word of an Israeli company when its own government could very well come out and set the record straight?

Following this, Vaishnav fell back on the claim that “the time tested processes in our country are well-established to ensure that unauthorised surveillance does not occur”.

Wild conspiracy theories

Finally, Union Home Minister Amit Shah and recently fired IT minister Ravi Shankar Prasad entered the fray with more political responses.

In a release on his website, Shah audaciously attempted to reclaim his infamous “understand the chronology” statement and insisted that the aim of the reports are to “do whatever is possible and humiliate India at the world stage, peddle the same old narratives about our nation and derail India’s development trajectory”. He went on to claim, “This is a report by the disrupters for the obstructers.”

Again, the Union Home Minister made no attempt to respond to the underlying question: did India use Pegasus against its own citizens?

Shah also did not explain why he was insisting that a global journalism project, which has also led to questions about state suveillance in countries as disparate as Mexico, Saudi Arabia, Rwanda and Hungary as well as the policies of Israel, was somehow a conspiracy against India.

Ravi Shankar Prasad, however, offered an answer to this question.

You read that right. Prasad asked if this global investigation into the practices of an Israeli spyware company that permits governments to hack into the phones of journalists, activists and political opponents was somehow revenge for his government’s handling of the Covid crisis – which was on display for the world to see in April and May – as well as its confusing u-turns on vaccine policy that have left India with a fully vaccinated figure of just 6% halfway into 2021.

Again, instead of answering the question of whether India had used Pegasus, the former minister offered a more roundabout claim, saying ,“Not a shred of evidence has come... that there is any linkage of the government or the Bharatiya Janata Party.”

Maybe more tellingly – and inaccurately – Prasad asked a question that appeared to betray a deeper truth: “If more than 45 countries are using Pegasus, why is only India being targeted?”