The astonishing capability of the Pegasus spyware, which was used to target human rights activists, lawyers and journalists in India and around the world, has been in focus as details of the attack have emerged over the last few days. The tool in question was able to hack into any phone simply through a missed call, predominantly via WhatsApp, giving the attackers unfettered access to the device, including location data, emails, passwords and even the ability to turn on its mic and camera. What is much less clear is the scale of the attack.

In India, news reports have mentioned estimates of 25-50 individuals targeted. Scroll.in has been able to confirm with 22 of them, primarily working in the field of human rights. Other reports have mentioned political targets, such as former Union Minister Praful Patel.

Meanwhile, at the global level, WhatsApp has said that it detected approximately 1,400 instances of the spyware being used between April 29, 2019, after it was alerted to the vulnerability, and May 10, 2019, when it was patched.

“The Target Users included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials,” the Facebook-owned messaging company said in a lawsuit it has filed against NSO Group, an Israeli spyware developer that sells Pegasus.

So out of the 1.5 billion or so users of WhatsApp, are only 1,400 people affected?

The answer is simply that we don’t know.

Specific numbers

When asked about specific numbers, a WhatsApp spokesperson referred us to the FAQ page that the company put up after it announced the lawsuit against NSO Group. The page mentions that WhatsApp contacted approximately 1,400 users about the attack, but does not say whether it believes this is the total number of those who were targeted.

“Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators,” says a piece on Citizen Lab, the University of Toronto’s cyber-security group that helped WhatsApp identify some of those attacked by the spyware tools. Several other experts have also pointed out that the spyware tools, if not carefully monitored, could easily be deployed and deleted in such a way that they leave no trace – meaning it is possible that even WhatsApp has no sense of how many people were targeted.

Citizen Lab’s involvement, meanwhile, may explain why the names of targets that have emerged so far have turned out to be primarily those who work in the field of human rights. According to the same piece, after details of the missed-call vulnerability emerged in April 2019, “Citizen Lab volunteered to help WhatsApp identify cases where the suspected targets of this attack were members of civil society, such as human rights defenders and journalists.”

In other words, efforts to reach out to targets specifically prioritised those working in civil society organisations. The focus on civil society targets also formed a key part of the Op-Ed written by Will Cathcart, head of WhatsApp, in the Washington Post: “There was another disturbing pattern to the attack, as our lawsuit explains. It targeted at least 100 human-rights defenders, journalists and other members of civil society across the world,” Cathcart wrote. “Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk.”

Notice that the lawsuit includes, in addition to civil society professionals, “diplomats and other senior foreign government officials”, suggesting that more explicitly political targets may also have come to light, but WhatsApp and Citizen Lab have chosen not to focus on them for now.

“The way these companies would do this is that they would prioritise human rights defenders and journalists first,” said Raman Jit Singh Chima, Asia Policy Director and Senior International Counsel at Access Now, a global advocacy group dedicated to the open internet. “These companies are under special obligation to tell them first. It would favour those who are most targeted, and most vulnerable, even though there may be other people.”

Could there be more than the 1,400 that WhatsApp has so far mentioned? “I think it would definitely be a small subset,” Chima said. “It’s definitely not the entire set targeted by Pegasus, which, remember, has capabilities beyond WhatsApp.”

Indeed, Citizen Lab had earlier found that Pegasus, before the video-calling hack had been identified, was being used in as many as 45 countries. “Moreover, though WhatsApp may have more data, it may be information that even they don’t fully understand or are trying to corroborate. So we don’t really know,” Chima said.