Israeli company NSO Group, which sells the Pegasus spyware, on Monday dismissed reports about surveillance on Indian ministers, Opposition politicians, and journalists, saying that they were “full of wrong assumptions and uncorroborated theories”.
The clarification came after a leaked list, featuring more than 50,000 phone numbers “concentrated in countries known to engage in surveillance of their citizens”, was accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International, which shared it with 17 news organisations as part of the Pegasus Project. The alleged hacking was done using the NSO Group’s Pegasus spyware.
According to the Wire, which focused on the Indian portion of the list, “the numbers of those in the database include over 40 journalists, three major opposition figures, one constitutional authority, two serving ministers in the Narendra Modi government, current and former heads and officials of security organisations and scores of businesspersons”.
“After checking their [Forbidden Stories] claims, we firmly deny the false allegations made in their report,” the NSO Group said on Monday. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”
The Israeli surveillance company said that claims made in the reports by the sources were done on the basis of “misleading interpretation of data from accessible and overt basic information”. It added that this had no bearing on the list of the customers’ targets of Pegasus or any other NSO products.
“Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies for numerous purposes, as well as by private companies worldwide,” the company said. “The claims that the data was leaked from our servers, is a complete lie and ridiculous, since such data never existed on any of our servers.”
- Pegasus: Indian politicians and reporters on list of targets for spyware ‘sold only to governments’
- ‘No unauthorised interception’, says Centre on Pegasus hack targeting Indian journalists, ministers
The Israeli company reiterated that it was not involved in the 2018 murder of The Washington Post journalist Jamal Khashoggi, adding that this claim had been investigated earlier. “We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry,” the statement from the NSO Group added.
The company again said that it sells its “technologies solely to law enforcement and intelligence agencies of vetted governments”, adding that this was done with the purpose of preventing crime and terror activities. “NSO does not operate the system and has no visibility to the data,” the company added.
Meanwhile, an Indian government statement on Sunday failed to categorically address questions of whether any Indian agencies had used the spyware. Instead, it said that “there has been no unauthorised interception” and that “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”.
But the Internet Freedom Foundation, an Indian non-governmental organisation that seeks to protect digital liberties, on Monday said the Indian government’s statement on the allegations of surveillance was not enough.
“We would like to emphasise that this response by the Government is insufficient and fails to respond conclusively to the detailed reporting by the Pegasus Project,” the organisation said. It also noted that the government had no power to hack into the phones of Indian citizens.
“Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000 and it is only through such hacking that the Pegasus spyware can be used against a person,” the Internet Freedom Foundation said. “This revelation reveals a need for urgent surveillance reform to protect citizens against the use of such invasive technologies which hamper their fundamental right to privacy and threatens the democratic ideals of our country.”
The organisation pointed out that such surveillance deters journalists from reporting on sensitive matters and stops human rights activists from working with the vulnerable sections of the society, some of whom may “have been victimised by their own government”. “IFF will attempt to reach out to any victims of illegal surveillance in India and we will make every attempt to ensure that they can access the legal system to seek redress,” it added.
On Sunday, The Wire had revealed the names of dozens of journalists and activists on the list, including its own founder-editors Siddharth Vardarajan and MK Venu, The Hindu’s Vijaita Singh, the Hindustan Times’ Shishir Gupta, as well as scholars and activists on the Committee for the Release of Political Prisoners and relatives, lawyers and friends of those arrested in the Bhima Koregaon case and the accused themselves.
The Wire added that more names would be revealed over the next few days. It said that the database also features a number registered in the name of a sitting Supreme Court judge, though it has yet to verify whether the judge was using it during the period of the hacking.
‘Horrible human rights abuses,’ says WhatsApp chief
The head of Facebook-owned messaging platform WhatsApp Will Cathcart on Sunday accused NSO’s Pegasus spyware of committing “horrible human rights abuses”.
Cathcart called on technology companies and governments to hold the Israeli surveillance company accountable for the alleged hacking.
“This is a wake up call for security on the internet,” he said in one of the tweets. “The mobile phone is the primary computer for billions of people. Governments and companies must do everything they can to make it as secure as possible. Our security and freedom depend on it.”
Cathcart also defended the end-to-end encryption technology used by the messaging platform, suggesting that its weakening would have “terrifying consequences”.
The technology, introduced by WhatsApp in 2016, encrypts messages in an unreadable format when it leaves the sender’s device and is decrypted in a readable format only when it is delivered on the intended receiver’s device.
Notably, in May, WhatsApp had highlighted upon the importance of end-to-end encryption while expressing its reservations on a provision of the Centre’s new IT rules which mandates the company to identify the “first originator of information” when authorities demand it.
In a blog post, WhatsApp had said, “...a government that chooses to mandate traceability is effectively mandating a new form of mass surveillance.”