1.Rahul, Prashant Kishor, ex-EC Lavasa on list of spyware targets

Analysis confirms Pegasus attack or attempts on 10 Indian numbers, says report

Former Congress president Rahul Gandhi, former Election Commissioner Ashok Lavasa, election strategist Prashant Kishor, Trinamool Congress leader Abhishek Banerjee and Union Ministers Ashwini Vaishnaw and Prahlad Patel appeared on a leaked list of “potential” or actual targets for spying by the Israeli company NSO’s Pegasus spyware, news website The Wire and other international publications reported on Monday.

Two mobile phones used by Mr. Gandhi appeared on the list — one was added in 2018 when he was the president of the Congress and the other after the 2019 Lok Sabha election, according to the reports. Numbers belonging to at least five of Mr. Gandhi’s close friends and other Congress officials, including Sachin Rao and Alankar Sawai, also figured on the list, which has the names of dozens of journalists, activists and healthcare experts.

At least one number once used by Pakistan Prime Minister Imran Khan as well as hundreds of others in the country also appeared on the list.

The phones targeted were infiltrated by a malicious software called Pegasus, which is sold by the NSO Group. The spyware can secretly unlock the target’s phone, computer or other devices, collect information and transfer it to another device without the permission of the user. The Israeli company has said it sells Pegasus only to government agencies to fight terrorism and other serious crimes and that it does not operate the spyware licensed to its clients.

Those who were targeted in India included The Wire’s editors Siddharth Varadarajan and M.K. Venu, journalist Sushant Singh and Mr. Kishor, a forensic analysis found. The phone of Mr. Kishor, who worked with the Trinamool in West Bengal and the DMK in Tamil Nadu that went to the polls in April, was found to have been compromised as recently as July 14.

Investigations confirmed the Pegasus attack, or signs of potential targeting, on phones linked to 10 Indian numbers and 27 phones around the world, according to The Guardian.

Why in News

Recently, it has been reported that Pegasus, the malicious software, has allegedly been used to secretly monitor and spy on an extensive host of public figures in India.

About Pegasus:

• It is a type of malicious software or malware classified as a spyware.
  • It is designed to gain access to devices, without the knowledge of users, and gather personal information and relay it back to whoever it is that is using the software to spy.
  • Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010.
  • The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
  • Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
    
    
    • These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.
• Targets:
  • Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm.
  • Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.
    • In 2019, WhatsApp filed a lawsuit in the US court against Israel’s NSO Group, alleging that the firm was incorporating cyber-attacks on the application by infecting mobile devices with malicious software.
• Recent Steps Taken in India:
  • Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
  • National Cyber security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.
  • Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
  • Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government.
    • National Cyber Crime Reporting Portal has also been launched pan India.
  • Computer Emergency Response Team – India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
  • Legislation:
• Information Technology Act, 2000.
• Personal Data Protection Bill, 2019.

• International Mechanisms:
  • International Telecommunication Union (ITU): It is a specialized agency within the United Nations which plays a leading role in the standardization and development of telecommunications and cyber security issues.
  • Budapest Convention on Cybercrime: It is an international treaty that seeks to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1^st July 2004.
    • India is not a signatory to this convention.

Types of Cyber Attacks

• Malware: It is short for malicious software, refers to any kind of software that is designed to cause damage to a single computer, server, or computer network. Ransomware, Spy ware, Worms, viruses, and Trojans are all varieties of malware.
• Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
• Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
  • DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
• Man-in-the-middle (MitM) attacks: Also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction.
  • Once the attackers interrupt the traffic, they can filter and steal data.
• SQL Injection: SQL stands for Structured Query Language, a programming language used to communicate with databases.
  • Many of the servers that store critical data for websites and services use SQL to manage the data in their databases.
  • A SQL injection attack specifically targets such kinds of servers, using malicious code to get the server to divulge information it normally wouldn’t.
• Cross-Site Scripting (XSS): Similar to an SQL injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked.
  • Instead the malicious code the attacker has injected, only runs in the user’s browser when they visit the attacked website, and it goes after the visitor directly, not the website.
• Social Engineering: It is an attack that relies on human interaction to trick users into breaking security procedures in order to gain sensitive information that is typically protected.

2.Egypt takes centre stage in West Asian affairs

The instrument that Cairo is using to assert its diverse interests in a complex region is not military force, but diplomacy

Most important developments in West Asia are increasingly revealing an Egyptian fingerprint. Egypt’s diplomats and intelligence officers recently negotiated the end of the 11-day Israel-Palestine conflict, with the new Israeli government looking to Egypt to manage the turbulent cauldron of Gaza. Turkey, which has been hostile to Egyptian President Abdel Fattah al-Sisi for the coup in July 2013, when he overthrew the Muslim Brotherhood government in Cairo headed by President Mohammed Morsi, is anxious to reopen relations.

Egypt, after long years of neglect, has now become active in re-engaging with its neighbours in Africa, with substantial economic and defence partnership agreements. Finally, Egypt, with Iraq and Jordan, announced in Baghdad at the end of June that a new tripartite grouping of these West Asian States had been set up, proclaiming the advent of al-Sham al-Jadid, the “New Levant”.

Political, economic changes

Just a few years ago, after the overthrow of the country’s first democratically elected government, Egypt survived with a $12 billion aid package from Saudi Arabia, the United Arab Emirates (UAE) and Kuwait. These West Asian deposits were supplemented by grants in 2013-14 for the import of petroleum products, valued at another $16 billion.

West Asian politics was also largely influenced by the active role of Saudi Arabia and the UAE, in Syria, Yemen and Libya. Egypt found itself a reluctant partner in these ventures, though it was low key in Yemen and maintained ties with the Assad government in Damascus. In Libya, it was pushed into a more active role to confront the Tripoli-based administration, but here, too, it refused to deploy troops in the country.

Egypt’s role in the blockade of Qatar from June 2017, initiated by Saudi Arabia and the UAE, was also relatively lukewarm. Egypt allowed Qatari LNG to pass through the Suez Canal, while Qatar made no effort to dilute its investments in Egypt or order the repatriation of 2,50,000 Egyptian workers in the country.

The failure of Saudi Arabia and the UAE to achieve any success in their military interventions, or in the blockade of Qatar, has opened the space for Egypt to regain the influence it has traditionally enjoyed in Arab counsels. This has been greatly facilitated by the good management of its economy through difficult times. Economic reforms from 2015 finally provided foreign exchange reserves of $40 billion by 2018 and a growth rate of 5.6% in 2019.

The instrument that Egypt is using to assert its diverse interests in a complex and conflictual region is not military force, but diplomacy.

Regional challenges

The principal challenge that Egypt presently faces relates to Ethiopia’s plan to construct the “Grand Ethiopian Renaissance Dam” (GERD) on the Blue Nile. Egypt fears this project could restrict its access to the waters of the Nile, the source of 95% of its fresh water. Seeing the project as an “existential threat”, Egyptian officials have said that “all options” are on the table. However, Egypt has actually embarked on robust diplomatic engagements in its African neighbourhood, with defence agreements with the “ring countries” around Ethiopia — Sudan, Uganda, Burundi, Rwanda and Kenya — to safeguard its interests.

Ethiopia has initiated its own diplomatic effort in the Horn of Africa by firming up ties with Somalia, Eritrea and South Sudan. In response, Egypt has agreed to build a major dam and hydropower project in Tanzania, so that the latter will compete with Ethiopia in the export of power in the region. At the end of June, Egypt wrote to the UN Security Council seeking international intervention on the dam issue; it said that, with this effort, “we will have exhausted all the peaceful means”.

Egypt’s other challenge is relations with Turkey. The two countries met at the deputy Foreign Minister level in Cairo in early May and discussed the issues that divide them: Libya and the East Mediterranean. In Libya, Turkey has deployed about 500 soldiers and another 2,000 fighters from its militia in Syria in support of the Tripoli-based authority. Egypt and the UAE have so far backed the Tobruk-based administration and supported the rival Libyan force, led by Field Marshal Khalifa Haftar, with weaponry and mercenaries. In March 2021, an interim government of National Unity was formed that brings together the two rival administrations in one national order until elections are held in December this year. But this arrangement is still fragile, and competitions for power between the Tripoli and Tobruk-based rivals are ongoing.

Libya’s peace process demands that foreign troops leave the country. Though the Syrian militants have started leaving, Turkey asserts that its own soldiers have been invited by the government and is showing no signs of withdrawing them, while Russia insists that withdrawal of foreign troops will be a “step-by-step” process so that a power balance is maintained. In the East Mediterranean, Egypt, with other littoral partners, has delineated energy claims in the sea which conflict with Turkey’s claims. With neither side willing to compromise, there are serious fears of conflict. On July 3, Egypt affirmed its interest in Libya by inaugurating a new naval base close to the Libyan border.

Coalition for cooperation

The just-announced tripartite coalition of Egypt, Iraq and Jordan is clearly an attempt by the partners to broaden their regional engagements: Iraq would like to free itself from the Iranian grip and expand ties with its Arab neighbours. Jordan is unhappy with the recent Saudi role in trying to topple King Abdullah and replace him with a disgruntled half brother, Prince Hamza. Egypt views the partnership as an opportunity to move beyond its traditional dependence on Saudi Arabia and the UAE and assert its own leadership in the region.

Together, the partners constitute a near-contiguous land mass, with a total population of 150 million and considerable domestic agricultural and industrial capacity. They are looking at extensive cooperation in energy connectivity and reconstruction areas. Membership is open and, later, Syria and Lebanon could also join this group.

The outlook

While Egypt’s diplomacy has already placed it in the vanguard of regional affairs, it also faces serious challenges. As of now, Ethiopia is not budging on GERD, raising fears of a military confrontation.

At home, due to the novel coronavirus pandemic, unemployment has increased, recovery has been slow, and the percentage of workers without adequate income has gone up from 55% to nearly 75%. The poverty rate is still 2% higher than in 2015, when reforms had started. Further deterioration in the economy could compel Egypt to seek assistance from the Gulf States, which would dilute its independent posture in regional affairs.

Again, under the country’s stringent counterterrorism laws, tens of thousands of government critics are in detention. During the election campaign, Joe Biden, now U.S. President, had promised that there would be “no more blank checks for Trump’s ‘favourite dictator’”, a reference to al-Sisi. However, it remains to be seen if the U.S. will actually go through with this.

As of now, Egypt is riding high. The Egyptian President recently revamped the museum of ancient history in Cairo and presided over parades of mummies of former Egyptian pharaohs as they moved to their new home. Perhaps, he feels a kinship with those old rulers who had brought Egypt so much glory all those centuries ago.

3.Surveillance reform is the need of the hour

The proposed legislation related to the personal data protection of citizens fails to consider surveillance

It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance. This unsettling query arises on the basis of reports emerging from a collaborative investigation by journalists from around the world, including from India’s The Wire, titled the ‘Pegasus Project’. Reports say that over “300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”, were targeted using spyware made by the Israeli firm, NSO Group.

Threat to press freedom

Subsequent reporting showed that the Pegasus spyware had been used to target 37 phones, of which 10 belonged to Indians. Amnesty International’s Security Lab was then able to confirm that Pegasus was used to compromise the phones of former journalist of The Indian Express Sushant Singh, former editor of the Economic and Political Weekly Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi, and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu.

These revelations highlight a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019, similar allegations were made about the use of Pegasus against journalists and human rights activists. Most of them were situated in Maharashtra and Chhattisgarh as the hack targeted lawyers related to the Bhima Koregaon case and Dalit activists, respectively. However, despite repeated calls for investigations, the relevant State governments failed to do so.

A significant number of Indians reportedly affected by Pegasus this time are again journalists. This is not surprising since the World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021. What is shocking, however, is that the press requires (and in democracies is afforded) greater protections on speech and privacy. Privacy and free speech are what enable good reporting. They protect journalists against threats of private and governmental reprisals against legitimate reporting. This has been recognised in Supreme Court decisions. In the absence of privacy, the safety of journalists, especially those whose work criticises the government, and the personal safety of their sources is jeopardised. Such a lack of privacy, therefore, creates an aura of distrust around these journalists and effectively buries their credibility.

Problematic provisions

The government, in its purported undated and unsigned response, relied on existing provisions of law under the Indian Telegraph Act of 1885 and the Information Technology (IT) Act of 2000. Even without the use of Pegasus or any other hacking software and surveillance, these provisions are problematic and offer the government total opacity in respect of its interception and monitoring activities. While the provisions of the Telegraph Act relate to telephone conversations, the IT Act relates to all communications undertaken using a computer resource. Section 69 of the IT Act and the Interception Rules of 2009 are even more opaque than the Telegraph Act, and offer even weaker protections to the surveilled. No provision, however, allows the government to hack the phones of any individual since hacking of computer resources, including mobile phones and apps, is a criminal offence under the IT Act. Nonetheless, surveillance itself, whether under a provision of law or without it, is a gross violation of the fundamental rights of citizens.

The very existence of a surveillance system impacts the right to privacy and the exercise of freedom of speech and personal liberty under Articles 19 and 21 of the Constitution, respectively. It prevents people from reading and exchanging unorthodox, controversial or provocative ideas. Regardless of whether a citizen knows that their email is being read by the government, the perceived danger, founded on reasonable suspicion that this may happen, itself impacts their ability to express, receive and discuss such ideas.

There is also no scope for an individual subjected to surveillance to approach a court of law prior to or during or subsequent to acts of surveillance since the system itself is covert. In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech. Constitutional functionaries such as a sitting judge of the Supreme Court have reportedly been surveilled under Pegasus without any checks outside the executive wing of government. Vesting such disproportionate power with one wing of the government threatens the separation of powers of the government. In response to a Right to Information (RTI) request in 2013, the Central government had revealed that 7,500 to 9,000 orders for interception of telephones are issued by it every month. However, RTI requests for such information are now denied citing threats to national security and to the physical safety of persons.

The government, in its purported response, stated that any surveillance which takes place happens through a “due process of law”. However, the existing provisions are insufficient to protect against the spread of authoritarianism since they allow the executive to exercise a disproportionate amount of power. Such surveillance, when carried out entirely by the executive, curtails Articles 32 and 226 of the Constitution (empowering the Supreme Court and High Courts, respectively, to issue certain writs) as it happens in secret. Thus, the affected person is unable to show a breach of their rights. This violates not only the ideals of due process and the separation of powers but also goes against the requirement of procedural safeguards as mandated in K.S. Puttaswamy (Retd) v. Union of India (2017).

Role of judiciary

Thus, in order to satisfy the ideal of “due process of law”, to maintain an effective separation of powers and to fulfill the requirements of procedural safeguards and natural justice, there needs to be oversight from another branch of the government. Only the judiciary can be competent to decide whether specific instances of surveillance are proportionate, whether less onerous alternatives are available, and to balance the necessity of the government’s objectives with the rights of the impacted individuals. The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking in particular, is also essential because the leaked database of targeted numbers contained the phone number of a sitting Supreme Court judge, which further calls into question the independence of the judiciary in India.

Surveillance reform is the need of the hour in India. Not only are existing protections weak but the proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities. When spyware is expensive and interception is inefficient, the individuals surveilled will be shortlisted by priority and perceived threat level to the existing regime. But as spyware becomes more affordable and interception becomes more efficient, there will no longer be a need to shortlist individuals. Everyone will be potentially subject to state-sponsored mass surveillance. The only solution is immediate and far-reaching surveillance reform.