Pegasus developer NSO Group's flip-flops and network of companies need examination

NSO Group, the Israeli company says it has no control over clients and their conduct but also maintains that clients cannot turn rogue without its knowledge. Does it have sister companies in Dubai?

Shalev Hulio, CEO of NSO Group, the developer of Pegasus spyware
Shalev Hulio, CEO of NSO Group, the developer of Pegasus spyware
user

Uttam Sengupta

Surveillance is like salt, necessary in moderation but dangerous in excess. Whoever said it couldn’t have put it better. A certain degree of surveillance, as BJP supporters have been reminding Indians, has existed from the times of Chanakya. Deployment of the Indian Intelligence Bureau by powerful bureaucrats and politicians to check out the background of their daughters’ boyfriends or a prospective groom is not entirely unheard of. And yes, all countries do snoop on others.

In July 2014, a month or so after Narendra Modi took over as Prime Minister, the US envoy to India was summoned to the foreign ministry to lodge India’s protest at reports that the US National Security Agency (NSA) had been snooping on BJP leaders including Modi. This was intolerable and India had been violated, said the foreign office then.

In 2013, the UPA Government had also lodged protests with the US for allegedly placing the India’s embassy in Washington D.C. and India’s UN Mission in New York under surveillance. CIA’s operation in enabling a RAW officer, who was acting as CIA’s mole in the Indian agency, to flee from India around 2004 is also too fresh to be forgotten. The officer and his immediate family were given a fresh identity and helped to settle in the US.

But the extent of cyber surveillance was revealed first by the data leaked in 2010 by Wikileaks founded by Julian Assange; and thereafter when Edward Snowden in 2013 leaked details of snooping by the NSA. Snowden, who was working for an NSA contractor, flew to Hong Kong to release the data before seeking asylum in Russia. The data he leaked proved among other things that the US had tapped into a phone used by German Chancellor Angela Merkel. It strained for months relations between the two ‘friendly’ countries.

This week when Ashwini Vaishnaw, the new Union Minister of Information Technology & Communication, therefore declared in Parliament that illegal surveillance was not possible in India, he was being either naïve or was being economical with the truth.

Shalev Hulio, a former Israeli military commander, had set up NSO, which developed the Pegasus spyware, in 2010. In an interview to a tech magazine last year Hulio was candid in saying, “People don’t understand how intelligence works…it’s not easy, it’s not pleasant. Intelligence is a shitty business full of ethical dilemmas”. Indeed NSO Group, the best known but not the only company dealing with spyware, has said on record that 'someone must do the dirty work'.

But while Hulio was at least being honest, Vaishnaw and the Government of India seem to have buried their heads in the sand, refusing to see what is obvious to others. The Pegasus Project--a collaborative investigation by Forbidden Stories, Amnesty International and University of Toronto’s Citizen Lab--said the Home Minister of India, is a conspiracy to defame India.

PM Modi with former Israel PM Benjamin Netanyahu
PM Modi with former Israel PM Benjamin Netanyahu

What is suspicious is the Indian Government’s refusal to confirm or deny that it had acquired the spyware, which is sold only to governments and government agencies vetted by Israel. The closest it has come to admission is when former Union Minister Ravi Shankar Prasad, fielded to defend the government, wondered why India was being singled out when 40 other countries were also using the spyware.

A Freudian slip or not, Prasad in 2019 too had refused to categorically answer the question. He had evaded the question then by asserting that there had been no “unauthorised” surveillance. How could he be so sure? Is it possible that Prasad was being honest and Indian citizens were snooped on by rogue elements within the government? Can the role of foreign governments be ruled out?

Is it possible for a government agency to purchase the license and outsource its operation to a business house or a political party for that matter? An inquiry alone can clear the air and sooner the Government allows it, the better.

THE PEGASUS SPYWARE

The beauty of spyware Pegasus is that it works silently and from a distance. It can inject and infiltrate a smartphone, even an Apple iPhone, without the user’s knowledge. It can switch on the phone’s microphone and camera even when the phone is shut. It can collect and copy the data including messages and photographs stored in the phone. It can of course track the location and movement of the user and people he or she is meeting. Above all it can be activated and deactivated at the will of the Pegasus user.

A forensic examination of the phone and its data is necessary to prove the hacking. But while the Paris based non-profit Forbidden Stories and Amnesty International accessed the list of 50,000 phone numbers of targets across the world, they did not have access to the devices.

The list, almost certainly leaked by an insider, provided phone numbers of people and the period when they were targeted. The license to use the spyware is allowed for a limited period— how long is not yet known—and the vendor in that case has to keep track so that clients do not exceed the number of targets contracted for surveillance or overshoot the period of the license. Media reports have suggested that the Pegasus spyware is available for a fee of Rs. 60 crore ($ 8 million) for spying on a maximum of 50 targets.

The revelation that the Indian Government increased to budget for the National Security Council's secretariat from around Rs 40 Crore to a whopping Rs 311 Crore in 2016-17 has further added grist to the rumour mill. It coincided with the visit of Prime Minister Modi to Israel.

The Pegasus Project found the numbers of at least 1,000 Indians on the list of potential targets. In other words, whoever chose to snoop on these Indians would have paid a sum of Rs 1,200 crore for the pleasure.

How many people or agencies in India can afford to spend this kind of money on surveillance? Some of the targets contacted by the Pegasus Project refused to part with their devices because of privacy concerns. Others said they had lost, misplaced or discarded the devices they had used when they were being targeted. A few were not interested in pursuing the matter.

That is why only 300 numbers in the list of at least 1,000 Indians could be identified by the project investigators. Only 22 of these phones were forensically examined by Amnesty International’s lab and reviewed by University of Toronto’s Citizen Lab. Ten of them were found to have been ‘definitely’ tampered by the spyware while results of the remaining 12 were inconclusive.

Since the spyware does not leave a trace of the user, only circumstantial evidence can be used to direct the needle of suspicion. Which foreign government, for example, would be interested in snooping on Election Commissioner Ashok Lavasa or Congress leader Rahul Gandhi, the woman who accused the then CJI of sexual harassment and her relatives? Who would be interested in pursuing the personal secretary of the then Karnataka chief minister or political strategist Prashant Kishor during the West Bengal elections?

---

Shell companies and global network of NSO

The NSO Group is also shadowy, judging by reports in the public domain. Reports suggest that the company in 2014 was sold to an American private equity firm for 100 million dollars. In 2020 it is said to have been sold again for a billion US dollars to a European equity firm and the original founders of NSO including Hulio.

Tech journals report that the Group has a maze of companies operating in different countries in Eastern Europe, Africa, Asia and Latin America; mostly in countries with weak regulatory bodies. It has been suggested that NSO operates through several shell companies; that the company goes by different names and is known as Q Cyber Technologies in Israel, OSY Techno-logies in Luxembourg and by the name of Westbridge in North America.

So, when NSO says that the incriminating list of targets is not theirs or when the Indian Government refuses to either confirm or deny that it has used Pegasus—they could at least technically be correct. The Government could have dealt with a company with a different name in Dubai or Bulgaria and got access to the spyware named something else than Pegasus.

An NSO spokesman did tell NDTV this week that the ‘Indian’ list is not theirs. “It is not an NSO list, and it never was - it is fabricated information. It is not a list of targets or potential targets of NSO’s customers,” he maintained.

But how did the NSO find out it is not THEIR list? The Group’s conflicting and contradictory statements have served to strengthen the suspicion rather than allay it. It first claimed in a statement that the company had no control over its clients and had no knowledge of how the spyware was used by them. It also claimed, however, that whenever it received complaints, it conducted a thorough inspection following which it actually shut down the service in some cases and had blacklisted two clients recently. How could they have done so without monitoring the clients' actions in real time ?

In another inconsistency, the Group’s CEO first claimed that intelligence outfits using the spyware never allowed ‘operational visibility’. And yet, after Washington Post columnist Jamal Khashoggi was murdered and allegations surfaced that Pegasus spyware was used to track him and his associates, NSO claimed it was certain that its spyware were not used.

Saudi journalist Jamal Khashoggi, a critic of Crown Prince Mohammed Bin Salman, was allegedly murdered inside Saudi consulate in Istanbul
Saudi journalist Jamal Khashoggi, a critic of Crown Prince Mohammed Bin Salman, was allegedly murdered inside Saudi consulate in Istanbul

The Group’s CEO claimed in an interview that it had conducted a thorough inspection of all its clients and subjected them to technological tests that could not be forged. “The systems have records and it is impossible to act against a target without us being able to check it,” he had said in a written interview to Ynet Media. How could it have inspected clients without operational visibility? How could it shut down the service?

International pressure is growing and clearly it will no longer be business as usual. NSO has so far refused to reveal names of its clients (why should the client list be a secret when all that Pegasus is doing, it claims, is saving lives?).

An inquiry is necessary to find out if taxpayers’ money was used to buy the spyware; whether it was illegally outsourced to private, business or political interests. Since the spyware, it is claimed, is meant to target criminals, drug peddlers and terrorists, the inquiry must also find out the veracity of such claims.

France has already ordered an inquiry. Israel, in the face of world-wide condemnation, has offered to examine the issue. The United States has international conspiracy officially expressed its concern though it may not be as innocent of snooping as it would like the world to believe.

But the reaction of the Government of India defies all reason. Typically the Prime Minister has blamed the Congress. The Home Minister has blamed international conspiracy to defame and derail India. Union ministers and BJP chief ministers have blamed the anti-India agenda of Amnesty International.

The orchestrated chorus does little to add to the Government's credibility. In fact it arouses suspicion and betrays a certain degree of nervousness and paranoia. It will be in India's interest and in the interest of the Government itself to allow a transparent, public inquiry.

(The writer is Consulting Editor at National Herald. Views are personal)

Click here to join our official telegram channel (@nationalherald) and stay updated with the latest headlines