TNM spoke to cyber security researcher and co-author of ‘The Art of Conjuring Alternate Realities’ Anand V about the row over governments using Israeli military-grade spyware Pegasus and how it affects us as citizens.

Cyber security expert Anand VCyber security expert Anand V
news Interview Thursday, August 25, 2022 - 14:53

This interview first appeared in TNM’s Here’s the Thing newsletter on September 30, 2021.

Revelations that governments around the world were using military-grade spyware from an Israeli company called NSO to eavesdrop on private conversations shook the world. This was headline news in major mainstream newspapers. The Indian government too had been named as users of Pegasus, the spyware. Its targets: journalists, activists, sitting judges of the Supreme Court, opposition politicians, and even the ruling party’s own functionaries. This should have been big news for days, but apart from a few stories, it seemed no one cared.

For its part, the Union government refused to give any information to the Supreme Court about its use of Pegasus. Largely the issue is seen as something that affects ‘other people’ and ‘not us’. So why should you care about Pegasus? We spoke to cyber security researcher and the co-author of The Art of Conjuring Alternate Realities, Anand V, about the issue. Excerpts from the interview: 

When we talk about Pegasus and other spyware, the question people ask is: why should citizens care about Pegasus? If I am not targeted, why should I worry? If I have nothing to hide, what is the big deal?

The answer that I usually give is, give me your bank username and password, give me a personal photograph, and give me all the intimate pictures that you have as a person to me. And if that makes you uncomfortable, of course, you have something to worry about. And so the larger point that most of the people don't understand is that, it really doesn't matter whether you are targeted or not. What you must be more worried about, in general, is how these tools are being used. 

The nature of the modern nation state is that most of these states are typically engaged in some kind of intelligence gathering exercise across the entire spectrum. Some could be foreign, some could be local, some could be domestic — whatever you call them. There are a lot of approved procedures and processes that you have to follow if you're doing it on a domestic target, and if you're doing it on a foreign target, and so on. So the trouble with using a tool like Pegasus is that it is typically never used on domestic targets. 

I mean, the reason why the Cabinet Secretary's name came up in the court hearings, is because when it comes to national security, you typically don't want a lot of scrutiny on what the status plan is at all. But domestic is a very different ballgame. And what these guys have done, which is very concerning to a lot of us, is they have used it on people who are not a threat to the state.

Typically, it works like this: you get a suspicion, you do intelligence gathering, you think that something is not right. And then you basically put a person on phone surveillance. And given the nature of encrypted communications that is going on, with everyone using Signal or WhatsApp, it is turning out to be harder and harder. So you can say, look, this person is a valid threat, and I'm going to put him on surveillance — and it needs to go via a fixed approval process. And the fixed approval process requires assessing the person. You have to answer, why is the person a security problem for the state? So you just can't pick a random person and say, well, he's a security threat for the state. There has to be a very, very defined reason why you're putting these people on the Pegasus list.

And if you look at it, most of the journalists who are on my contact list were actually on the list. Are we now going to a place where we are seeing journalists as a security threat to the sovereignty of the country? That is one of the most bizarre things that everyone would laugh at. So there is really no credible threat.

I'll give a very different example. And this is something that many people may relate to. Pegasus is not a normal spyware device. So it is one thing for you to watch these movies like Gangs of Wasseypur, where people sell each other homemade guns. Why do they do it? Because it’s very difficult for a common person to get a licenced revolver. There’s an elaborate process to it. It’s a very similar process when you have spyware like this. A normal spying device you get in the market costs about USD 50. Pegasus is a million dollar device. So in computer security, this is the equivalent of someone using a 500 pound bomb on a civilian target. In terms of abuse and misuse and coming into your personal space, it is as bad as putting a time bomb on a normal civilian who has nothing. And that's basically what is concerning, because states are not supposed to do this.

And when people come and say, but I'm not targeted — I mean, here is the spectrum of people that we have seen. The person whom I gave an affidavit for in the Supreme Court is Professor Jagdeep S. Chhokar, who was running the Association for Democratic Reforms, whose job has been to say, we need better people in the Parliament. They do a bunch of reports. They're pretty harmless people, whose only job is to collect election affidavits filed by political party representatives and MPs, and put up a report. Why on earth would that person be put on a security watchlist, why was Pegasus put on his machine? So we have a situation where people are saying that it doesn't concern them that DNP bombs are being dropped on journalists and people who are generally fighting for transparency and accountability in the government. I would probably question these people whether they're pretty serious about living in a country like ours.

The other question that gets asked is: Isn't it okay - even essential - for a government to know what its citizens are up to, in this age of terrorism? Better safe than sorry?

Please, for you to come back and say Professor Jagdeep Chhokar, Prashant Kishor, Rahul Gandhi, and even some ministers — are we now saying that these people are terrorists? It is one thing to say that we need some tools for terrorists, but it doesn't mean that you use the tools on your own people. There is a reason why fratricide and patricide and all these things are forbidden!

Have you ever been in a situation where all your information, from whom you contacted to what you told your wife, to what you had for breakfast and dinner, what’s the pillow talk that you had with a girlfriend and spouses, are all out in the open market? Have you ever seen — have any of these people seen — the Pegasus interface? From the other side? Very few of us have seen it on the intelligence side. And once you see it, I don't think you will be asking these questions.

The government has now refused to share details in court claiming this is not in national interest. Isn't the cybersecurity of citizens a matter of national interest? What's the legal framework around this?

In general, every person who works in the intelligence agencies, will come back and agree on three broad principles. One is that the surveillance framework in India after the Puttaswamy judgment (Right to Privacy), has to be radically revisited. And most of the surveillance rules and procedures and processes were written for the pre-internet era.

Currently, everything has to be approved by the Home Secretary. It does not have any judicial oversight. It is fundamentally an executive oversight. There is not even parliamentary oversight, which is quite weird in a country which calls itself a democracy, because in every other place, there is some amount of judicial and parliamentary oversight. Even in the US — you can question whether the select committee basically looks at all the intelligence, they may decide not to talk about it in public, but there is an oversight engine. So none of this oversight mechanism exists in India.

And so you can come back and say, well, there's really no legal problem with using Pegasus against civilians because it’s what we call passive monitoring. But this is unique in the sense that it also has the write capabilities on the device. And so one of the problems that you have with that kind of capability is that you plant whatever document on child sex abuse material, pornography, whatever on the target device. 

Most of the jurisprudence is about saying that your home is your castle. Pegasus is like, there is a police officer who comes and sits in your house and watches what you do from morning to evening. He can even put whatever stuff you want in your home. There is no existing legal framework covered under the constitution or any legal statute. 

The Government of India has been exceptionally reticent about it because, in my mind, this is pretty much in the illegal, unconstitutional territory by a large mile, it’s not even an edge case.

Remember the distinction. Do they use it on foreign targets? Yes. Are there legitimate uses for it? Yeah. But the thing dramatically changes if you start putting this stuff on people who are not under suspicion. Target selection matters, whom you're putting it on matters. When the target is completely flat like this, it's a big problem.

The NSO group has said they sell Pegasus only to governments. How do we verify this? Assuming that's true, how did India purchase this? Where is the budget coming from? How was it authorised? Aren't these things of national importance?

You won’t find these budget items in the consolidated fund of India. This usually comes from funds for intelligence ops, what is called Black Ops. It just comes from that. And sometimes, these agreements can come off as a part of some other purchase. You may probably come and say I'm going to buy a whole bunch of arms from you, can you basically give me this for free kind of contracts, which are largely opaque. You won’t find some tender document, or a bidding. No one will ever see this.

So how do you verify that the government has purchased this then? Because of evidence. We have a lot of technical evidence that The Citizen Lab has published about all the IP addresses that were being used. When you declare a target, you have to basically deploy it on a server, which basically keeps track of all these things. Those things leave traces and IP addresses that have been traced, actually have been traced back to IP addresses that are typically only given to government entities. You're not looking for a budget document. There's plenty of technical evidence for those who actually look for it, and know where to find it. That's the way these things work.

If you notice, the Government of India has never denied it.

What does this whole case mean for dissent in India, especially online? How do activists and others who criticise the government now work and collaborate?

What is privacy in the age of Pegasus? You can have the classic definition of a journalist version. You can argue, until your head falls off, by saying, by law, the government is not supposed to do this or that. I'm not saying that is not required. I'm just saying as a practical operator, how do you deal with reality?

The way in which you have to think about it is to, in the age of Pegasus, think like an intelligence agent. And what does it mean? It means that privacy is now defined as the capability to misrepresent yourself. It is something that you have gained for yourself by deploying operational security practices. This is really what it comes down to.

The government basically came back and told the court that if we confirm or deny we’re using these practices, then people will moderate their behaviour. In reality, most people do moderate their behaviour. We have put out a whole bunch of recommendations on operational security, and most of these recommendations are pretty hard for normal journalists to follow. But unfortunately, you have no choice but to take it because at the end of it, you have to ask the question — what is your core asset? Your contacts list, right? So if a journalist is not going to take information security seriously, a whistleblower wouldn’t talk to them.

There is no doubt that we have to fight this on two sides. One is to do whatever it takes in order to push the constitutional mechanism; but also, take operational security much more seriously. The first question many journalists ask within two minutes of meeting me is, give me your phone number. Those are pretty dangerous questions in these times! You have to train people on operational security processes, which are very well known, and then you can collaborate with your sources. And then you may probably have a better choice of surviving. Is that really desirable? Surely not. But when nothing is working, the only thing you can do is practice the practical version of security, not a constitutionally defined question of security.

A lot of the people who've been targeted are journalists. But we also see a lot of like BJP leaders and their allies who are on the Pegasus list. So is it time for the pro-government mainstream media to worry as well?

Okay, so here is another way of thinking about it. They say, keep your friends close, keep your enemies closer. To tweak it, keep your enemies closer, keep your friends even closer. Friends must be kept closer than enemies, to keep an eye on your friends much more than they like.

Most governments are very, very worried about narratives. I mean, why is the government coming in asking for traceability on WhatsApp? Why do you think they're asking? I’ve even written a book about it — they want a right way of talking or thinking about the government — they have created a different version of reality. The current government is very worried about that. And one way to think about why the targets are chosen the way they are, is because these are journalists who have much more access to what is happening on the ground.

To me, what it means is when a government, which goes autocratic, or authoritarian, or doesn't listen to what's on the ground, it basically loses track of reality. One way to think about Pegasus is the reason why journalists are there in the list is because they are very, very interested in information resources. What's really happening out there because they no longer have information sources on what's happening. And a similar approach is really a reason why you even see their own people on the list. The purpose is more of information gathering and figuring out what's happening out there. “Is there a new trend emerging? Is that something that we should be worried about?”

The reason why there are journalists on the list is because there are people who actually understand what is going on.

I don’t think in their wildest imagination the government expected the list would get out. So then what is the intent? The intent is not harassment, the intent is not intimidation, the intent is fundamentally information gathering and figuring out what's happening on the ground. That's the way in which I read the Pegasus list.

About the interviewee: Anand Venkatanaryanan is a cyber security and privacy researcher. He is a public interest technologist and has written extensively about cyber security issues in several publications. He was called as an expert witness before the Supreme Court of India in the Aadhaar case and has also deposed before the Kenyan High court on their Digital Identity project called Huduma Namba.

Also read: Govt didn’t cooperate with probe, malware may not be Pegasus: SC panel report

Become a TNM Member for just Rs 999!
You can also support us with a one-time payment.