Activist Rona Wilson's smartphone was infiltrated using NSO Group's Pegasus spyware a year before his arrest in the Elgar Parishad case, according to new forensic analysis. Wilson, a prisoners' rights activist and academic, was a victim of surveillance and incriminating document delivery for close to a year before his arrest in June 2018, according to the analysis. Digital forensics firm Arsenal Consulting said Wilson's Apple phone was not just selected for surveillance by a client of Israel's NSO Group, but was also successfully compromised on many occasions.
The analysis showed that two backups of the iPhone 6s belonging to Wilson had digital traces showing infection by the Pegasus surveillance tool, which its developer, the Israeli cybersecurity firm NSO Group, has said has been licensed only to government agencies.
The Indian government has neither confirmed nor denied that it is an NSO Group client.
V Suresh, National General Secretary of People's Union for Civil Liberties (PUCL) said the new findings show compelling evidence in the case. "Now there is compelling evidence. We are exploring all legal possibilities to validate these findings based on the new type of electronic evidence," Suresh told PTI.
Citing findings of the forensic firm that Wilson's phone was attacked multiple times using a spyware, PUCL on Friday, December 17, made a pitch for granting bail to the activist and other accused, contending the company's reports show the case has "no evidentiary basis".
PUCL and Mumbai Rising to Save Democracy (MSRD) in a statement said that Arsenal Consulting, a Boston-based forensic investigation firm assisting defence lawyers in the Bhima Koregaon case, and Amnesty Tech Security Lab "have confirmed" that Wilson's phone was "attacked multiple times" by Pegasus spyware.
The PUCL said, according to the firm's findings, there were 49 different instances of Wilson's phone being attacked using the spyware between July 5, 2017 and April 10, 2018. This is "striking" given the firm's earlier report had already shown that Wilson's computer had allegedly been hacked by NetWire Remote Access Trojan between June 13, 2016 and April 17, 2018 "in order to plant incriminating files on his computer", the statement said.
The same was done in the case of another accused Surendra Gadling, it alleged.
The Arsenal also confirmed that neither Wilson nor Gadling had ever opened the files in question, the PUCL said. "Thus, in 2017 and 2018, Wilson was being subjected to both surveillance through Pegasus and evidence planting through the NetWire RAT," the PUCL said.
The PUCL further alleged that 16 human rights defenders, lawyers and artists have been jailed "without trial for over three years under the draconian Unlawful Activities (Prevention) Act". "...Given that we now have compelling evidence that there are citizens who've been attacked by both NetWire and Pegasus, it is crucial that the committee appointed by the Supreme Court investigate any connections between the two attacks and the implications for the BK (Bhima Koregaon) case.
"The four reports from Arsenal taken together leave little doubt that the BK case has no evidentiary basis. At the minimum, all the accused must be granted bail immediately," the PUCL demanded.
The PUCL alleged the first Pegasus attack on Wilson's phone took place on the second day of Prime Minister Narendra Modi's visit to Israel, where the NSO group company that manufactures Pegasus is headquartered. "Was this just a coincidence?" it asked.
The PUCL said NSO has repeatedly stated it sells Pegasus only to governments, and all its sales are subject to approval by the Israeli government.
"Were there members of the PM's team who could have been authorised to act on behalf of the government to contract the services of the NSO group and/or authorise attacks on Indian citizens? Or, were there any private cybersecurity actors, including cybersecurity firms with whom the government contracts, who were part of the delegation? Why has the government maintained a studied silence on these questions?" it asked.
The PUCL said it has been over 300 days since the first report "revealed" evidence-planting and 150 days since the reports on Pegasus attack, and added together it is the single "best-documented case of a cybercrime compromising India's criminal justice system and the rights of its citizens". "Yet the government remains silent. Why?" it asked.
The reports should have compelled the NIA to re-examine the devices of those it has accused of crimes and publish its findings, the PUCL said. "...If the NIA does not even care to investigate these aspects, how can it claim its actions are legitimate?" the PUCL questioned.
Wilson and others were arrested in the case that relates to alleged inflammatory speeches delivered at the 'Elgar Parishad' conclave, held at Shaniwarwada in Pune on December 31, 2017, which the police alleged led to violence the next day near the Koregaon Bhima war memorial located on the city's outskirts. The Pune Police alleged the conclave was backed by Maoists.