On Pegasus spyware

September 19, 2021

Statements by the government expressing outrage are understandable, however, these have centred on targetting by India rather than speaking to the larger issue of privacy rights and questioning the legitimacy of surveillance technologies in general

On Pegasus spyware

The fact that we are being monitored through digital devices does not garner much shock or headlines any longer given the normalisation of digital surveillance practices. However, the recent Pegasus spyware revelations, uncovered as part of an investigation by the consortium of news organisations led by Forbidden Stories and Amnesty International, pointed towards the shocking scale and insidious nature of the confluence of state and private surveillance.

As far as spywares go, Pegasus has been renowned for a while given the extent of its capabilities as it can be downloaded on smartphone remotely and evade tracing. Usually, spyware is installed on devices through phishing attacks, which means that it requires some action from the end-user and allows for digital security practices to act as a bulwark against the spyware from entering your device. What makes the most recent version of Pegasus so powerful and worrying is the recipient cannot do anything to stop being targetted through “zero-click” attacks. Forbidden Stories notes that “once installed, it allows clients to take complete control of the device, including accessing messages from encrypted messaging apps like WhatsApp and Signal, and turning on the microphone and camera.”

Pegasus is owned by the NSO Group, an Israeli surveillance company, which claims that its technologies are used to “prevent and investigate terrorism and crime.” If the NSO Group sounds familiar it’s because you might have heard about them with relation to the WhatsApp hacking revelations in 2019 which resulted in nearly 1,500 phones of activists, journalists and politicians being targetted. This led to Facebook taking legal action against the Group. Earlier, it was embroiled in the targetting of Mexican activists and journalists which came to light in 2017. You’ve probably also heard of them in relation to Jamal Khashogi’s murder where NSO’s spyware was employed to monitor people close to Khashoggi, including his wife and the chief prosecutor in the case, in the lead-up to and after his murder.

The recent revelations point towards human rights activists, journalists, lawyers and politicians being targetted at the behest of governments across the world. A list of 50,000 numbers has been leaked, however it is unclear if all numbers were actually targetted, but it points towards the scale the surveillance enacted by NSO’s clients, which include governments, militaries, law enforcement and intelligence agencies. The entire list of clients has not been revealed so far, though the revelations identify 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo and the United Arab Emirates.

The Pegasus revelations have renewed calls from rights activists to enforce “an immediate moratorium on the sale, transfer and use of surveillance technology until human rights-compliant regulatory frameworks are in place” as suggested by the United Nations Special Rapporteur on freedom of opinion and expression in 2019. Furthermore, Amnesty International has stated that the UN Guiding Principles on Business and Human Rights should be enforced to place obligations on private companies to adhere to human rights standards and ensure that their technologies are not used to target dissidents, activists and journalists. While the Pegasus spyware might appear to be an outlier, intrusive technologies are becoming increasingly common — as Edward Snowden points out in his recent incisive article, Apple’s plans to introduce backdoors into its storage in the name of combatting child sexual abuse material point towards insidious ways in which surveillance technologies are being normalised and hold the unprecedented potential to be employed by governments to enact both targetted and en masse surveillance.

In the past, the government has discouraged use of messaging applications like WhatsApp to share government-related information. However, it has failed to come up with viable alternatives to government officials.

The revelations generated a flurry of activity in Pakistan once it was learnt that one of the numbers in the list belonged to Imran Khan, though it is unclear whether his phone was actually infected. This is not the first time that officials in Pakistan have been targetted. In 2019, NSO malware that exploited a vulnerability in WhatsApp was used to target at least two dozen Pakistani government officials. Statements by the government expressing outrage are understandable. However, these have centred on targetting by India rather than speaking to the larger issue of privacy rights and questioning the legitimacy of surveillance technologies in general. Soon after the story came to light, federal cabinet hastily approved the National Cyber Security Policy 2021 that doesn’t say anything substantial apart from establishing a Cyber Governance Policy Committee (CGPC) with a wide mandate to, among other things, formulate a Cyber Security Act. It also allows for the establishment of Computer Emergency Response Teams (CERTs), which were already envisioned under existing legislation.

In the past, the government has discouraged use of messaging applications like WhatsApp to share government-related information. However, it has failed to come up with viable alternatives to government officials. The National Information Technology Board (NITB) has worked towards implementing e-governance, however structural factors have undercut these efforts substantially. Digital security is heavily dependent on practices and habits which are difficult to implement within bureaucratic structures that are resistant to change, particularly in a culture where files and paperwork have been embedded in maintaining status quo and power centres. Furthermore, the NITB’s track record isn’t exactly confidence inducing; the Covid-19 tracking app developed by the Board was heavily criticised by digital security and rights experts for lacking basic digital safety protocols.

Lastly, the response in Pakistan centred framing the issue of digital security as solely a national security one that reproduces militaristic, state-centric and non-transparent narratives, rather than questioning the very utility of surveillance. Pakistan’s response to the Pegasus speaks of outrage at being targetted, but does little to talk about similar surveillance technologies employed internally that use similar pretexts as the NSO, i.e. counter-terrorism and crime control, to chip away at privacy rights of citizens. While there has been talk of a Personal Data Protection Act, and several drafts have been circulated by the Ministry of Information Technology there has been no transparency or meaningful engagement with civil society to produce a law that vests powers in the hands of citizens.

Perhaps our government can hold on to this feeling of being on the receiving end of surveillance to reflect on the entire paradigm of a surveillance state as a flawed model for governance. Surveillance, as they might have learnt, is a means of control and offers little by way of security and safety. A glaring example of this can be observed in the fact that in the recent Minar-i-Pakistan harassment case, the assault on the survivor occurred under the glare of 40 functional cameras at the park. It is time to stop presenting surveillance as a device to control crime, particularly against vulnerable groups, by decoupling surveillance from safety once and for all.

Shmyla Khan is the Director of Policy and Research at Digital Rights Foundation.

On Pegasus spyware