The Pegasus project was a collaborative effort embarked upon by 17 international media organisations, unearthing a list of 50,000-plus phone numbers worldwide that were said to have been targeted by the spyware. The spyware maker, NSO Group, claimed that Pegasus was sold only to law enforcement and intelligence services of nation states for combating terrorism and crime. While countries like France, Germany, Poland, and Hungary admitted to its purchase, the US denied buying the software after its demonstration to the FBI.
Out of the stack of 50,000, 300 phone numbers belonged to Indian subscribers including journalists, politicians, NGOs, etc. In October 2021, the Supreme Court ordered an inquiry into whether Pegasus was used by the government. The SC hearing on the report last week led to disbelief, acrimony and trading of charges between the Opposition and the ruling party.
If the report of the technical committee appointed by the SC to investigate the Pegasus affair were to be taken at face value, one may conclude that the spyware episode is a figment of the collective imagination of several hundred cyber-security researchers and technology companies like Apple, Google, Meta, Trend Micro, Proofpoint etc., who have been misinformed to invest billions of dollars in hardening their systems to fix vulnerabilities that do not exist.
It might also seem that some of these technology companies (Apple and Meta, for example) have committed perjury in the US courts, by publishing factually incorrect statements about the Zero-Click iMessage and WhatsApp vulnerabilities. Further, it might also seem that several foreign governments and their intelligence services were inveigled into believing the technical indicators published by the researchers and technology companies, which led to their conclusion that there was indeed a Pegasus infection on the devices examined by them.
There are hence only two ways to look at the report of the technical committee: It is either ground-breaking or completely wrong. We don’t know which of these is true because it is kept under a sealed cover by the SC under the excuse that if put out in the public domain, it might result in the creation of more dangerous malware. As the methodology, process, and tools used by the committee to arrive at its conclusions are now deemed to be a state secret, we have to use analogies and other approaches to understand the report.
Consider, for a moment, the tests that are used for detecting Covid. Each test has two characteristics: false positives and false negatives. A false positive is when a test detects Covid when the infection is not present. A false negative is when it does not detect an infection that is present. As several test kits use different methodologies, every test kit must always indicate the probability of false positives and false negatives.
Now imagine there is a test kit in the market, which when given a sample of tissue that every other kit detects as infected by Covid, says there is an infection but it is not conclusive whether it is Covid. Then, the first logical question to ask would be if the kit ever detected Covid. Is the false negative rate of the kit 100 per cent? The conclusion would naturally be that this kit is not a reliable indicator for testing Covid.
A similar reasoning process can be applied to the committee’s report. The methodology it used is not known and the burden of proof that it is indeed reliable is with the committee, and not with the petitioners. The dispute between various approaches and their reliability usually either takes place in the scientific domain through the process of peer reviews or in the legal realm through the process of cross-examination by lawyers in the open court.
Neither of these has happened. While the Court-appointed committee demanded complete transparency from the petitioners including asking for a complete copy of their phone data and conducted a detailed examination of the witnesses appearing for them, it has not applied the same standards to itself. Further, by allowing the committee’s report to be kept under sealed cover, the Court itself has denied scientific scrutiny of the report.
The committee meekly accepted the non-cooperation of the government in the probe. It did not invite public depositions from independent researchers, cyber-security experts from Apple, Google, Proofpoint, Meta and other organisations. Even if five phones are infected by some other spyware, it was the government’s call to deny or accept the charge and not the committee’s. The committee fell short of its real objective by not probing the origin and nature of this “some other malware”.
The Court has also missed an opportunity to create a precedent on how digital forensic evidence needs to be examined and the standards to which the evidence needs to be subjected. In an era where data breaches, ransomware and other cyber-crimes have become increasingly common, widespread know-how on the examination of digital evidence is a key indicator of whether a nation-state is set to become a cyber power.
The recommendations made in the report will not make anyone wiser since the issues of privacy and surveillance reform have been debated for long but have not been translated into action. The Data Privacy Bill has been withdrawn, while both state and central governments are unwilling to change the current pattern of layers of the executive arm alone sanctioning and overseeing surveillance. The reluctance of political parties to subject surveillance to judicial oversight is the reason why the courts were expected to strike down surveillance methods as against the basic tenets of freedom of speech.
The Pegasus case, hence, was not just about protecting personal privacy of the petitioners but was also an opportunity for all arms of the state to understand their critical role in making India a responsible cyber power. That opportunity seems to have slipped away.
Azad served as Secretary Security and Venkatnarayanan is a cyber security and privacy researcher. Both are with Deepstrat, a Delhi-based think tank.