If State Intelligence Needs Pegasus, Govt Will Take Decision – Rambukwella
By Sulochana Ramiah Mohan
Life is made miserable for smartphone users when their devices are hacked via mobile apps, leaking photos, chats and information that are then used for nefarious activities. Even the Easter Sunday attacks on 21 April 2019 were planned using an app called Prima, investigations revealed. However, the one software which is dangerously intruding into the private lives of ordinary citizens is Pegasus, created by three Israelis, Niv Carmi, Omri Lavie and Shalev Hulio, at NSO Group Technologies based in Tel Aviv. Sri Lanka is also caught in this recent spyware scandal.
The Israeli Government-licensed NSO Group created Pegasus, which can stealthily be installed on smartphones (iOS and Android) and other internet-enabled devices and navigate without the user’s knowledge. It has shown up in many countries including India, and Sri Lanka might not be spared, as Media Minister Keheliya Rambukwella hinted to Ceylon Today: “It depends on whether the intelligence unit wants this application or not before it is taken up for discussion”.
Pegasus was introduced in 2016 and it can read text messages, track calls, collect passwords, track location, access the target device’s microphone and camera, and gather additional information from apps on a user’s device remotely.
A consortium of international journalists revealed at the beginning of July that NSO Group had sold access to Pegasus to oppressive regimes around the world who abused it to spy on journalists, human rights activists, and political rivals.
Reportedly, Pegasus has been used to surveil 50,000 targets, including Heads of State, reporters and activists. Many Indian journalists have suspected that Pegasus is doing its rounds in their country too.
Last week Indian journalists said they were targeted along with many human rights activists, which sparked international condemnation.
“So far not required”
Minister Rambukwella, responding to relentless questioning by local media regarding Pegasus, said that with rapidly improving technology, the possibility of the software being used in Sri Lanka cannot be ruled out.
On the Government’s stance on purchasing Pegasus for Sri Lanka, he said, “If the Government’s intelligence unit has made a request, then of course they will have to but so far such request was not made by them. If the Intelligence Unit of the Government wants it, then they will have discussed about it,” he told Ceylon Today.
However, such an app enables the remote surveillance of smartphones, and it has been sold to many countries, resulting in the privacy of common citizens being infringed.
“As far as intelligence is concerned, whatever they request for their work they may ask but certainly not to spy on personal lives,” he assured.
“To my knowledge we are not buying it but if a reasonable request is made on certain basis, then the Government will have to decide. The entire intelligence network in the world work that way,” he further said.
When asked if the intelligence unit made such a request he stressed, “not to my knowledge”.
Lately, the National Child Protection Authority has been giving statistics on child abuse and cybercrimes in Sri Lanka. Also, last Friday (30) the Government announced that over 17,000 child porn videos and photos had been uploaded between 17 June and 28 July, but the Media Minister pointed out that Sri Lanka has many other surveillance devices and the intelligence network is collaborating with Facebook and other organisations that share information and they have upgraded the service.
Whether Pegasus is used for good purpose or not is up for debate; already Indian journalists and French citizens are fuming over the app that had tiptoed into their lives.
Q: Will the Government buy only Pegasus?
Rambukwella responded, “As technology advances, the best technology is what everyone will want to purchase and that is happening all over the world”.
He also opined that private parties cannot buy Pegasus unless the Government approves it. “Of course many things are purchased undercover and I have not yet studied the Pegasus app,” he added.
He underlined that the Government is not interested in spying on personal lives.
But such a remote device can also intrude into personal lives and monitor people’s activities, which are violations of their rights.
Q: Can it happen in Sri Lanka?
The Minister replied, “That can happen but the Government stance is that we are not to spy on the people.”
Selling the Pegasus app to governments and private parties needs the approval of the Israeli Government first; hence Rambukwella noted that private parties cannot buy from Israel without the consent of their Government.
NSO Group Technologies, based in Tel Aviv in Herzliya, was founded in 2010 and employed almost 500 people as of 2017.
An investigation by the journalism non-profit organisation ‘Forbidden Stories’ alleged that prominent figures including the French President Emmanuel Macron and Roula Khalaf, editor of the Financial Times, were included on a database of names selected for possible surveillance by NSO clients.
They said phone numbers belonging to journalists were identified in 21 countries. Pegasus had the phone number of Siddharth Varadarajan, an Indian investigative journalist. Varadarajan, who was formerly an editor at The Hindu, founded The Wire in 2015 alongside M.K. Venu and Sidharth Bhatia.
Two serving colonels who challenged official policy, a retired intelligence officer who took RAW to Court, and two serving Border Security Force officers were also featured in the Pegasus Project database, The Wire reported.
However, the Indian Government never confirmed or denied being a client of NSO Group.
Veteran BJP politician, Dr. Subramanian Swamy tweeted, “If we have nothing to hide, then Modi should write to Israeli PM and seek the truth about the NSO's Pegasus project including who paid for it.”
Over 500 individuals and groups in India have written to Chief Justice of India (CJI) N.V. Ramana seeking immediate intervention of the Supreme Court in the alleged Pegasus snooping matter and to declare a “moratorium on the export, sale, transfer and use of Pegasus” spyware in the country.
NSO Group was sued in Court in 2019, when several human rights activist groups filed a lawsuit to force the Israeli Government to revoke NSO’s export license, citing cases where the software was used for human rights abuses outside of typical law enforcement investigations. An Israeli Court rejected the case in July 2020 in a surprising win for the NSO Group.
They are said to have denied that the names on the list had been targeted, and insisted that Governments were in charge of the technology's deployment.
NSO Group claims that its Pegasus spyware is only used to “investigate terrorism and crime” and “leaves no traces whatsoever”.
The forensic methodology report shows that neither of these statements is true. The report accompanies the release of the Pegasus Project, a collaborative investigation that involves more than 80 journalists from 17 media organisations in 10 countries coordinated by Forbidden Stories with technical support of Amnesty International’s Security Lab.
Amnesty International’s Security Lab has performed in-depth forensic analysis of numerous mobile devices from human rights defenders (HRDs) and journalists around the world. This research has uncovered widespread, persistent and on-going unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.
Founding Chair of LIRNEasia, an ICT policy and regulation think tank, Prof. Rohan Samarajiva added that the Government did not rule out that they will not purchase it hence it stands at that. He said the app does not have to be downloaded and it was the University of Toronto that tracked NSO Group’s Pegasus Spyware to Operations in 45 Countries, he added.
According to the University of Toronto, their findings painted a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
Forbidden Stories noted that Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, they also found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.
India is silent
Prof. Samarajiva also said it appears the sale of the app is government to government and not for private parties. “It appears to be government to government when countries like India are silent on the spyware issue, it is certain that it has to be government if they are avoiding revealing the sources.
“If it’s private party, then the government should announce who it is. No action has been taken by India so far despite it being highlighted that the spyware is active in the country,” he added.
Finding whether Sri Lanka is going to use or is using Pegasus should be up to the media; no one else is going to declare, he added.
According to the PureVPN website, Pegasus was found on slain Saudi Arabian journalist Jamal Khashoggi’s fiancée’s phone. He was a columnist for The Washington Post before he was brutally assassinated inside the Saudi consulate in Istanbul on 2 October 2018. His assassination has raised serious questions regarding the involvement of notable figures in the Kingdom.
Washington Post reporter Dana Priest is working on the collaboration, known as “The Pegasus Project.” She travelled to Turkey to verify if Pegasus had been used to surveil Khashoggi’s fiancée, Hatice Cengiz.
Spyware in 40 countries
Meanwhile, science writer, tech watcher and media analyst Nalaka Gunawardene, speaking on the spyware, noted that Pegasus is the world’s most sophisticated commercially available spyware.
Investigations by the 17 Media organisations that probed Pegasus found that NSO has sold its spyware to at least 40 countries – this includes some Governments with reputations of corruption and human rights violations. So it is increasingly clear that the spyware’s capabilities for monitoring, interception and decoding of private electronic communications are being misused. Far more independent journalists, forthright judges, civil society activists and public intellectuals critical of their governments are coming under surveillance than crime suspects or extremists.
He added that there are some well documented examples of Pegasus misuses. This software was implicated in 2018 in the hacking of Amazon owner (and world’s richest man) Jeff Bezos’ mobile phone by the crown prince of Saudi Arabia, he added.
“Spyware industry has been around for nearly three decades and it’s a thriving business. In 2013, Edward Snowden, a former computer intelligence consultant leaked highly classified information from the National Security Agency (NSA) in the U.S. showing how surveillance tools were being used to gather and analyse vast volumes of citizens’ personal data. The snooping went beyond the justification of spying on any real or perceived threats to national security.”
The latest Pegasus exposé shows how sophisticated spyware tools are now being sold on the open market, sustaining an industry of malware developers. The shadowy nature of their business makes it hard to track what products and services are being sold to whom and for what uses. As such, regulating is hard if not impossible.
Gunawardene added that in June 2019, the then UN Special Rapporteur on freedom of opinion and expression, David Kaye, called for an “immediate moratorium on the sale, transfer and use of surveillance technology until human rights-compliant regulatory frameworks are in place”.
In a special report to the UN Human Rights Council on the surveillance industry and its interference with human rights, he said, “Surveillance tools can interfere with human rights, from the right to privacy and freedom of expression to rights of association and assembly, religious belief, non-discrimination, and public participation. And yet they are not subject to any effective global or national control”.
Given the current lack of an effective regulatory framework on the use of surveillance technologies to mitigate and remedy the harms they can cause, Kaye added, “it is imperative that States limit the uses of such technologies to lawful ones only, subjected to the strictest sorts of oversight and authorisation, and that States condition export of such technologies on the strictest human rights due diligence”.
He cautioned two years ago, “The private surveillance industry is a free-for-all, an environment in which States and industry are collaborating in the spread of technology that is causing immediate and regular harm to individuals and organisations that are essential to democratic life – journalists, activists, opposition figures, lawyers, and others.”
Global Investigation Journalism report
The Global Investigation Journalism reported that two previous administrations spent USD 61 million to buy Pegasus spyware that has been implicated in government surveillance of opponents and journalists around the world.
They said that the NSO Group has been systematically abused for years by governments around the world. “Our NodeXL mapping from 12 to 18 July, which tracks the most popular data journalism stories on Twitter each week, found lots of coverage of this collaboration that analysed over 50,000 phone numbers selected for surveillance. In this edition, we also feature an insight into Facebook’s data wars by The New York Times, an interactive piece by Al Jazeera on how the holy city of Mecca has expanded, and a colourful project by the Washington Post on the rise of K-pop.”
The Mexico-based AP agency quoted Public Safety Secretary Rosa Icela Rodriguez as saying that records had been found of 31 contracts signed during the administrations of President Felipe Calderon in 2006-2012 and President Enrique Pena Nieto in 2012-18. Some contracts may have been disguised as purchases of other equipment. The Government said many of the contracts with the Israeli spyware firm NSO Group were signed with front companies, which are often used in Mexico to facilitate kickbacks or avoid taxes.
Last week the Israeli Government said they had raided NSO Group offices after many complaints. The Government raiding its own entity was criticised as part of “damage control for the Israeli Government”.
Israeli officials are going through regular investigative steps in a case that has received international attention, especially after several news outlets reported that NSO’s customers might have targeted the personal smartphones of several heads of state, including French President Emmanuel Macron, who lobbied Israeli Government officials earlier this week to look into the company’s affairs.
All in all, despite claims that ordinary people won’t be targeted by something as sophisticated as Pegasus, it’s only a matter of time before an ordinary individual becomes a person of interest.
How does Pegasus work?
Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus. To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.