Mighty snooping on the meek

Rajesh Ramachandran

Yea, I walk through the valley of the shadow of surveillance, I will fear all evil: for thou art with me; my phone and thy software they discomfort me. Well, this attempt at rephrasing Psalm 23 may not fully capture our all-pervading fear of being snooped on, but it does paint a painful picture of life lived under the magnifying lens of an invisible adversary. The Central government is in the dock over allegations of buying the Pegasus software from NSO, an Israeli company, for hundreds of crores of rupees, to deploy it against Indian citizens — politicians, bureaucrats, journalists and others. The Centre has not responded to these allegations in Parliament, but the Israeli government has raided the NSO, giving the scandal a global dimension. While the BJP government and the Opposition battle over accusations and refutations, there are questions galore that go abegging.

To ask some of them, one has to assume that the government did indeed buy the Pegasus software, as alleged by the global consortium of 17 media organisations, and that it deployed this software — listening to, reading and watching all that was happening on thousands of mobile devices. If the allegations are true, why did the government buy this software at all? All governments all across the world are listening to private conversations all the time, why then buy this particular software? This seems to be another instance of a monumental goof-up, comparable in scale to the blunders during the first lockdown or the oxygen crisis of the second coronavirus surge. Fortunately, no lives were lost or no one was made to walk thousands of kilometres; only a few hundred crores of taxpayers’ money were lost and some political embarrassment caused, which is of course par for the course.

Buyers of Pegasus software do it primarily for one reason: deniability. The software can be deployed by third-party contractors, launched from third party servers — kept in Ukraine today, Serbia tomorrow and Croatia the day after. The contractors check in and out of servers like guests walking in and out of hotel rooms. This makes the operation untraceable because it cannot be proved who launched the software and from where. Even more valuable is the kind of snooping offered: to infect and take over a device without leaving a trace. The saleability of Pegasus-like expensive software lies in their efficiency in remaining hidden in the infected device. All buyers, allegedly our government included, fell for this claim, which has been conclusively proved wrong.

So, like most of the stuff the government buys, Pegasus is a dud (if the Centre has bought it). Pegasus’s failure is twofold. Technologically, it is inferior software that does not perform what its makers claim it does. Any decent hacker can take over a mobile device, but the challenge is in taking it over without the host knowing about the infection. Huge amounts of money are paid to ensure that the host does not even suspect an attack and that the software does not leave a trace behind in the mobile device. But Pegasus did leave a trace that was forensically analysed by the Citizen Lab of the University of Toronto. If this is weapons-grade technology, then it is a gun that backfires. Apple’s App store has already launched a new version of the application iVerify to ‘check your device for trails of Pegasus software.’

Now, the second failure is a blunder of epic proportions. NSO has left the database of all those individuals against whom the software was deployed in some unsecured server from where it has been either hacked or leaked. If the NSO itself has leaked the database — like some Income Tax department official leaking the Radia tapes to all and sundry — then the Pegasus scandal should go down as the most comical snooping attempt ever made in the history of techint. After all, this snooping deal has invited international ignominy on all those who bought the software. The media organisations have only mentioned this database as a ‘leaked list’ without explaining whether it was leaked by NSO or someone in the governments that used it, or whether NSO’s servers were hacked.

For a government that believes in Atmanirbhar Bharat, these allegations are a big blow to its competent swadeshi image. India claims to be a software superpower, whereas it actually might be getting fooled by glib double-crossing vendors with ineffective wares. The allegations, in fact, point towards the failure of our national capacity to build and operate weapons-grade technology.

The bright side of the Pegasus scandal is the understanding that we are being watched, heard and read all the time. If the Israelis have half-decent software, the Americans and the Chinese would definitely have foolproof versions that won’t leave a trace even in the Apple phones that they design and manufacture. If the Chinese have this capability, nothing stops them from sharing it with their strongest ally, the Pakistanis. In a country where everyone conducts even the most confidential business over WhatsApp and there are WhatsApp groups for officials in most government departments, snooping would have become pretty easy now.

There are only two possibilities for those in public life. A life of Gandhian transparency, where one leads a life without anything to hide while knowing full well that every bit of one’s life is being scrutinised by a hostile entity in power. If it is not possible to be Gandhi-like, the only option is to keep the mobile phone out of the conversation, which might sound like an oxymoron, but all devices are potential targets and hence have to be kept out. Finally, the question remains — should governments deploy such means against their citizens? When the façade of deniability is torn down, what remain exposed are big men eavesdropping on the meek who get crushed under their mighty boots.

Join Whatsapp Channel of The Tribune for latest updates.