The Pegasus Protocol: Government Surveillance, Privacy and Our Lives
Contents
- A Distraction as Introduction
- The Pegasus Report
- Privacy Concerns with Technology
- Government Surveillance: 1984 in 2021
- Project Pegasus (An infographic)
- Conclusion
- Resources
The Pegasus Report has revealed, besides illustrating the devious and dominant nature of the State, how it has become dangerous to live in a surveillance state, in which our right to privacy is undermined for purported common benefits.
Or are we living in a dystopian world?
The State and the capitalists are seeing not many things beyond power and profit.
A Distraction as Introduction
Imagine you are a sensible human being, living a normal life. You believe we are political animals. You believe that we need to engage with issues that have sociopolitical and economic relevance. You also believe privacy and surveillance are major issues in the digital world. Suddenly, you find that your neighbour has been checking out your phone. You don’t know what s/he has been looking at, but for sure, s/he has been looking into your phone. How would you feel? What would you do?
That person can definitely be called a weirdo. That’s for sure. And it will be pretty serious if s/he had used your GPay to transfer money to his/her account. When it’s the question of money, Voltaire said, everyone is of the same religion.
What if your neighbour turns out to be the State or the Government?
It’s much more than just about money now. Assuming we know the power of a State, that kind of snooping on your phone affects not only you but also all of us.
The latest Pegasus Report has given us so much to consider, and to dig, generally about this whole issue of privacy and surveillance, and specifically about government surveillance and the privacy concerns with technology. More than eyebrows, the report has raised concerns about the dangers of living in a surveillance state.
Let’s quickly see the Pegasus Report and then proceed.
The Pegasus Report
After a brief hiatus, the issue of privacy and surveillance has hit the headlines all over again, thanks to the Pegasus Report. What’s more, it involves several people in the media industry. The report is going to be another turning point in the history of the Internet and information technology, while the topic will remain one of the global issues.
To introduce the latest development, the Pegasus Report is an investigation involving alleged cases of the government surveillance of citizens in more than 50 countries. The report mentions the use of Pegasus spyware to spy on more than 50,000 people that include among others, journalists, politicians belonging to opposition parties, and rights activists.
The Pegasus Project media partners:
The Guardian (UK), Le Monde (France), The Washington Post (US), Süddeutsche Zeitung (Germany), Die Zeit (Germany), Aristegui Noticias (Mexico), Radio France (France), Proceso (Mexico), Organized Crime and Corruption Reporting Project (OCCRP), Knack (Belgium), Le Soir (Belgium), Haaretz/TheMarker (Israel), The Wire (India), Daraj (Lebanon), Direkt36 (Hungary), PBS Frontline (US).
Technical support: Amnesty International’s Security Lab.
(Source: Forbidden Stories)
Behind the investigations are the Amnesty International, the Forbidden Stories, and a group of 17 media organisations from all over the world. From India, The Wire is the sole organisation that is part of the global investigation. And at the centre of the crisis is a private Israeli technology firm, the NSO Group that has a tagline that screams: Developing technology to prevent and investigate crime and terror. You can check their website. In a press release that reeks of its frustration, recently (last week of July 2021) they clarified:
In light of the recent planned and well-orchestrated media campaign lead by (the) Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.
According to the BBC:
The group, an Israeli-based but American-owned company, specialises in creating what it calls tools against crime and terrorism. But the security researchers call them something else: a cyber arms dealer.
— Who are the hackers who cracked the iPhone? (Dave Lee)
Now we know the case involves a private technology firm that has gone rogue and media organisations whose sole objective is gathering information and distributing them to the public.
As it turns out, most of the governments, including that of India, are denying the allegations or any involvement. Albeit: (a) it is clear that the NSO Group sells its products only to law enforcement and intelligence agencies of ‘vetted governments’; and (b) forensic examination revealed traces of Pegasus on the phones of several people; for example, in India there are reportedly more than 1,000 people, of whom 30 are journalists. From Manipur, this includes Malem Ningthouja, an academic and writer based in New Delhi.
The aforementioned Section 69 ‘empowers the Central Government or a State Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India’, while the Section 5 ‘authorises specific individuals to view messages in the case of a public emergency or in the interest of public safety’.
In other words, it is completely legal for the government to pursue surveillance programmes, but this does not address the ethical and political implications. Do not be surprised if it is insisted that these are for our benefit. Perhaps, just as has already been done in many parts of the world, most programmes are ostensibly for the benefit of individuals and society. But is that really the case?
In terms of legality, the government of India has also enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, against which Facebook-owned WhatsApp had recently filed a case. Under the new legislation, many of the service providers have to remove encryption as well as trace the source of a message if compelled by government authorities. This has a direct consequence on, among other things, mass surveillance, end-to-end encryption, privacy, and censorship. (PS: The IT Rules came into effect from 26 May 2021.)
Daily Records
Reports have suggested that the configuration of Pegasus is quite expensive as well. In Cost of putting Pegasus in phones runs into crores, The Indian Express reported:
The cost of deploying a spyware like Pegasus is, even by conservative estimates, rather steep. According to estimates based on documents on the NSO Group’s commercial proposal acquired by The New York Times in 2016, the Israeli spyware maker priced its surveillance tools on a par with traditional software companies — $500,000 installation fee, followed by $650,000 to spy on 10 iPhones or Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users.
Further surveillance targets, according to the report, required the client to pay an additional fee — $800,000 for 100 extra targets; $500,000 for 50 extra targets; or $150,000 for 20 extra targets. In addition, NSO also charged an annual system maintenance fee of 17% of the total cost every year after the initial order. The charges were for an initial fixed period of time, with renewals costing extra. (July 21, The Indian Express)
Every day there have been newer disclosures from the report by the Forbidden Stories, Amnesty International and their media partners. Some of the latest findings include the fact that this spyware can snoop on three levels: initial data extraction, passive monitoring, and active collection.
Data records such as SMS records, contacts, call logs, emails, messages, and browsing history are sent to the command and control server during initial data extraction. After the extraction, an agent can monitor for new data records. In active collection, as the name suggests, a malware operator can send a request to the infected device to retrieve information in real time. The information can range from voice-call interception to photo taking. Yes, they can take photos using the infected device without the phone owner’s knowledge!
Its zero-click attacks remain the most sophisticated feature. Previously, a targeted phone user had to be deceived into clicking on a link, but not anymore. Pegasus can infiltrate the phone by exploiting zero-day vulnerabilities, that is, defects in the phone’s operating system that are yet to be identified and patched.
Just like those devices in a James Bond movie, Pegasus also has a mechanism for self-destruction and for deleting evidence from a compromised phone. Unsurprisingly, the NSO Group keeps saying that its objective is fighting crime and terrorism.
The headlines related to the Pegasus Report are going to hog the limelight for a few weeks and then, as always, fade away from public memory. Regardless of the lies the governments are telling the citizens and the short public memory, we cannot ignore some of the serious issues relating to privacy and surveillance.
The Conspiracy of Disruptionists and Obstructionists
Before we move on, let me share with you a story. It is more of a justification than a story. Well, the other day, on a local TV discussion, a BJP spokesperson rubbished the claim that the government is sponsoring a surveillance programme. He said that the report is ‘a figment of some people’s imagination’, (and by people, he meant anti-Indians) and that there has been an international conspiracy against India by organisations such as the Amnesty International that has clear anti-India stances.
The spokesperson also mentioned that foreign disruptionists and obstructionists are the real culprits. He explained that there are many foreigners who are envious of India and are now trying to malign the image of India. These disruptionists do not want to see India develop; they only want to see India as a land of snake charmers and women who defecate in the open.
He added that it is also intolerable for the disruptionists to see the rise of ‘Modi, a village-educated PM, and the first PM to be born in independent India, and who is yet to be infected with western liberal culture’. (Everyone knows that the PM had completed MA in Entire Political Science from Gujarat University.)
These disruptionists and obstructionists, according to the gentleman, are a powerful group of individuals who can change governments, wage war, and supply arms and so on. He emphasized, while blissfully ignoring the purposes or benefits of government surveillance and the right to privacy, that these people just cannot tolerate to see a rising India.
His statements remind me half of John Perkins of the Confessions of an Economic Hit Man fame and half of Karl Marx. Perkins is a self-styled economic hitman who used to help corporations economically colonise the so-called Third World countries. Marx, then, put it in black and white that you can give a reason for everything, but that all the reasons are not necessarily logical.
WhatsApp defines encryption as communications that remain encrypted from a device controlled by the sender to one controlled by the recipient.
Privacy Concerns with Technology
We have several landmarks in history. In the last couple of decades, the Internet has definitely occupied the top spot; and very closely on the list are the items of the world wide web. Smartphones, social media, emails, ecommerce sites, and the revolution in work processes will be prominent chapters in future history books for schoolchildren while cat pics, TikTok videos, and YouTube comments will find favourable mentions.
Technology and innovation go hand in hand. It is unanimous that technology has been enhancing civic and social innovation. Take machine learning, artificial intelligence, data journalism in media studies, besides the obvious Internet, and we can see how much things have changed for the benefit of humanity. Briefly, we are using technology to solve problems while creating opportunities for collective growth.
But, on the flip side, we have a few issues that are already critical in our daily lives today. Out of the numbers of problems, we are grappling with two of them that are directly related to the Pegasus Report: one, privacy and two, surveillance.
When we use an app such as WhatsApp, how secure is it? Its USP is end-to-end encryption. In one of its technical white papers (Read the PDF: WhatsApp Encryption Overview), WhatsApp defines this encryption as communications that remain encrypted from a device controlled by the sender to one controlled by the recipient. Technically, this app is a secure instant messaging platform with privacy at its core. However, the recent incidents including the Pegasus Report have brought back questions around WhatsApp’s privacy and security.
On the other hand, if we have to loosely apply Habermas’ concept, a public sphere is where we can form and discuss opinions. In the digital world, it is difficult to draw the line but we can still say the space where we have given access to others can be considered a part of the public sphere. Social media is an example, but we do have a password to access it, implying it is not completely free for all. Besides, on any social media sites, there are several privacy settings that give us control to some extent. Emails are easier to define what is personal and private.
Even on the Blogger platform, where I maintain this blog, I have the privilege to keep it private or open only to invited readers. My point is: we can manage to an extent how much we make our blogs and social media accounts a public sphere. Any access to the restricted space will be a case of privacy violation even if Internet is an open space.
If we have to define it: Privacy is the right to maintain information to ourselves.
Why privacy is essential
- Privacy is the right to maintain information to ourselves
- Privacy ensures we have a choice as well
- Privacy is also important because it is directly related to our safety and freedom
It is ridiculous for the State to take it away in the name of a frivolous reason like that of ‘saving’ a nation. Most of the time what a country needs to be saved from are the politicians. For everything that they lack in governance and administration, they always make it up by misusing power. They know the mass is gullible.
The number of people who have been arrested under archaic sedition laws and the notorious National Security Act in India is an indication that the State would go to any extent to not only impose its power, but also to remind the people who the boss is.
As far as privacy is concerned, the Forbidden Stories have provided sufficient evidence to show how the governments in 50 countries have snooped on their citizens. Meanwhile, this was the same reason why the American whistleblower Edward Snowden had leaked the documents on surveillance programmes of the National Security Agency (intelligence agency of the United States Department of Defense). However polarising a figure he is, we can say that privacy and security are exclusive terms.
What better illustrates this than the fact that the people who have been spied on are mostly those individuals who do not favour a ruling government. If you do favour, then no matter how violent you are, and forget about Pegasus, you can become a Pragya Thakur. And become a Member of the Parliament.
Anyway, privacy is also important because it is directly related to our safety and freedom. When we decide what we share on the Internet, for example, we are using our own agency to control information about ourselves, what we know about others, and what is known about the world.
Privacy is also about our individuality. Albeit it is an antithesis to the State that only wants a homogenised society made up of conforming individuals.
Privacy ensures we have a choice as well. It enhances our autonomy and self-determination. For businesses that offer us products and services, privacy must be an essential part of the product and not merely one of its features. Note: We will see further in the next section, Government Surveillance: 1984 in 2021, that along with the State, corporate houses are also equally responsible for making a mess of privacy and surveillance.
In the wake of the Pegasus Report, those who favour the government have been making two arguments: one, if I don’t have anything to hide, why worry? and two: we have no issues when we give away our information to American corporations (read Facebook, Twitter and others), but we are nitpicking when it comes to the government.
Well, their first argument, as Snowden puts it, is just the same as saying I don’t care about the right to speech because I don’t have anything to say. It is a slippery slope at its best. We know privacy is important for several reasons. Regarding their second argument, there is a thing called consent that the bhakts are clearly unfamiliar with.
If given a chance, everyone from the right, centre and the left will opt out of a surveillance state. For those who are conceding now because of the government, a change of political party in New Delhi will make them change their decision. Perhaps, megalomaniacs or people with similar tendencies would have no qualms about it, but they will be the only individuals.
The issue of surveillance has been a thing for quite some time, but never in the history has it been so sophisticated and at such a 'mass' level.
Government Surveillance: 1984 in 2021
The Pegasus Report has revealed, besides illustrating the devious and dominant nature of the State, how it has become dangerous to live in a surveillance state, in which our right to privacy is undermined for purported common benefits.
Just a few decades ago, it used to be an element of fiction. People saw it coming and now it’s not going to go soon. Orwell’s 1984 / Nineteen Eighty-Four illustrated that mass surveillance is the hallmark of a totalitarian regime. Now, what is even more worrying is the fact that some of the biggest democracies in the world are endorsing it, albeit in clandestine manners.
The ideas behind surveillance are completely against the principles of democracy that require transparency. It is not only the invasion on individual privacy but also about the misuse of power by the State. When Orwell wrote 1984, he would not have imagined the extent to which it can become a reality.
In an essay, Inside the Whale, which was partly a review of Henry Miller’s Tropic of Cancer, Orwell gave us a very bleak picture:
Almost certainly we are moving into an age of totalitarian dictatorships – an age in which freedom of thought will be at first a deadly sin and later on a meaningless abstraction. The autonomous individual is going to be stamped out of existence.
For us, it is one thing to get absorbed in a dystopia where the Big Brother is watching you. And it is totally another to live in a real dystopian world, in which:
- we are told that there are no surveillance programmes yet the State has all the powers to do so;
- journalists are routinely arrested on frivolous charges (Manipur Has Jailed an Activist, a Journalist for Two Months Now for Saying Cow Dung Can’t Cure COVID, The Wire)
- we can see three groups just as Orwell had categorised the world according to geopolitical and military affiliations. In 2021, we can see the world through the perspectives of (a) North America and Britain, (b) Russia and Europe, and (c) China. Replace the names with Oceania, Eurasia and Eastasia, and we get 1984.
Surveillance has been a thing for quite some time, but never in history has it been so sophisticated and at such a ‘mass’ level. Against drone surveillance, communication surveillance, facial recognition software, AI and data mining, old methods such as phone tapping and physically following a target look naïve. Most recently, surveillance entered the public sphere when Edward Snowden leaked the information from the NSA.
Now we know it’s never about a guy following another person, noting down a vehicle registration number, hanging around where the second person is, like we see in old films. Everything is invisible with technology. What’s more, the kinds and amount of information that can be extracted are astronomical. It’s simply just not information but data plus metadata!
Mass surveillance programmes, according to Snowden, are like casting a wide net, ‘but the problem is when you cast the net too wide, when you’re collecting everything, you understand nothing’. Watch the episode of Vice HBO: ‘State of Surveillance’ with Edward Snowden and Shane Smith on YouTube.
It is so unfortunate that Snowden is living in exile when he should be the person to tell legally and officially what to allow and not to allow on the world wide web. We really don’t need the politicians, who don't even know the ‘i’ of Internet, making policies and telling us what is right and what is wrong.
“The ACLU has prepared a map (illustrating how the NSA has gained direct access to the telecommunications infrastructure through some of America’s largest companies). It shows how the military spying agency has extended its tentacles into much of the U.S. civilian communications infrastructure, including, it appears, the switches through which international and some domestic communications are routed, Internet exchange points, individual telephone company central facilities, and Internet Service Providers (ISP).” (Source: American Civil Liberties Union: Eavesdropping 101: What can the NSA do?)
Once upon a time, iPhones were promoted to have a foolproof security system, and so was WhatsApp with its encrypted message facility. Earlier in January 2021, remember how so many people switched to Signal and Telegram after the in-app notification about the change in its privacy settings. Well, here is a simple fact: as long as we are using technology, we are always prone to privacy and security issues.
Let’s take an example. Vehicles have been an extension of our foot, if we have to take McLuhan’s concept of technology. We can go faster and farther. But there is also a chance of accident if we drive a vehicle. This is out of the question if we walk instead. This means: first, we cannot stop using it just because it is correlated to accidents; and second, we have to improve the safety levels.
This goes as well for the information technology, under which we have the Internet, our smartphones, PC, laptops and all sorts of devices.
This brings us to the fact that our data and information are vulnerable not only because of the State but because of every stakeholder involved in processing it. Most of them are private corporate firms, particularly those based in Silicon Valley in California, US. Shoshana Zuboff’s surveillance capitalism* succinctly captures this sentiment. Just look for a product on Google, and then its ads will start popping up everywhere you go on the web. At the end of the day, the State and the capitalists are seeing not many things beyond power and profit.
* Surveillance capitalism is an economic system centered around the commodification of personal data with the core purpose of profit-making. The concept of surveillance capitalism arose as advertising companies, led by Google’s AdWords, saw the possibilities of using personal data to target consumers more precisely.
— Surveillance Capitalism and the Challenge of Collective Action, Shoshana Zuboff, New Labor Forum, Vol 28, Issue 1, 2019
Consent does not mean Google and Facebook should be given a free hand. They have been spared because the focus is on Pegasus Report and mass government surveillance today.
Still, one of the remedies to these ailments is the rise of a collective of informed individuals and, further, an informed society. Another solution is to use secure and privacy-oriented browsers such as Brave, Tor and Epic, and search engines such as Qwant and DuckDuckGo. Besides, there are dozens of good safety practices that we can develop as our healthy digital habits. Since we are going to keep driving, why not take some of the precautions?
Prevention is better than cure. But when there is an intentional onslaught, like the surveillance programmes that have been detected in more than 50 countries, we need much more than precautionary steps. To cut to the chase, we have to be political and take political steps. The State must be made aware that it is an excess and futile exercise.
Crime and terror prevention, the rationale on which the NSO Group promotes its spyware, might need an institutional approach. A country like India has its well-structured Ministry of Home Affairs, and in this case, it is aided by the armed forces, which is (a) the second largest in terms of the number of military and paramilitary personnel, and (b) third largest in terms of military expenditure, in the world. Such a secretive activity as snooping reflects poorly on all of them. In extreme cases, it can betray the trust of the public, which can be profoundly detrimental for its democratic system.
Use the data you already have, instead of mining more and getting lost in the massive labyrinth of 0s and 1s and shoving the people to an Orwellian hellhole. Without doing much, the people whoever are responsible for carrying out the menial surveillance works are putting in too much effort. This gives us the image of an employee, who uses a site like: (a) http://pcottle.github.io/MSOutlookit/ that lets you browse Reddit but makes it look like you are checking your Outlook Mail and (b) https://hackertyper.com/ that makes you look like a cool programmer. You can check these two sites!
We know how surveillance has been prioritised in many parts of the world on the ground that existing laws have not been able to keep up with technology. We should also remember that a little more than one hundred thousand people were picked up and detained in the US in the post-9/11 days using surveillance methods. As it turned out, not a single person, that is zero, was found to be a terrorist.
In The Art of War, Sun Tzu devoted a whole chapter to The Use of Spies. He wrote:
Raising a host of a hundred thousand men and marching them great distances entails heavy loss on the people and a drain on the resources of the State. The daily expenditure will amount to a thousand ounces of silver. There will be commotion at home and abroad, and men will drop down exhausted on the highways.
Security might be inherently related to surveillance programmes. But is it worth it? The cost factor is indispensable simply because of the exorbitant price of the software and its installation. Necessity might have compelled the Big Brother to spend a fortune on the Pegasus. But we have seen in a developing economy like India, with its economy sinking to a record low owing to the pandemic and incompetency of the government, the government surveillance on journalists, for instance, can only result in arbitrary arrests, which in turn affect its standing in ranking system like that of the World Press Freedom Index. Above all, in the world of technology, this will only necessitate the coding of more powerful antivirus programs. The point is, to repeat: is it worth all this effort?
Then there are questions related to ethics. How ethical is it for the State to look at its subjects secretly with ulterior motives? How ethical is it for a government that abides by the idea of We the People to still carry out an activity that is completely an antithesis to individual rights?
It also raises the question of sovereignty because, obviously, you are dealing with sensitive data and information, but the company, the NSO Group, is based in Israel and is a private entity. How secure are the information source and destination systems when ordinary organisations (ordinary, in the sense of normal and not intelligence based) can have access to them? How solid is the foundation of national intelligence and security? Enough is said, and as far as the use of Pegasus is concerned, we have more questions than answers.
Here’s the infographic:
Conclusion
It is ironic at times that an activity such as surveillance, which is supposed to be secretive, is out in the open for the whole world to look into. In most cases, it is related to terms such as intelligence and security, yet the revelations of the Pegasus Report make the privacy and surveillance ecosystem so contradictory. This is no different from the security in the National Security Act. It has been applied more in political vendetta than in safeguarding the security of a State. Besides, it gives no sense of security whatsoever to a citizen.
For us, information technology has greatly impacted convenience and communication. However, the report has also shown human ingenuity at its worst. Just as social media has redefined stalking, the smartphone has completely changed the method of surveillance. As much as the Internet has been transformed from a global data communications system to a private/public sphere, the complexity in its roles and functions has undergone a change, which in terms of sheer numbers, is beyond our imagination.
The issue is complicated. It is more complex than understanding the psychology of your annoying neighbour, whether s/he would snoop on your phone or not. You know, people are sometimes so strange.
Notwithstanding the fact that the State and business organisations have their security or commercial imperatives, there can be no reason to justify their invasion of our privacy and the throttling of our freedom. There cannot be a balance between privacy and security for the simple reason that these are parts of the same whole. A long time ago, there used to be kings and their divine powers. They are gone. Now we have the State and its long arms of the law but those cannot be absolute—neither its power nor its existence.
Before we wind up, do share how much is too much when it comes to mass surveillance.
Resources
- Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones — The Yale Law Journal by Kevin S. Bankston & Ashkan Soltani
- Forensic Methodology Report: How to catch NSO Group’s Pegasus — Amnesty International
- Seven Privacy Principles — Save Our Privacy
- The New Tech Totalitarianism — New Statesman by John Gray