Pegasus Snooping in 2019: Did Modi Government Investigate? Not Really, Say RTIs
In 2019, the centre claimed it was looking into the matter. Two years on, it has "no information" about its probe.
"What happened to that?"
As heated arguments on the Pegasus snooping issue flew back and forth in the Supreme Court on Monday, 13 September, senior advocate Kapil Sibal asked a pertinent question.
He had been trying to establish to the judges how even the union government had acknowledged that the phones of Indian citizens had been targeted using the powerful Pegasus spyware, back in 2019, when the first revelations about this had been reported by The Indian Express.
On 31 October 2019, then-Union Law and Information Technology Minister Ravi Shankar Prasad had openly said that the government "is concerned at the breach of privacy of citizens of India".
On Twitter and in responses to Parliament, Prasad said the government would look into the issue, including by sending notices to WhatsApp and the NSO Group.
But as Sibal asked in the Supreme Court nearly two years later: What happened to that?
This journalist has sent multiple Right to Information (RTI) queries to the union government regarding this question, made even more important by the recent revelations that the extent of Pegasus snooping was even greater than had been believed back in 2019.
The responses to these RTI queries, which should have detailed a thorough investigation over the past two years, are extremely concerning.
The union government has no information about their inquiries to WhatsApp.
The government has failed to reply to RTI queries about its inquiries to the NSO Group, despite the exhaustion of 30 days.
The government has not undertaken any dialogue with Israel over the use of the spyware, sales of which have to be licensed by the Israeli government.
1. The 'Notice' to WhatsApp – What Happened Next?
On 20 November 2019, Ravi Shankar Prasad informed Parliament that a notice had been sent to WhatsApp by the Computer Emergency Response Team (CERT-IN), the nodal agency which investigates and deals with cybersecurity threats like hacking and phishing. CERT-IN falls under the Ministry of Electronics and Information Technology (MEITY).
In response to an RTI dated 1 March 2021, however, MEITY said that it has “no information” of the final outcome in the 2019 WhatsApp-Pegasus incident that it was itself looking into.
The answer is surprising because this is the same ministry that was tasked to look into the 2019 revelations, but the RTI response suggests that neither the ministry nor its officials are aware of the final outcome in the matter.
Was a final report prepared? Was it put up before the competent authority for action? If so, what was the action taken? The matter seems to have vanished from its records.
The RTI filed by this journalist asked 5 pointed questions on the action taken by the government regarding the 2019 hacking revelations.
The key answer was provided in a response dated 1 June 2021 to the fifth query in the RTI, by Ajay Lakra of CERT-IN, to whom the queries had been forwarded by the MEITY PIO (given they had been the ones to send the notice and tasked to take any further action on the matter).
Surprisingly, when asked for a copy of this 'notice' sent to WhatsApp, MEITY did provide a copy of the same, which actually looked more like a routine email than a 'notice'.
A mere two-line letter with the link to The Indian Express article had been sent to WhatsApp on 30 October 2019 saying “we are keen to have your response” to the article.
Several weeks earlier, on 20 July 2021, this journalist sent a detailed questionnaire to the MEITY Secretary, seeking his response to additional queries on this matter. He has not chosen to respond.
This article will be updated if a response is received.
2. The Notice to NSO Group – Will MEITY Ever Respond?
A month after the 2019 hacking incident came to light and WhatsApp being issued a 'notice', IT Minister Prasad informed the Rajya Sabha that a notice was also issued to the NSO Group – the Israeli company which makes and licenses the Pegasus spyware.
"CERT-IN has also sent a notice to NSO Group on November 26, 2019, seeking details about the malware and its impact on Indian users," Prasad said on 29 November 2019.
After the recent 2021 Pegasus revelations, this journalist filed an RTI with MEITY on 21 July 2021 asking for a copy of this notice to the NSO Group, the reply received from them (if any) and the final outcome of the matter.
MEITY was also asked if it had conducted any further investigation into the role played by the NSO Group in the snooping of Indian citizens in 2019.
Although MEITY has replied to other RTIs relating to Pegasus since then, this particular RTI has been left unanswered, despite the exhaustion of the mandatory 30-day deadline to reply to an RTI.
It is important to establish whether the NSO Group was “looked into” since they are the creators of the spyware, and, according to some of the more recent reporting, are likely to have been aware of the illegal use of Pegasus spyware on several human rights activists, journalists, and politicians around the world and in India.
3. Bilateral Discussions With Israel?
However, despite several high-profile Indian personalities, including judges, senior politicians, journalists, and activists, figuring on the potential snoop list, India has not yet raised this issue with Israel bilaterally.
Replying to an RTI filed by this author on 22 July 2021, the Ministry of External Affairs in a single-worded reply – “No” – confirmed that India has not raised this issue with Israel. Not since the 2019 revelations, and not at this time either.
Seeking a response from Israel is in fact important because the Israeli Ministry of Defence issues an export licence for every sale of this spyware, without which the purchase cannot happen.
So was the Israeli Ministry of Defence aware of this spyware being purchased and used by nation clients for illegal snooping (since Pegasus is supposed to be sold only to countries, to investigate crimes and terrorism)?
If so, did it take action or did it turn a blind eye and approved the purchase? What exactly did it do after the 2019 revelations came to light?
In light of the newer revelations about Pegasus being used against members of civil society and not terrorists, the Israeli government said on 22 July that it had launched a review of the matter, and that if it finds out that NSO Group violated the terms of its export licences, it will take action against them.
The reply from the MEA to this journalist – that no discussion had been had with Israel about Pegasus snooping – was sent on 24 August 2021, a month after the Israeli government had said there was a need to examine the issue.
Apar Gupta, executive director at the Internet Freedom Foundation, a digital rights advocacy group, says that this response establishes the government’s lack of urgency and interest in the matter.
“It is a matter of concern that there seems to be a complete omission of any kind of diplomatic exchange, requiring Israel to step in and provide clarity as to why a company registered with it and that seeks approval from their Defence Ministry for the sale of this spyware. As per the NSO Group it only sells to vetted governments. This is a matter of national security because if the Government of India did not purchase this spyware, then our politicians, journalists, constitutional functionaries like Supreme Court judges are placed under surveillance by a foreign entity."Apar Gupta
RTI Responses Show Need for Independent Investigation of Pegasus
In response to petitions filed in the Supreme Court asking for documents about the use of Pegasus spyware and a court-monitored probe into such snooping, the union government has refused to answer whether it has purchased and used Pegasus, citing 'national security' and 'national interest'.
It has instead suggested that it will set up a committee of experts to probe allegations of Pegasus snooping.
The replies to this journalist's RTI queries raise considerable doubts over whether this would be an appropriate course of action, given the failure of the ministry responsible to know what has happened to its own inquiries, and the failure to take up the matter bilaterally.
"These are very disturbing disclosures and this government’s response is casual since 2019," says Gupta. "This is leading to a complete breakdown of public trust in the government. The responses to these RTIs fit a larger pattern of non-response and systematic evasion of not only accountability, but also basic probity," he said.
The government's responses to the recent revelations about Pegasus, have been evasive and misleading, with the government reiterating only that no unauthorised interceptions have taken place.
An 'official statement' released to the media on 18 July 2021 had said that a previous response to an RTI reply had been prominently reported and was "in itself sufficient to counter any malicious propaganda about the alleged association between the Government of India and Pegasus."
However, the RTI in question had been filed by this journalist, and the response from the Ministry of Home Affairs had not actually denied that the government purchased or used Pegasus.
Given the government's failure to properly investigate the 2019 revelations about Pegasus – which their responses to the above RTI requests demonstrate – it seems clear that the newer, more extensive series of Pegasus revelations need to be investigated by an independent body, free from any government interference, in a transparent manner.
There is also an urgent need to evaluate the functioning of India’s intelligence gathering mechanisms, as was recommended by the Justice Srikrishna report on data protection.
The increasing prevalence of new technology like Pegasus and even facial recognition tech, suggests a need for a sustained and informed public conversation about surveillance reforms in the modern age.
(Saurav Das is an independent investigative journalist and transparency activist. He tweets @OfficialSauravD.)
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.