FAQs on Pegasus in the Indian context

Q. How did the Pegasus revelations happen?

A. Forbidden Stories, a website, and Amnesty International had access to a leak of 50,000 phone numbers selected for surveillance by NSO clients. NSO makes the Pegasus software.

Q. Was the investigation targeted against India?

A. The investigation was done by 17 media agencies across the world and covered 45 countries.

Q. What has been the GoI response?

A. The publisher of the report states that it cannot say if the numbers in the published list were under surveillance.

The company whose technology was allegedly used has denied these claims outrightly.

And the time-tested processes in our country are well-established to ensure that unauthorised surveillance does not occur, IT Minister Ashwini Vaishnaw said in Parliament.

Q. What did GoI say on surveillance?

A. In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interceptions of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology Act, 2000.

Q. How many journalists' numbers were under surveillance?

A. 180 all over the world including the biggest media platforms, of which 49 are Indian.

Q. Which countries were found to be using Pegasus against journalists, activists and opposition leaders?

A. The countries named in the reports are: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, United Arab Emirates (UAE) and India.

Q. Who were the potential targets in India?

A. 49 Indian journalists, 3 opposition leaders, 2 Ministers and one sitting SC Judge were targeted. Business persons too were targeted.

Q. How sure is the snooping?

A. Amnesty International’s Security Lab, in partnership with Forbidden Stories, performed forensic analyses on the phones of more than a dozen of these journalists – and 67 phones in total – revealing successful infections.

They were later peer-reviewed by a Canadian tech company which specialises in Pegasus. Both confirmed the infections.

NSO, the company which owns the technology, has said: “NSO Group believes that claims that you have been provided with, are based on misleading interpretation of leaked data from basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.

Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies as well as by private companies worldwide. It is also beyond dispute that the data has nothing to do with surveillance or with NSO, so there can be no factual basis to suggest that a use of the data somehow equates to surveillance.”

Q. Is it possible to snoop and what are the procedures?

A. Each case of interception or monitoring is approved by the competent authority. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

There is an established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of state governments, such cases are reviewed by a committee headed by the Chief Secretary concerned. The law also provides an adjudication process for those adversely affected by any incident.

The procedure therefore ensures that any interception or monitoring of any information is done as per due process of law. The framework and institutions have withstood the test of time, GoI said.

Q. Has GoI accepted that there was snooping?

A. GoI said it clearly emerges that there is no substance behind this sensationalism. The report itself clarifies that presence of a number does not amount to snooping. It quoted the report, “The presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack.

Without subjecting a phone to this technical analysis, it is not possible to conclusively state whether it witnessed an attack attempt or was successfully compromised”.