The TLDR: Welcome to Day 2 of the global investigation into the use of Israeli spyware to hack phones of prominent politicians, journalists, activists and others. The names released in India are shocking—and yet predictable. If you have no clue what this is about, be sure to check out Monday’s Big Story.

The basic deets

Paris-based media non-profit Forbidden Stories and Amnesty International accessed a global database of more than 50,000 phone numbers—which may have been targeted by a powerful spyware tool called Pegasus. The organisations shared these numbers with key media organisations around the world who helped identify the owners of these numbers. Amnesty’s Security Lab conducted forensic analysis on 67 smartphones, of which 23 were successfully infected and 14 showed signs of attempted hacking. 

Here’s what we now know about the Indian snoop list:

• More than 1,000 phone numbers in India appeared on the list.
• The media consortium verified the identities of the people associated with more than 300 Indian numbers.
• Forensic analyses were performed on 22 smartphones whose numbers appeared on the list.
• Of these, there is clear evidence that at least ten were targeted with Pegasus—of which seven were infected.
• Of the remaining 12, findings were inconclusive in eight cases because they were Android phones which do not store information in a way required to detect Pegasus infiltration. 

The biggest names on the list

Rahul & friends: Two of Rahul Gandhi’s numbers appear on the list of numbers in the global database. His numbers were added to the list in 2018—in the run up to the 2019 elections. Gandhi has since given up both numbers—and he apparently changes devices every few months to avoid surveillance. So there is no definite forensic evidence that he was indeed hacked. What we have instead is circumstantial evidence: the presence of at least nine phone numbers of people in his personal network on the same global database. These include the numbers of two close aides—Alankar Sawai and Sachin Rao. 

The Wire reached out to Gandhi’s friends and social acquaintances on the list:

“The three friends who did speak to The Wire, two of whom are women, were understandably alarmed at the thought of having been targeted for intrusive surveillance and sought advice on how to protect their privacy in the face of spyware like Pegasus. They could think of no reason why any official agency would have marked them out as persons of interest in mid-2019, the period in question. Two of the three no longer used the handset in question while the third said they would prefer to change their phone rather than go in for a forensic examination of their existing instrument.”

Point to note: None of these people are involved in politics. 

Gandhi’s response: Gandhi offered the same statement to all media outlets:

“Targeted surveillance of the type you describe, whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India is illegal and deplorable...If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”

Prashant Kishor: The phone of the grand wizard of electoral politics (profiled here) was available for forensic analysis. It was most definitely hacked—on April 28, right in the thick of the Bengal elections. This may be “the first iron-clad piece of evidence” that Pegasus is being used to spy on electoral rivals—since Kishor is the political advisor to three BJP foes, Mamata Banerjee, Amarinder Singh and MK Stalin. There is also evidence that there was an earlier attempt to hack his phone in 2018.

More eerily, The Wire also notes:

“Traces of Pegasus on Kishor’s phone were also detected in 14 days in June 2021 and 12 days in July 2021, including July 13, the day when he met Congress leaders Rahul Gandhi and Priyanka Gandhi in Delhi. In fact, a hack of Kishor’s phone occurred even on the date that The Wire met him and AI helped conduct forensic analysis on it.”

At least one of these attacks used Apple’s iMessage. Also on the bigger database of potential targets: the number of Mamata’s nephew and closest advisor, Trinamool MP Abhishek Banerjee.

Kishor’s response: He said: “If the use of such methods during Bengal elections are taken as a test case, then it is quite clear that such things hardly have any impact on the electoral outcome.” Lol! 

Speaking of elections: The list of verified numbers also included that of Ashok Lavasa, the only member of the 3-man Election Commission who ruled that then Candidate Modi and Amit Shah had violated the Model Code of Conduct during the 2019 election.

Modi’s ministers: Two cabinet-rank mantris are on the list of 300 verified numbers in the database—which means we don’t know for sure if they were hacked. These are (brace for full-on irony alert) the newly inducted Information Technology minister Ashwini Vaishnaw and the Minister of State for Water, Prahlad Singh Patel. Vaishnaw was added to the list in 2017—before he joined the BJP, while Patel was added in 2019. A great number of their family members and acquaintances are also on the list. As are close aides of two prominent women leaders Smriti Irani and Vasundhara Raje Scindia. The Wire has more analysis on why BJP leaders were on the list.

Vaishnaw’s response: He hasn’t said anything about his number being on the list, but just as his name was released, Vaishnaw was busy declaiming in the Lok Sabha: “Those reports had no factual basis and were categorically denied by all parties... Press reports… also seem to be an attempt to malign the Indian democracy and its well-established institutions.”

Ranjan Gogoi’s accuser: Back in 2019, a Supreme Court employee accused the then Chief Justice of India of sexual harassment. At least 11 phone numbers used by the woman, her husband and two other family members were also on the list of 300 verified numbers—and it is the largest such Indian cluster. She was added to the list just days after she recorded her allegations in a sworn affidavit—and may have been spied upon as she went through the internal inquiry, and while she consulted with lawyers. Why this matters:

“In other words, the legal strategy of a woman who said she was sexually harassed by India’s top judge would have been known to whichever individual or agency was interested in surveilling her, placing them in a powerful position vis a vis not just the woman but, presumably, CJI Ranjan Gogoi too, who was presiding over several important cases in which the government and ruling party had major political stakes.”

Gagandeep Kang: This is possibly the most shocking inclusion on the list of verified numbers. India’s top virologist was added back in 2018 when she was working on the Nipah virus outbreak in Kerala. Her response: “I lead a very, very boring life.”

Foreign-related targets: Also on the list: M Hari Menon who is the India country head for the Bill and Melinda Gates Foundation, and was added in 2019. Menon has not commented on his inclusion on the list. Plus: a British High Commission official, two officials of the American Centers for Disease Control and Prevention (CDC), and other Delhi-based diplomats and ambassadors from Pakistan, Iran, Afghanistan, China, Nepal and Saudi Arabia.

A big government pushback

The government brought out the big guns to respond to the media reports—including Amit Shah who said in a statement:

“Aap chronology samajhiye! This is a report by the disrupters for the obstructers. Disrupters are global organisations which do not like India to progress. Obstructers are political players in India who do not want India to progress… The facts and sequence of events are for the entire nation to see. Today the monsoon session of Parliament has started. In what seemed like a perfect cue, late last evening we saw a report which has been amplified by a few sections with only one aim — to do whatever is possible and humiliate India at the world stage, peddle the same old narratives about our nation and derail India’s development trajectory.”

Of course, it is unclear why a global project that spans a number of different countries would be timed to the Indian parliament’s monsoon session.

Real chronology samajhiye? The Guardian has this to say about timing:

“The selection of Indian numbers largely commenced around the time of Modi’s 2017 trip to Israel, the first visit to the country by an Indian prime minister and a marker of the burgeoning relationship between the two states, including billions of dollars in deals between Delhi and Israeli defence industries. Modi and the then Israeli prime minister, Benjamin Netanyahu, were pictured during the trip walking barefoot together on a beach. Days before, Indian targets had started being selected.”

Big point to note: The Indian government has never once denied purchasing Pegasus. If it has indeed done so, the price tag is fairly steep. As per a 2016 price list, it costs Rs 90 million (9 crore) to spy on just 10 devices.

The Congress’ response: The party is calling for an investigation into the snooping, and the Opposition is likely to create a ruckus in Parliament today. We, however, were most impressed by MP Shashi Tharoor’s perfect tweet: “The original #BhartiyaJasoosParty!”—accompanied by this image:

Also, this is the front page of The Guardian:

Also feeling the heat…

Apple: The exposé is a huge embarrassment for a company that sells itself on preserving user privacy. Of the phones analysed by Amnesty, 34 were iPhones—23 showed signs of a successful Pegasus infection and 11 showed signs of attempted hacking. And they have been found on devices using the 14.0 or more recent versions of the iOS. Most of them used the iMessage app—which allows strangers to send messages without warning or approval (enabling ‘zero click’ attacks). Cybersecurity experts say:

“Your iPhone, and a billion other Apple devices out-of-the-box, automatically run famously insecure software to preview iMessages, whether you trust the sender or not… Any Computer Security 101 student could spot the flaw here.”

Amazon: NSO uses Amazon Web Services (AWS) like CloudFront to target users and ferry back information—which is hardly great advertising for the service. The moment the story broke, Amazon moved quickly to shut down “the relevant infrastructure and accounts.”

The bottomline: Under Indian law, the use of software like Pegasus may be illegal. But the problem is that the government won’t admit to either buying or using it—which makes the hacking impossible to challenge in court. And perhaps that is why ministers like Ravi Shankar Prasad stick to asking absurd questions like: “Is this some kind of revenge for the way India handled Covid—vaccination and more than 75% of population are getting free vaccines?”

Reading list

Washington Post and The Guardian have the best overviews of the Indian targets. The Wire was the key media partner in India, and has individual stories on Rahul Gandhi, cabinet ministers, Gogoi’s accuser and Ashok Lavasa. The Telegraph looks at parallels to Watergate. The Guardian looks at the risk to human rights activists and lawyers across the world. Also in the Washington Post: An excellent piece on Apple’s vulnerabilities.