Apart from journalists, activists, and lawyers, the hacking software Pegasus, sold by the Israeli surveillance company NSO Group, was also used to access the information of Congress leader Rahul Gandhi, Kashmiri leaders, Pakistani diplomats, Sikh activists, businesspeople known to be the subject of police investigations and two numbers registered to or once known to have been used by the Pakistani Prime Minister, Imran Khan.
As per a report by The Guardian, the Indian Prime Minister Narendra Modi’s most prominent political rival, the opposition figure Rahul Gandhi, was twice selected as a potential surveillance target in leaked phone number data. His numbers were identified as possible targets for the Israeli company’s government clients.
Gandhi’s two numbers were selected as candidates for possible surveillance in the year 2019 before the vote and in the months afterward by NSO. The company’s spying tool Pegasus allows customers to infiltrate mobile phones and monitor messages, camera feeds, and microphones.
Phones belonging to at least five of Gandhi’s close friends and other Congress party officials were also identified as potential targets using the spyware, the report said, citing a leaked list of potential targets selected by NSO customers.
The data was accessed by the nonprofit journalism organization Forbidden Stories and Amnesty International and shared with the Guardian, The Wire, and other media outlets as part of the Pegasus project.
The report adds that it is not possible to say whether a phone in the leaked data was successfully hacked without forensic analysis. But the consortium confirmed Pegasus infections, or signs of potential targeting, on phones linked to 10 Indian numbers and on an additional 27 phones around the world.
Gandhi, who changes his device every few months to avoid surveillance, was not able to provide the phone he used at the time for examination. A successful hacking would have granted Modi’s government access to the private data of the prime minister’s primary challenger in the year before the 2019 elections, it said.
“Targeted surveillance of the type you describe whether, in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India is illegal and deplorable,” the report quoted Gandhi as saying.
“If your information is correct, the scale and nature of surveillance you describe go beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished,” he was further quoted as saying.
The selection of the opposition leader’s phone as a possible surveillance target in 2019 coincided with the identification of the numbers of two staff members, Sachin Rao and Alankar Sawai, who at the time were working on the forthcoming state election campaigns against Modi’s party in Haryana and Maharashtra.
Forensic analysis conducted on Wednesday on the phone of Prashant Kishor, a political strategist working for the party that defeated Modi’s Bharatiya Janata Party (BJP) in the West Bengal state election earlier this year, established it had been hacked using Pegasus as recently as the day it was examined.
The examination by Amnesty’s Security Lab also found evidence of intrusion by Pegasus in April – in the midst of the election campaign – indicating Kishor’s phone calls, emails, and messages were being monitored throughout the final weeks of the bitter contest, the report said.
Kishor said the findings were “really disappointing”. “Those who did [the hacking] were looking to take undue advantage of their position of power with the help of illegal snooping,” he was quoted in the report as saying.
Analysis of the more than 1,000 mostly Indian phone numbers selected for potential targeting by the NSO client that hacked Kishor strongly indicates intelligence agencies within the Indian government were behind the selection.
Other numbers identified in the records included those of known priorities of the country’s security agencies, including Kashmiri separatist leaders, Pakistani diplomats, Chinese journalists, Sikh activists, and business people known to be the subject of police investigations. The client also identified two numbers registered to or once known to have been used by the Pakistani prime minister, Imran Khan.
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
Quoting the NSO statement issued through its lawyers, the report said it would “continue to investigate all credible claims of misuse and take appropriate action”.
Following the launch of the Pegasus project, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute the leaked data “has any relevance to NSO”, but added he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he was quoted as saying.
NSO markets Pegasus as a tool for fighting militancy and crime, but the inclusion of a major Indian opposition leader in the records – alongside political staffers, labor unionists, Tibetan Buddhist clerics, social justice campaigners, and a woman who accused India’s most senior judge of sexual harassment – raises troubling questions about the way the hacking software may have been used in India.
The report said it also reinforces concerns about the health of the world’s largest democracy under Modi. An independent civil rights watchdog this year downgraded India to a “partly free” country, while another classified it as an “electoral autocracy”, both citing increased intimidation of journalists, meddling in the judiciary, and violence against the country’s Muslim minority since the BJP came to power in 2014.
The leaked data suggests phones belonging to numerous members of India’s independent institutions were identified as potential surveillance targets, within a system with little meaningful oversight for the use of surveillance, according to privacy advocates.
Lawyers have argued the use of Pegasus, NSO’s flagship surveillance tool, may be illegal under Indian law, which permits monitoring communications in some circumstances but explicitly bans hacking into devices. However, India does not officially admit to being an NSO customer, a significant hurdle to challenging the use of spyware in court.
The leaked database was accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International and shared with The Guardian, The Washington Post, Le Monde, The Wire, among others, as part of a collaborative investigation called the ‘Pegasus Project’.
India was among the 10 countries where the numbers were concentrated, with Mexico topping the list with 15,000 numbers. A large share of the numbers was also from West Asian countries such as UAE, Bahrain, and Saudi Arabia, with Pakistan, France, and Hungary being the other prominent countries on the list.
This is the second time that Pegasus has been linked to phone surveillance. In 2019, some WhatsApp users in India, including journalists and activists, were informed that their phones had been compromised.
The Government of India, however, dismissed allegations of any kind of surveillance on its part on specific people, saying it “has no concrete basis or truth associated with it whatsoever”.
Asserting that “India is a robust democracy that is committed to ensuring the right to privacy to all its citizens as a fundamental right”, the GoI dismissed the media report as an attempt to play “the role of an investigator, prosecutor as well as jury”.