The Indian government has found itself at the heart of a spyware scandal that has sent seismic waves across the entire political world.
A collaborative investigation, based on information accessed by nonprofit Forbidden Stories and Amnesty International and shared with a host of publications, into the Pegasus spyware has revealed a list of potential targets for surveillance.
More than 300 Indian phone numbers were among nearly 50,000 selected worldwide as being of possible interest to clients of the Israel-based NSO Group, maker of the spyware. The leaked database was shared with Le Monde, The Guardian, Washington Post, Die Zeit, Suddeutsche Zeitung and 10 other global news organizations as part of the investigation known as the Pegasus Project.
A majority of the numbers identified in the list were geographically concentrated in 10 countries: India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
In India, numbers belonged to politicians, dozens of journalists, activists, businessmen, a Supreme Court judge and even two ministers in Narendra Modi's government, according to the news website The Wire, which was part of the global investigation.
Modi adversaries targeted
"If you scan the list of journalists and citizens that are on the target list by Pegasus, they are all known adversaries or critics of the current government. Is that not a strange coincidence? It has a chilling effect," media commentator Pamela Philipose told DW.
"Why is this government snooping on its own citizens, including many who are going about their own lawful business? The firm claims the spyware is sold exclusively to vetted governments around the world to combat terrorism and other serious crimes. This is very serious," Congress MP Shashi Tharoor said.
So far, forensic analyses performed on 22 Indian smartphones, whose numbers appeared on the list, showed that at least 10 were targeted with Pegasus spyware, seven of them successfully.
Soon after the report came to light, pandemonium broke out in parliament, with proceedings disrupted and opposition parties demanding that an independent inquiry be set up.
The government went on the defensive, calling it a "fishing expedition," and refused to set up an independent investigation after claiming that it was not involved in the surveillance.
Home Affairs Minister Amit Shah released a statement in which he attacked Congress and various international organizations, calling them "obstructers" and "disrupters" whose only aim was to humiliate India on the world stage.
What is it and how does it work?
Pegasus is a spyware that can be covertly installed on smartphones, allowing operators to extract messages, photos and emails, record calls, and secretly activate microphones and cameras.
The spyware is capable of surveillance on three levels: initial data extraction, passive monitoring and active collection.
Once installed, the spyware leaves no trace on the device, consumes minimal battery, memory and data consumption, and comes with a self-destruct option that can be used at any time.
India's Watergate moment
Among those on the target list are Ashok Lavasa, a former election commissioner of India who had criticized Modi for violations of the model code of conduct; a woman who had accused former Chief Justice of India Ranjan Gogoi of rape in April 2019; and several journalists who had carried out exposes on the government or written about sensitive subjects, such as defense and the contested region of Kashmir.
Congress leader Rahul Gandhi and two of his associates were also on the list, but analyses were not able to determine if they had been hacked.
At least two serving ministers in the Modi government, Ashwini Vaishnaw and Prahlad Singh Patel, also feature in the leaked database of phone numbers.
Constitution at stake
Founder-editors of The Wire Siddharth Varadarajan and M.K. Venu were also targeted. Specific forensic analysis showed evidence of their phones being infected by Pegasus.
"The Wire is clearly the among the most targeted media outfits," Venu told DW. "The government should set up an independent inquiry commission to allay the apprehensions of citizens in regard to their privacy, as guaranteed by the Indian Constitution."
The government so far has tried to brazen it out, saying the leaked data from the Israeli company NSO did not constitute actual use of Pegasus spyware for phone hacking.
Following the expose by the global consortium, messaging giant WhatsApp's chief executive officer, Will Cathcart, called on governments and companies to ensure online security.
"This is a wake-up call for security on the internet," Cathcart tweeted. "The mobile phone is the primary computer for billions of people. Governments and companies must do everything they can to make it as secure as possible. Our security and freedom depend on it."
Increased calls for surveillance reform
It is not the first time that the Pegasus spyware has made headlines. Experts pointed out that there were instances in India prior to the current controversy, where the spyware was being used on citizens.
It was reportedly deployed for snooping on activists and advocates involved in the Bhima Koregaon violence of western Maharashtra in January 2018, many of whom who are still in jail under India's anti-terror law. Some of the activists' names figure in the current list.
"What we are seeing now is a cyberweapon used to mine data completely across the board, and this is frightening. Just look at the target selection, and this is clearly a threat to constitutional democracy," Apar Gupta, executive director of the Internet Freedom Foundation, told DW.
"The Israeli government also needs to be pressured to stop issuing export licenses to NSO if such breaches continue," Gupta added.
Lawyer Vrinda Bhandari, who helped to draft the model India Privacy Code of 2018, believes surveillance reforms are a necessity in India if privacy is to be respected.
"We must first of all have an independent inquiry into the Pegasus controversy to establish facts. The government should not shy away from it if it is in the clear," Bhandari told DW.
Data protection bill favors Indian government
Free speech activists and privacy advocates maintain that the Personal Data Protection Bill, in its current form, is not a solution to government surveillance as it exempts the Indian government from accountability.
"Our intelligence agencies need to be held accountable. Usage of such software against parliamentarians and Indian citizens needs to require judicial sanction and future declassification," Bhandari said.
Founded in 2010, the NSO Group is best known for having created Pegasus, which allows those operating it to remotely hack into smartphones and gain access to their contents and functions.
Cyber experts say it is the most powerful spyware currently available — and almost impossible to detect.