Pegasus panel did not find snooping proof on devices?

A panel of experts appointed by the Supreme Court has found no evidence that the spyware tool Pegasus was used to snoop on the phones it studied, a person aware of the matter told HT, citing technical analysis that may be part of the report submitted to the top court.

The committee, headed by former Supreme Court judge RV Raveendran, analysed more than 100 devices and details of the finding are in an over 600-page document submitted to the court over a week ago, the person said on condition of anonymity.

The submission stating a lack of evidence was in reference to the first question in the committee’s terms of reference, which was to determine “whether the Pegasus suite of spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversations, intercept information and/or for any other purposes not explicitly stated herein”, the person cited above said.

HT has not seen a copy of the report.

“This is a pending matter,” Raveendran told HT. “This is not an independent inquiry and the matter is sub judice. The court will disclose the details in its own time.”

Also read: Jharkhand: Pegasus ‘target’ journo, arrested a day ago, has ‘Maoist links’

To be sure, HT could not verify if there were any caveats to the findings that were pointed out by the panel. A date of hearing of the case has not yet been set but the case is likely to be listed on August 12 before a bench comprising Chief Justice of India NV Ramana and justices Surya Kant and Hima Kohli, according to the court registry.

The mandate of the panel also included determining details of those targeted with the spyware, the actions taken by the government of India following the alleged illegal infiltration, whether the government acquired Pegasus to spy on Indian citizens in the first place, and if it did, under what rule or guideline.

“The rest of the questions fail to be relevant once the panel has concluded that there is no evidence that the spyware was used to snoop on the devices at all,” said the person mentioned above.

The person quoted above added that the report indicated the findings were based on “sophisticated tests” conducted by the panel on the devices people voluntarily turned in.

Among the tools used was one made by Amnesty International, which was among the non-profits that examined Pegasus infections, and the programme was also used in other countries for forensic analysis. The government also used its own tools and devices and over a 600-page document refers to the technical analysis and the methodology, the person said.

The controversy began in July 18, 2021, when a consortium of media outlets and investigative journalists reported that the phone numbers of Indian ministers, politicians, activists, businessmen, and journalists were among the 50,000 selected for infection with the Pegasus malware. Three HT journalists were a part of the list.

The malware is regarded as a military-grade tool, deploying cutting-edge methods to infect a person’s device and intercept calls, turn on the microphone or the camera, and access any device data, including messages, photos and videos.

From among the 50,000 phone numbers reported in the media stories, several were later found to have been infected through independent forensics by other countries and organisations.

According to cybersecurity expert Anand V, it is “in general difficult, if not impossible to ascertain infection by Pegasus on Android phones”. “The two iPhones I had a look at are from journalists Siddharth Varadarajan and Sushant Singh. Both of which had traces of Pegasus infection,” he said, adding that the analysis was based on the presence of process names documented to be used by Pegasus over seven years of research by numerous researchers and cyber security companies including Google, Apple, Lookout and Trend Micro.

The malware is made by Israel-based NSO Group, which has maintained it only supplies to government clients

Among the Indians who featured on the list of 50,000 numbers were those of 38 journalists, former Congress party leader Rahul Gandhi, two of his aides, political strategist Prashant Kishor, former election commissioner Ashok Lavasa, former Union minister Ravi Shankar Prasad, and incumbent Union ministers Prahlad Patel and Ashwini Vaishnaw.

At the time, Vaishnaw dismissed the allegations, saying in Parliament that there were inconsistencies in the media reports. “One report clearly states that the presence of a number on NSO’s list does not mean it is under surveillance,” he said. “The consortium has accessed a leaked database of 50,000 numbers. The presence of the number does not indicate whether there was an attempted hack, or a successful one,” he added.

Among the people who turned in their phones for analysis and gave testimonies to the panel were Sashi Menon, Sandeep Shukla, N Ram, Rupesh Kumar, Jagdeep Chhokar, John Brittas, Siddharth Vardarajan, professor David Kaye, J Gopikrishnan, and Paranjoy Guha Thakurta.

Also read: US government hackers using spyware to target diplomats’ phones, alleges House intel panel chief

In October 2021 — while hearing the Pegasus case – the Supreme Court held that the Union government cannot get “a free pass every time” by raising the spectre of “national security” when the issues concern the “potential chilling effect” on right to privacy and freedom of speech.

It appointed a committee, under the supervision of retired justice R V Raveendran, to be assisted by former IPS officer Alok Joshi and cybersecurity expert Sundeep Oberoi.

The technical panel comprised Dr Naveen Kumar Chaudhary, dean of the National Forensic Sciences University in Gandhinagar, Dr Prabaharan P, professor at Amrita Vishwa Vidyapeetham in Kerala, and Dr Ashwin Anil Gumaste, an institute chair associate professor at IIT Bombay.

The first deadline for the report was May 20, prompting the Supreme Court to ask the panel to expedite its investigation. The deadline was then extended, and the report finally submitted over a week ago after multiple delays.