Issue 19

The Pegasus Controversy: Locking the Stable Door

Born of the gorgon Medusa, Pegasus was a winged horse so powerful and valiant that the god Zeus turned him into a constellation, sharing the sky with Leo, Draco, Gemini, Orion, and the like. The flying white horse is a compelling emblem: the Israeli cybersecurity firm NSO Group clearly found it so, naming one of their deadliest systems after it. Their Pegasus was a chimeric attack software, capable of infiltrating the latest and most expensive smartphones. Critically, unlike many others, it did not require a target to make a mistake: you didn’t have to click a dodgy link or download a file to get infected. These were “zero click” attacks, which leveraged vulnerabilities in common software, like Apple’s iMessage.

Pegasus clients could get access to phone data in many ways: if a targeted “spearphishing” email with a link worked, fine. If it didn’t, then they’d use zero-click attacks or other means, including physically getting access to a device and infecting it. The latter was necessary in some cases where the target had reduced their vulnerability to attack by having separate devices which they did not otherwise use. Once installed, it could intercept phone calls, chats, and emails, access photos and videos, grab location data, and even activate the microphone or camera remotely. Finally, it could erase itself, practically without a trace, once access was no longer required.

While the tool has been around for over a decade, it came to public attention in mid-2021, due to a data leak (the irony!). This leak comprised around 50,000 phone numbers that were allegedly targeted by Pegasus. What alarmed the group of journalists analysing the leak was the fact that the numbers included many journalists and activists. In other words, a military-grade cyberattack tool, intended to target terrorists and the like, was being used against innocent citizens.

There are three questions we must tackle: (1) How bad is this? (2) Clearly, some bad things have happened, so who is to blame? (3) What can we do to fix things in the long term, so that such incidents do not occur in the future?

The answer to the first question isn’t as obvious as it first appears, especially in the backdrop of planetary-scale mass surveillance by the US government and many others. The level of utter betrayal involved in things like the Belgacom scandal (where the British government infiltrated a government-controlled Belgian telecom giant) or the Gemalto hack (where the US and the UK together broke into a Dutch company’s systems to obviate the new security systems it was installing on SIM cards) might make this particular case seem banal. It is critically different, however: this is a private company producing military-grade products and should be treated like a missile producer. Worse, unlike a missile, code can be replicated with ease. If Lockheed Martin sells one Hellfire missile to the wrong client, it is still practically impossible for that client to make more. Not so with this (though, of course, this kind of attack software needs to be constantly updated in a cat-and-mouse game with companies patching their defences). Clearly, there needs to be strong, international regulation of the sale of such systems, with sufficient sanctions built in to prevent misuse.

When it comes to blame, there is a lot to go around. It is important to note that the sale of NSO’s cyberattack software is regulated by the Israeli defence minister, who grants individual export licences, presumably making sure that only vetted, “good” nations get access to it. The leaked data and subsequent forensic analysis, however, indicate that the majority of these vetted nations swiftly reneged on their promises (to use this power to target criminals) and started targeting journalists and activists. This is not to say that the blame lies only with these nations: it beggars belief that NSO and the Israeli defence ministry, both supremely competent institutions, were unaware that their vetted clients were doing bad things. It would appear that they decided to look the other way. In India’s case, we have neither a strong data protection bill nor real public pressure around data security and privacy (along with outdated laws and oversight in this area). Misuse is practically inevitable, especially given that it would be almost impossible to prove in court.

What can be done? Here, I strongly agree with many other experts: laws, technical defences, and good cyber hygiene are all necessary but not sufficient. At the end of the day, the main thing that will stop this from happening in the future is strong and steady public awareness, and anger at such incidents: a government must know that this is an issue that can lose it an election. We do not have anything of the sort in India today: outrage at a privacy breach is a coffee table conversation, and, frankly, not even a heated one. If Shark Tank produces more emotion than Pegasus, don’t expect privacy breaches to be taken seriously. Until that time, the Indian government, among others, will pay only lip service to protecting privacy and security. After all, the government represents its citizens – and we, clearly, don’t seem to care.

Debayan Gupta is currently an Assistant Professor of Computer Science at Ashoka University. He is also a visiting professor and research affiliate at MIT and MIT-Sloan. Debayan’s primary areas of interest include secure computation, cryptography, and privacy.

Picture Credits: Kaspersky Daily

We publish all articles under a Creative Commons Attribution-NoDerivatives license. This means any news organisation, blog, website, newspaper or newsletter can republish our pieces for free, provided they attribute the original source (OpenAxis).

Issue 2

Culture Wars: When Private Goes Public

India and China have been engaged in a military standoff in eastern Ladakh for over 150 days now, with the worst cross-border violence since the 1962 war between the two nations. There is a heightened sentiment of nationalism in the country, which has made its way into the digital lives of several students of Ashoka University. On 24th September, two right-wing social media accounts, one on Twitter and the other on Instagram, publicly shared screenshots from a closed Facebook group of Ashoka’s undergraduate students. The screenshots were of comments made by Ashokans on a months-old post in the private group. Some of the comments in the screenshots, which were not blurred to hide the names and profile pictures of the students, were critical of “Indian culture” and the “armed forces.” 

Those who posted the screenshots claim that these comments amount to cyberbullying and point to the “anti-national” and “vile mindset” of the “activist lobby and left-wing students” of Ashoka, who “celebrated the death of Indian Army.” The comments on these posts include the use of misogynistic slurs, a call for “public execution”, and even one threat of worse-than-Hitler treatment. As of now, the Facebook group has been disbanded by Ashoka’s Student Government out of fear of other students being doxxed for their older posts. Deliberations are underway as to what should be the way forward, bearing in mind the safety and privacy of all members of the student community. 

Since the accounts are public, and the posts continue to remain online, many of the students whose identities were revealed have had to temporarily, or in some cases permanently, deactivate their social media handles. There are credible accounts of some of these students being flooded with unknown friend requests and receiving threatening messages in their inbox. While such an incident may be a first in the history of the student body, many Ashokans have individually had prior encounters with such hate and vitriol online. 

There is a sense of deep division and distrust within the student community, as comments made in a closed group with the pretext of privacy have somehow been “leaked” and put on public display. This polarisation over social media is certainly not unique to Ashoka, and it has largely characterized political discourse on social media over the past few years. Several hot-button political issues have emerged in India in the recent past. This has sharply divided many Indians. 

While there are commercial antecedents to this phenomenon (i.e. confrontational posts on social media get more engagement and therefore increase ad revenue of these platforms), there is also a sociological angle. American sociologist James Davison Hunter provided the framework of “culture wars” in 1991, through which this polarisation can be analysed. While the phrase “culture wars” has mainly been used in the context of the US polity, it can resonate greatly in the Indian context. A culture war can be understood as a power struggle between social groups with competing ideological worldviews that clash over values, moral codes, and lifestyles. Although the conflict may be fundamentally underpinned by genuine disagreement over what is good for the public, instead of positive tactics of constructively reasoning about one’s ideology with others, a negative strategy of systematically discrediting one’s opponents increasingly becomes the go-to one. 

The addition of technology only serves to vitiate this concoction further. The advent of mass media like print and television, for example, in the context of culture wars, meant that public engagement amongst opposing groups over their political differences was increasingly antagonistic and asinine. Likewise, the frontier of social media is historically unique in this regard and much more conducive to the negative strategy, according to research by Samatha R. Holley on social media’s effect on the culture war. Echo chambers and disinformation campaigns cause one’s existing convictions to be reinforced, leading in some cases to cognitive dissonance when confronted with alternative viewpoints. The algorithms that run our social media feeds are meant to psychologically manipulate us into staying on these platforms. 

As the world’s second largest social media market with 35 crore users, India is undoubtedly affected by these phenomena. In attempting to draw a picture of the warring groups on Indian social media, one may reduce it to two sides: the religious/orthodox right-wing and the secular/progressive left-wing. The right would consist of the conservative and Hindutva ideologies and the left would consist of the liberal and socialist ideologies. However, it must be noted that this crude oversimplification of the political spectrum must not obfuscate the fact that the groups are in no way homogenous or equivalent. It would be simply dishonest to deny that the balance of power tilts in favor of the right-wing in India today, in terms of finances, institutions, and human resources.

Both the warring groups claim that their “way of life”, or in some cases, their very lives, are under attack from the other side. The negative tactics manifest themselves in the form of “trolling” on the part of the right, and “cancel culture” on the part of the left. Many diverse incidents tend to be smoothed over and bracketed under the umbrella term of cancel culture. It refers to vitriolic behavior that is just as harmful as trolling, but justified, not by traditional value systems in society, but by misplaced ideals of social justice and political correctness. The use of the term here is not intended to repudiate the democratising effect of social media, which has led to traditional elites like politicians, authors, and artists being held accountable for their words and actions.

The revolution of social media in culture wars has been likened to that of industrial weapons technology in conventional warfare. Some of the strategies deployed on these platforms are dangerously harmful, and in some cases, also fatal. On other occasions, such as the incident involving Ashokans, the boundaries between the public and the private are seriously impinged. These tactics are justified by inflating the political stakes to such an extent that no means seem morally unjustified. 

Granted, in the present political climate, the stakes for minority groups and marginalized folks are indeed unimaginably high. However, many of those indulging in trolling or cancelling are doing so with a sense of speaking and fighting on behalf of the subaltern. One is being naive if they believe that fighting such online battles alone leads to anything but momentary self-gratification. Grassroots change has not been achieved when the privileged abdicate this most basic social imperative by saying “I do not owe it to educate you”. It has been achieved when students and activists heed the Ambedkarite call to “educate, agitate, organize,” with emphasis on the first step.

Deep Vakil is a student of Political Science and Sociology at Ashoka University.
