Ever since 16 left-leaning media houses in the world reported about an alleged list of 50,000 people under surveillance using the Pegasus software, the opposition in India is using the same to attack the Modi govt. The Wire was one of the media partners of ‘Project Pegasus’, run by France based Forbidden Stories and Amnesty International. It had claimed that several Indian journalists were under surveillance using the Israeli software which is only sol to government agencies.
Media reports have also claimed that several world leaders including French President Emmanuel Macron and Pakistan PM Imran Khan appears in the list of 50,000 names which were allegedly being spied on using the Pegasus software made by Israel based NSO group. Rahul Gandhi’s name also allegedly appeared in the list. The list was provided to the media houses by Forbidden Stories, which claimed that it was ‘leaked’. Amnesty International is the collaborator of Forbidden Stories, which said that the Amnesty International’s Security Lab had did forensic tests on some of the phones belonging to people on the list.
Although this has been used by left-leaning media worldwide to claim that several countries are using the Pegasus program to spy on journalists, political opponents and others, there are several unanswered questions in the story. The statements used by Amnesty International and the text of the articles by Forbidden Stories also raises these questions.
Yesterday, an Israeli media house reported that Amnesty International Israel has issued a statement saying that the list of 50,000 numbers is not directly linked to NSO. They said that the list contains people who are marked as targets for surveillance by NSO customers, which means governments and agencies using the Pegasus software. The group also said that they found evidence of intrusion by the software on 37 phones after their forensic study.
Today Amnesty International issued another statement, saying the statement of Amnesty International Israel in Hebrew was misinterpreted and mistranslated. However, it still does not say that the list came from NSO, and that 50,000 people were indeed under surveillance.
The statement issued by Amnesty says, “Amnesty International categorically stands by the findings of the Pegasus Project, and that the data is irrefutably linked to potential targets of NSO Group’s Pegasus spyware. The false rumours being pushed on social media are intended to distract from the widespread unlawful targeting of journalists, activists and others that the Pegasus Project has revealed.”
The statement says ‘potential targets’ of the Pegasus software, which means there is no evidence that everyone in the list was under surveillance. It is puzzling why Amnesty issued this statement, as this does not make any sense, and it actually does not refute the reports on its earlier statement. If the list contains ‘potential targets’ for snooping, which means they were not under surveillance. Therefore, there was no misinterpretation of its Hebrew statement.
In fact, Forbidden Stories is also ambiguous about the 50,000 numbers on the list, as they also do not say all of them were targeted. In the “About The Pegasus Project” page on their website, they write that more than 50,000 phone numbers were selected for surveillance by the customers of the NSO Group.
They say they have accessed the records of phone numbers selected by NSO clients in more than 50 countries since 2016. NSO clients here refers to governments and government agencies using the software, as it is sold to such customers only. Nowhere does Forbidden Stories say that all of 50,000 were under surveillance using the software, they only say they were ‘selected’ for surveillance by various governments. According to them, more than 50,000 numbers are from more than 45 countries, and at least 10 countries were entering numbers into a ‘system’ for surveillance.
However, the original report by The Guardian on the ‘expose’ itself says that the presence of a number in the data does not mean there was an attempt to infect the phone. It also says that the presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack.
Therefore, Forbidden Stories, Amnesty and their media partners confirm that there is no evidence that 50,000 people were under surveillance using Pegasus, and it was only a list of ‘potential targets’ prepared by various governments. This raises a question, how they obtained this list if they are only potential targets and not real targets.
As Amnesty themselves have clarified, the list didn’t originate at NSO. And that seems to be correct, as it is a list of alleged potential targets by different governments, the respective government agencies will have the list, not NSO. The Guardian report itself quotes NSO saying that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
It is a valid argument, when government intelligence agencies purchase such surveillance software, they operate it on their own, and definitely will not share the data of their targets to anyone, not even to the vendor of the software. That is true with any enterprise software, for example, banks may use database programs made by Oracle, but Oracle will not have access to the database of individual banks.
Therefore, it is a big mystery that the group was able to access a list from several countries located in different continents. The Guardian Report on the ‘expose’ says ten governments, which use the software, were entering the numbers into a ‘system’, from where it was purportedly leaked. But that is a highly improbable scenario. Why different countries like Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the UAE will be entering sensitive information into a common ‘system’, it defies logic and common sense.
If the list of 50,000 number only contained potential targets and not actual targets, there is no reason why different governments will enter those numbers in a single ‘system’. The intelligence agencies of individual countries will be storing such sensitive data in their own internal systems, separated from the internet. It can be said with confident that India can run such a surveillance program on its own, and does not need to use a system also used by countries from Middle East, Europe, Africa and the Americas.
NSO also says that the data could be from general data availably easily, like HLR Lookup services. HLR or Home Location Register contains information about customers of a GSM mobile network, and it is essential to connect the phones with the networks.
Therefore, the list of 50,000 numbers can be from any random list generated automatically by telecom infrastructure around the world, and not necessarily prepared by countries to spy on them.
Forbidden Stories and Amnesty International are yet to reveal the source of their list. They say its genuine, they say customers of Pegasus had prepared it, but does not say from where it was leaked. They also do not say how they were able to obtain the list from different governments all across the world.
Forensic analysis and anomaly in numbers
Amnesty International’s Security Lab allegedly did forensic study of 67 phones from the list of over 50,000 numbers, and found traces of the Pegasus software on 37 of them. Now, this ‘forensic test’ also raises questions.
67 is a very small number for a list of over 50,000. It means only around 0.01% of the numbers were physically checked. Although it is correct that they may not be able to check the phones of politicians and businessmen, they could have accessed more phones from others like journalists and academicians on the alleged list.
There is also a huge anomaly between reports by Guardian and Wire and the article by Forbidden Stories on number of phones checked for attack by Pegasus. The media reports say that 67 phones were analysed and 37 were found to be targeted, which means 55% of the examined phones had traces of the software. On the other hand, the Forbidden Stories does not say how many phones were checked, but says that 37 were infected or attempted to infect. However, it says that this number confirm infection or attempted infection with NSO Group’s spyware in 85% of cases.
This is a big anomaly, because 37 is 55% or 67, not 85%. If we go by the article, it would mean 43 phones were examined. That would mean, even lesser number of phones were analysed by Amnesty to validate the claims.
Another issued that needs to be noted that is that ‘forensic analysis’ was done by Amnesty International, and this was peer-reviewed and confirmed by Canadian organization Citizen Lab, which is funded by George Soros. Both these organisations are far left-wing organisation, with huge bias against conservatists across the world.
All these issues show that there are big holes in the allegations of spying on people using the Pegasus software by various governments. There are no proof that over 50,000 people are under surveillance because they are only ‘potential targets’ allegedly selected by the govts for surveillance. The alleged forensic study also raises questions because of the organisations involved and the very small number of phones examined by them.