WhatsApp has sued the Isreli Company NSO for creating and distributing the Pegasus trojan. Pegasus has been a trojan that infects mobiles (Andoriod and ios) through a mobile call even if unanswered. Once infected, it enables the hacker to silently watch the activities on the phone including reading of the messages. The virus is unremovable even with a factory reset.
It has been alleged to have been used for surveillance of Bhim Koregaon activists and their supporters in India by the Indian Government, which the Government sources predictably have denied.
This is not the first time that Israel or any other hacker group has created such tools and Governments of many countries bought the tools for their surveillance requirements. Stuxnet itself was one such example. While most of the population are not worried about Government surveillance of criminal activities, the technical possibility of a trojan that can infect mobiles through an unattended whatsapp call which can take over the mobile is alarming. If today Israel can develop Pegasus, tomorrow a criminal gang can develop a variant for similar purpose.
We already know that a virus called Xhelper has already been infecting some of the phones with properties similar to Pegasus.
While the NSO has stated that it has sold Pegasus only to some Governments and the Indian Government has itself issued a notice to WhatsApp to explain how the virus was used to snoop on Indians, WhatsApp itself has filed a complaint against NSO.
A Copy of the Complaint available here makes an interesting academic study.
The Complaint mainly alleges that WhatsApp violated the terms of use since the planting of the virus involved creation of WhatsApp accounts and making WhatsApp calls for sending the malicious codes to target phones. This also resulted in “Unauthorized Access” to WhatsApp servers which is an offence under Computer Abuse Act. It appears that WhatsApp has provided some evidence and the phone numbers used for infection which indicates the area code of Washington, USA.
The Complaint has been filed at the US district court, Northern District of California naming NSO group as the defendants. The telephone company which was a party to the activity has not been arraigned.
Charges have been brought under Computer Fraud and Aubse Act, California Comprehensive Computer Data Access and Fraud Act, Breach of Contract and Tresspass to Chattels.
Relief sought includes permanent injunction besides damages.
As regards the allegation that Indian Government has used Pegasus for snooping on some activists, it is a Canada based organization called Citizen’s Lab which has released a report. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
According to Citizenlab after the report from the Lab in May 2019, WhatsApp fixed the vulnerability. Hence the current versions of WhatsApp may not be vulnerable to this attack.
Behind this Pegasus incident lies the discussion on ethics and security. While criminals continue to make use of all the tools of crime available in the deep web to create havoc on the organized society, when the Governments try to use similar counter Cyber crime strategies, the human rights activists start complaining.
Should Human Rights be used to defend the rights of criminals? is itself a question that needs to be answered by Courts. It is not uncommon in India that a large part of the time and energy of Supreme Court is spent in hearing cases of these “Human Right Activists” who specialize in defending the criminals by invoking the human right principles. Most of the times, the beneficiaries are the inhuman terrorists and criminals.
It is time for the Courts to draw a line on who can invoke “Human right” protection before trying to adjudicate on the ethics of Governments using tools such as Pegasus as”Tools of War”. Just as weapon manufacturers need to restrict the sale of military grade weapons only to sovereign Governments, any agency developing such tools should be considered responsible to ensure that it does not fall into wrong hands.
Perhaps the Court case in USA will determine whether NSO is a “Cyber Weapon Manufacturing Company” that deals with sovereign Governments only or tries to commercialize its weapons by selling it over to criminals and terrorists.
Naavi