The origin of the Israeli NSO Group, which is behind the WhatsApp snooping incident in India, is rather mundane. Two high school friends, Shalev Hulio and Omri Lavie, from northern Israel started a company in 2008 to allow cellphone firms to gain remote access for maintenance.
By 2011, the pair saw more lucrative opportunity elsewhere. Using the same technology, they launched the early version of Pegasus – for mobile surveillance.
Now, the NSO Group represents a growing trend of new-age defence contractors – internet mercenaries, as The New York Times called them. From The Washington Post columnist Jamal Khashoggi’s murder to surveillance of rights activists, from Saudi Arabia to India’s Bhima-Koregaon, Pegasus is flying across the world.
Through Pegasus – the name of a winged horse in Greek mythology – government agencies can collect data from smartphones without a trace. That includes phone calls, GPS location, contacts, passwords, calendar entries and any data transmitted over apps like WhatsApp and Skype. For an intelligence officer, that is the equivalent of a kid in a candy store.
By 2013, the NSO Group got its first client – the Mexican government. To crack down on the drug cartels, Mexican agencies paid the company about $77 million.
As The New York Times reported, the NSO Group is selling its software to governments on every continent except Antarctica. While NSO offers several services, Pegasus is the duck that lays golden eggs.
Also read: WhatsApp surveillance: Are Supreme Court guidelines on tapping outdated & need strengthening?
Surveillance states
WhatsApp Tuesday filed a lawsuit against NSO Group, whose spyware Pegasus was used to target around 1,400 users globally during a two-week period in May. That included several Indian journalists and human rights activists.
Facebook is no champion of privacy. The lawsuits are part of a larger strategy – one that allows Facebook to divert attention and improve its image. Facebook would like to retain monopoly over surveillance. And one can’t rule out a larger geopolitical calculus at play.
Surveillance is as ancient as humanity itself, it existed in ancient Rome as it did it during Hitler’s rule. However, these recent events shed light on how easy it has become in the digital age and how lucrative it is for the authorities.
While Android phones are the easiest to exploit for data, the NSO Group has a near-global monopoly on exploiting Apple’s iPhones. Spyware can infiltrate a phone and turn it against you through a simple WhatsApp call, even if you do not pick up the call, reported University of Toronto’s Citizen Lab.
Also read: WhatsApp hack lasted 2 weeks, but Israeli spyware used on Indians since 2017
Rise and rise
Over the years, the NSO Group’s value kept rising. In March, the NSO Group’s co-founders raised money to buy back a majority stake in the company at a valuation of $1 billion. The London private equity firm Novalpina Capital backed the deal — whose investors include Oregon state employees’ pension fund and Alaska’s sovereign wealth fund. The NSO Group finished 2018 with a revenue of $250 million.
The firm has launched a charm offensive. A new website, spending on Google adverts, giving interviews to TV channels – the NSO Group is doing it all. In September, it even launched a fresh “human rights policy and governance framework”.
Unit 8200 – global incubator of spy tech
The NSO Group’s founders come from Unit 8200 – Israel’s elite defence force. It is also the Israel Defence Force’s largest military unit. According to Peter Roberts, a senior research fellow at Britain’s Royal United Services Institute, “Unit 8200 is probably the foremost technical intelligence agency in the world.”
Unit 8200 plays a significant role in Israel’s “startup machine”, with its graduates going on to build leading technology companies such as Checkpoint. Cybersecurity is Israel’s selling point now. The country has more than 450 firms with more than $10 billion in exports a year.
Privatised spying
The global mobile hacking market is pegged at $12 billion. The NSO Group rented its services for a monthly subscription of $650,000 for every 10 targets in 2016. The Saudis paid the NSO Group $55 million to track 150 phones.
It had a “solid 20% growth in product bookings,” according to reports.
The NSO Group and its competitor, the Emirati firm DarkMatter, best exemplify the gold rush to privatise spying. Dark Matter’s “Karma” tool has similar capabilities as Pegasus.
Also read: Liberal democracy is under threat from digitisation as govts, tech firms gain more power
Necessary evil?
With terror groups increasingly going dark, states have started using mobile malware to stay ahead. These tools of espionage have become a necessary evil.
The problem arises when state powers go too far. Enemy of a particular politician does not mean enemy of the state. The list of victims is long with a report tracking Pegasus’s software to more than 45 countries.
Jamal Khashoggi was a journalist. Not only was his privacy violated using NSO tools, but he was also hacked to death in a Saudi embassy.
From Rwanda’s dissidents to Egypt’s journalists, Pegasus was watching almost everyone.
In India, the problem is particularly vexing. First, we lack an appropriate legal doctrine. We have low-tech laws for high-tech problems. While privacy has been recognised as a fundamental right, there are no data protection and encryption laws. Moreover, unlike the US FISA Court, India has no secret court to regulate eavesdropping for national security.
Second, it is bad enough that we end up misusing these tools, it becomes worse when we exclusively rely on foreign vendors to do so. Barring the DRDO-funded NETRA, there is no serious effort to invest in indigenous technologies. Unlike Israel, we do not even have appropriate laws to allow such startups to legally exist.
In the garb of improving our national security, we are only worsening it. The foreign vendors know what India is spying on. And that’s the problem with hiring digital mercenaries – they can reveal all for a price, even to friendly neighbours.
Also read: Indian govt’s regulation policy for drones covered everything but privacy
India’s way forward
Cyber offensive is a necessary tool, and no stone must be left unturned to further national security. However certain reforms are needed.
First, cyber offensive companies should be categorised as private defence contractors. Second, India should have a phase-wise system to wean off from foreign technologies. Third, there needs to be an urgent debate on “global moratorium” on sale of spyware. Fourth, a code is a weapon, and buying and selling it needs to be looked at as acts of aggression. Fifth, we need to revisit the notion of sovereignty in the digital era. Sixth, there needs to be a regulator whose permission is needed to purchase and deploy such tools. Seventh, the vendors should have stricter policies on ultimate use of their weapons.
Meanwhile, the Indian IT ministry is waiting for a response from WhatsApp on which Indian agency used Pegasus.
Note: At the time of publishing, the founders of the NSO Group or those in know had not responded to a request for a comment or statement.
The author is a lawyer and writer. He’s an expert on issues of national security, technology, geopolitics & foreign affairs. Views are personal.
“You know very well, and the stupid Americans know equally well, that we control their government, irrespective of who sits in the White House. You see, I know it and you know it that no American president can be in a position to challenge us even if we do the unthinkable. What can they (Americans) do to us? We control congress, we control the media, we control show biz, and we control everything in America. In America you can criticise God, but you can’t criticise Israel…” Israeli spokeswoman, TziporaMenache
“Israel need not apologise for the assassination or destruction of those who seek to destroy it. The first order of business for any country is the protection of its people.” Washington Jewish Week, October 9, 1997
Whatever the case-by-case reality, the popular notion that, through the Mossad, Israel knows everything and can reach anywhere is one of the most valuable assets available to a state whose entire doctrine of defence can be summed up in the word deterrence. TIME
A bill giving the UK intelligence agencies and police the most sweeping surveillance powers in the western world has passed into law with barely a whimper, meeting only token resistance over the past 12 months from inside parliament and barely any from outside. GUARDIAN
Israel has its universities among the best 100 in the world. India is nowhere in that list. Rather than whining about the Israeli prowess in technology, India should gather its brilliant people and put them in research work in cyber security. When your enemies are taking unconventional methods to kill you, you cannot afford to hide under the umbrella of human rights and all nonsense. The world has changed a lot since you went to nursery and so should you.
No one likes their govt to know through hackers what color underwear they wear.
The first business of a state is the security of its people. And in that effort, it should spend money to neutralise its enemies.