 Hello and welcome to NewsClick. Project Pegasus is making waves around the world. This follows reports by 17 media organizations globally, which state that the phone numbers of a number of activists, politicians, judicial officers, etc., have been found in a database and the phones could have been infected with the Pegasus spyware. Now there's a lot of focus on which are the politicians, which are the activists who are in the list, who's being spied upon, etc. But what exactly is this Pegasus spyware and what is why is it so dangerous? To talk more about this, we have with us Praveer Purkayastha. Praveer, thank you so much for joining us. So, of course, we've all heard about malware and spyware in various contexts, but Pegasus is something quite different and we've been hearing about it for a couple of years now. There have been reports of activists being targeted and this is considered the motherload of information on this, so to speak. So, could you maybe first take us through what exactly Pegasus is? Well, that's a good question, but you'll have to ask Enes, so far, that rather than me. We can only talk about what we know about Pegasus software. It is the flagship of NSO because more than three-fourth of the revenue of NSO comes from this and now it's more than this company is worth more than a billion dollars. So, it's reached big league. Israeli company. Israeli company. It's reached big league. It also works very closely with the US Defense Department because it has to be licensed if it has to be sold outside Israel and the Defense Minister or the Defense Ministry has to give it the clearance. So, it seems to be very much a part of the larger strategic infrastructure of Israel itself because it has a role in its foreign policy. Now, coming to what you were asking, what does Pegasus do? You know, we have been talking about computer viruses and also computer malware. That's how we normally talk about malware that it is basically comes to your computer, to the internet, when you go to certain sites, you click certain things or the more what is commonly called as phishing. That is something comes to you, you click and then the malware is installed in your system. Pegasus is basically has two things. Once it is targeting essentially smartphones. Now, smartphones are much more commonly used and of course, they're also they go with us wherever we go and Pegasus not only infects the phone and we'll come to that later. But what it does, it also gets access not only to your data, but also to the mic on the phone and also the camera. That means even if you are not doing anything with the phone, it can actually record a conversation if the phone is there. So that's the level at which it is able to monitor. So as I said, not only data, but it can be also used to record, activate the camera, record what the video is, and also activate the microphone and record the conversation. And then of course, what is called exfiltrate, we send it out to what would be called the Pegasus service, which is generally deployed by the agency, which buys the software. So this is the structure on which it works. The second dangerous part of the Pegasus software is unlike other examples that we gave fishing, meaning that you click something under the malware gets installed, you visited certain sites, you click certain thing there, then of course, your computer gets infected. This particular thing is supposed to be what is called zero click installation. That means something has been sent to your phone. You have not done anything. You have not looked at it. You have not clicked anything. Even then it's able to install itself on the phone. And normally the belief was the iPhone was a safe phone. iPhone has also been cracked. And in fact, iPhone has, as we know, people who believe that iPhone would give them some security have found to their horror that iPhone also has been infected. I'm not going to details into how it has been infected or what are the weaknesses that iPhone had for to permit this kind of hacking of their systems. But essentially, whether it's an Android or it's an iPhone, both have been compromised. iPhone has one advantage that at least you can find the logs of iPhone. And therefore, if you check, for instance, the phone and see whether it has been installed or not, you will know the suspicious logs, same certain things being common. You know that most probably or with the almost near certainty that this phone has been compromised. Android is more difficult because Android does not maintain these kind of logs. So this is the part of why Pegasus is so dangerous because it takes control of your phone and then acts as a spy. You have a spy in your pocket, so to say, which can track you where you go as well as track what you are saying and at an extremity, also able to record videos of whom you are meeting, where you are and so on. So this is a highly dangerous piece of software. And honestly speaking, the security experts were asked, what can we do to protect ourselves against this? And the answer was virtually nothing. That means we as individuals, we cannot do it. The real issue is, and this we can talk later, is that only if a societal protection is sought, which means we decide that certain things should not be done and should be internationally forbidden, both under treaty provisions as well as companies who work in jurisdictions, because all companies are in some jurisdiction or the other. So it is a sovereign states which have to accept that hacking is not okay. And this is something which has been talked about earlier as well, that countries are now hacking on a mass scale and that is far more dangerous because you are putting 500,000 highly trained software people to develop this kind of quote unquote weaponized software. And that poses enormous dangers to everything that we have. So it might seem very attractive for a state to say, okay, we will spy on the people we don't like. And at the moment this government for instance in India might do that. But the larger danger is that anybody who has access to this can do it to anybody. And that opens a panderous box which I think is very dangerous for society. Absolutely. And right now of course, NSO agency says that this is only sold to governments, which is very indicative then and throws a lot of questions at governments across the world. But I think like we have discussed in the past, there's always a possibility that a version of this could leak out at which point then it becomes a fair game for anybody. Let's first take the claim that's been sold to governments. Now as we know, there are governments and governments. The point also is that there are governments which also deal with similar kind of software weaponizing spyware so to say. And we know of course after the Snowden revelations that the United States, the NSA, the CIA and the Five Eyes, they all have done this to various people they have suspected or attacking others. As you know, we had even Angela Merkel's phone for instance being tapped by the NSA. So all those things are already in public domain. What this makes it makes available is that what was the prerogative of a few states, this has now become something you can buy. Any country which has money can buy this service. There is an installment I guess you have to pay up front and after that maybe you have to pay every few months the license fees or certain things. You have to pay for the NSO server that has the Pegasus server which has to be installed. All of that costs money. So we are not privy to what the money transactions are but I guess it also depends on how many people that you are surveilling. So I think that has some relationship to the amount of money that has to be paid. But if you take all of this into account, the threat is that governments now much larger number of governments now have access to this software thanks to Pegasus and they seem to be delegate to all in summary irrespective of the claims that they are very selective sell it to only government agencies. But the question is which government agencies and which governments are repressive governments and no government is safe as we saw. If you remember the Nixon case for instance President Nixon was also mugging everybody that he could. So given that kind of scenario to argue that you can have malware being made available globally is I think extremely dangerous even if it is in the hands of the governments and even if it is the hands of quote unquote good governments because there aren't no good governments in the sense. The other question that you asked what happens if it falls in the hands of criminals. The argument is very simple that you need one person in NSO to be able to infiltrate their software just as CIA and NSA's. NSA's whole toolbox was dumped on the internet after they try to get money from the from NSA or the US government to saying that we have your software your whole box of tricks unless you give us we will dump it on the internet they would they did not give money or to the extent the money was asked and then they did dump it on the internet what happens is what the Microsoft CEO had said at one point that if nation states develop this kind of software that's far more dangerous because a bunch of crooks sitting in a garage can only do some damage but they can't do the extent of damage say 500,000 as I said well trained software engineers can and this is the risk that we now are seeing extended to civilian areas where all this kind of software is now slowly coming in and at some point this is going to leak into public domain it's going to leak into unscrupulous hands. So criminalization at some point is going to take place even if we accept that what NSO does is give it to governments who are repressive but give it to only governments but the step is not too far away when it will actually also fall into the hands of unscrupulous individuals who can create havoc with this kind of software and probably finally I think this also calls for at a governmental level far more transparency in terms of issues like who the government intends to surveil or who agencies intend to surveil because one feature of this spyware is that you don't even necessarily have to surveil a prominent person you can always surveil someone in the immediate circle friends you know staff members we have already seen reports of that so it actually just expands the dragnet of people who can potentially be brought under the radar. Yes of course but that's the known part of surveillance that you don't just surveil the person that you are targeting you also surveil his driver because it's known that a lot of the ministers would use the driver's force for instance so political figures use the driver's force so that that's why the dragnet is larger than merely the person you are targeting but that's a part of the surveillance game as it were you know the problem that we have is what are the checks and balances in any country with regards to use of this software and unfortunately whether it's the United States whether it's India whether it is the UK for instance three different countries all of them are quite opaque when it comes to what they call national security you have a blanket national security state of the United in the United States say with what the GCHQ does in UK and now we are finding that the government of India has used most probably it's still not willing to say yes or no except to say that we have not done unauthorized use we have not unauthorized unauthorizedly tapped people so authorized who is authorized what has been authorized is still an open question so we leave it at that because you are asking me more about the technical nature of what we what we are discussing so I think the long-term solution is the world has to accept that unless it is willing starting with nation states to stamp out this kind of snooping software and weaponizing of software I think we're in entering very dangerous territory so like we banned chemical weapons like we banned biological weapons at the time has come to ban cyber weapons and this is actually weaponized software if you take what it really does thank you so much Praveen for talking to us that's all we have time for today keep watching news click