Hello and welcome to NewsClick. Today, we're going to discuss the implications of the news that a number of Indian activists were among the people targeted by Pegasus, a spying software developed by an Israeli company. The news came out after WhatsApp told the Indian Express that at least two dozen activists were among the 1,400 people targeted by this software. A number of lawyers and activists have also come out and told the media that they got messages from WhatsApp and another organization telling them that they were being targeted. To talk more about this, we have with us Prabir Prakash. Hello Prabir. Prabir, so could you first start by telling us what exactly is Pegasus and how does it work and how can it be used to target people, especially on WhatsApp since it's a safe software?

Well, a lot of people have used WhatsApp in the belief that it is end-to-end encrypted and therefore it is safe. Now, we know that 24 people at least in India were targeted, and who targeted them is a question we need to return to, and the total number targeted in the world is about 1,400. So, as you have said, and one of them is supposed to be Khashoggi, who was targeted obviously by Saudi Arabia, who had bought the software from Israel. Now, of course, in this case also Israel has sold the software to the Indian government, because they claim they sell it only to government agencies, because the targets that have been revealed, who have been really targeted, are people who obviously were targeted by the government of India. They're involved in the Bhima Koregaon case, charging Maoists for trying to infiltrate and create various things, activist Bela Bhatia in Chhattisgarh. So, if we look at the profile of these people, these are also exactly the people who are sought to be targeted in different ways by the government, particularly before the elections.
So, this is clearly something we need to now seriously consider, that the governments along with agencies of the Israeli government are selling software which is really weaponized software. You asked, what is Pegasus? What does it do? Now, Pegasus is a weaponized software in the sense it is used to penetrate the devices of the people. So, it is not something which penetrates WhatsApp. That is not what happens. What it does is, if you actually use the phone to which it has either given missed calls, or it has invited you to some group call, or you have got a video message which you have tried to open, all of these apparently plant malware in your cell phone, in your smartphone, and that in turn compromises the device itself. Once it does that, then it has the ability to send everything you have on the phone to an external node, which is then run by the company or the institution or the agency which has bought the software from the Israeli company. Now, this is how the devices get compromised. So, it is not that WhatsApp encryption is broken, but since anyway your device knows what you have written, what your contacts are, none of this is actually encrypted on your phone. Therefore, what it means is that the entire information you have in the phone can be taken out, and this is exactly what happens. So, this kind of weaponized software is actually embargoed in different ways. There have been a lot of discussions in international bodies that cyber weapons should not be used or should be banned. Nation states should not be doing it. Unfortunately, the United States has been at the forefront of arguing that cyber weapons are difficult to ban for various reasons, and they will not enter into any discussions and negotiations of banning cyber weapons. Saying because it is difficult, therefore we do not think we should be banning it, but privately their position has been that we have an edge in cyber war over others and we should not compromise that.
If you remember the nuclear weapons, this is exactly what the US had argued, that we have an edge on nuclear weapons and therefore we should not have a weapons ban, a nuclear weapons ban, and it took about four years till the Soviet Union also secured the capability of nuclear weapons. So, this is unfortunately a policy which only endangers the world much further, and the evidence of that is what we are seeing today. But let us also face facts that these also leak. All of these, whatever the governments say, unfortunately all of these leak, and as you know, both the CIA and the NSA suite of malware for violating, shall we say, the phones and computers of people have all been now dumped on the internet and are openly available. So, what you have done is armed a whole number of people with malware weapons, cyber weapons effectively.

So, a key point you mentioned is that the software is sold only to state agencies or state actors. So, the Indian government so far has refused to respond in any way to these accusations and charges, and WhatsApp has also filed a case in an Israeli court calling for the cancellation of NSO, the manufacturer of Pegasus, their export license. So, there has been an argument raised, of course, that traditionally governments have always indulged in some form of surveillance. So, qualitatively, what is the difference that the use of this kind of technology brings about?

You see, the one issue that comes up when you have a supposedly surveillance state is that they are supposed to do it only under certain legal conditions. So, both in the United States and in India, for example, there are supposedly laws which regulate what a state agency can do or cannot do, and if it has to surveil its own citizens, what are the narrow grounds under which it can do so.
Now, we also know that these are violated in actual practice, because in the case of the United States there are the secret FISA courts which have allowed blanket surveillance, and that is now public after Snowden's disclosures. Nothing really has changed with all of that. Still the FISA courts are completely opaque; what they allow government to do or not do, we do not know. We have known it for more than 10 years that AT&T was allowing all the traffic through its network to be accessed by NSA, which was verified when Snowden's disclosures became public, and we also learned so were the other telecom companies doing it. In the Indian case, again, we now know that there is blanket clearance that the government has got, which is post facto signed as a bulk order by the secretary of the Home Department, and I think it also involves the telecom department in some way, but all of this means these are post facto signatures which allow for bulk surveillance. So bulk surveillance instead of targeted individual surveillance has become the de facto legal norm, by either the FISA courts in the US or the way the Indian courts had given the instructions in the way government has implemented them. These are all public at the moment, though government takes the usual position, they will neither confirm nor deny it. But as we know, we worked this calculation out, I think the secretary has to sign something like 1700 individual orders a day if this is what is supposed to be done, and we know that this is not being done in that way. This is really bulk clearance, taken with one signature, and then of course lower down the line people just pass it on.
So given this, this is around bulk surveillance. So what's the difference between this and that? This is actually without any surveillance. This is not even going through the legal route that is there. This is basically hacking into somebody's phone. It is not even taking a legal permission of the kind we talked about, in which case you do it through the exchange and you only look at the traffic. Here you are hacking into private property without a warrant. It's effectively carrying out a search on somebody's computer, extracting whatever you want out of it without any legal permission. It's equivalent to stealing. Say if my phone is hacked, it's equivalent to stealing my property. Now government has a legal right to seize property under certain conditions. Can it steal property? That's really the question, because you are not monitoring traffic, which is what you do when you talk about surveillance. This is hacking into somebody's phone. It goes qualitatively beyond that, because you are trying to get my information which I have stored believing it's my property, it's on my phone. And please understand that, for instance, my passwords for banks may be here. So if all of that is there, I could also keep secret documents over here, all of that is of commercial value, and it has of course huge safety issues for me, because of the kind of information I can keep on the phone. If it falls not into government hands alone, don't forget, it falls into the hands of the people who are running the government machinery. And as we know, even under NSA, people were using it to see private messages. Husbands and wives are sending images of themselves. All of this was a feast for the eye of the NSA people who are doing the surveillance.
So this is the kind of secret, sensitive, shall we say, absolutely, completely private, intimate information people will be storing on the phone, all of which can then be taken out by the government and a government agency which is unaccountable, with no legal procedure whatsoever. And this is, as I said, not only invasion of privacy, it is seizure of my property, and this all is being done without any legal sanction. So there is the illegality of it, but illegality not with respect to traffic, what I'm talking to you on the phone, but illegality of it because you're seizing my private property without any order whatsoever. So when an activist's computer or phone is seized under an order, some legal document is given, he signs it and says yes, I've handed over my computer, but this is none of that. So I think this goes far beyond anything which is legally permissible either under Indian law or any other law. So I think this is a very, very serious cause for concern, and it is certainly not on par with surveillance.

And finally, you mentioned the debates regarding some sort of an international framework on some of this kind of software. So according to you, what would be, say, the kind of contours of such a framework which would actually effectively stop the use of such software?

Well, you know, weaponizing this kind of software, or what would be called cyber weapons, is a threat, we have to understand, that is far beyond what is simply compromising my phone. Yesterday, for instance, Kudankulam's administrative computer was hacked. Now the point is, in the case of Iran, as you know, the uranium centrifuges were hacked. Now this could have led to destruction of, say, some of the centrifuges. It could have also been far more serious in terms of a public health issue it creates by dispersion of uranium, purified uranium, in the atmosphere.
So all those are threats, but the much bigger threat is, for instance, I use a cyber weapon and I blow up a nuclear reactor, which is theoretically possible. It is like a nuclear bomb. So these are the kind of threats that come out with cyber weapons. Why do malware and cyber weapons differ? Malware in general is something you and I can sit in some basement and try and create, something which is a virus which compromises computers and can do various things, but they do not have the kind of scale or ability to penetrate really things or computers which are in the heart of various systems which are physical systems, and those physical systems are controlling processes which can be extremely hazardous. So only nation states really have the ability to create this kind of malware, this class of malware which poses a threat to the grid and to physical equipment and therefore life and property, and these are all therefore equivalent to what are called kinetic weapons, which create physical damage. So therefore cyber weapons today are the same class of weapons as any other kinetic weapons, and therefore nation states not doing this would remove a huge risk from the world. As I talked about earlier, such weapons do get into the public domain. The fact that the entire CIA surveillance suite as well as weaponized malware is out there, so is the NSA's, all of it means we have just put the world at far more risk today. And this is why cyber weapons are sought to be repeatedly brought to public fora and international negotiations. There is a UN committee on that; it has finally virtually given up work on that. This came up in the telecom conference called WCIT in Dubai, where all the global countries had met for purposes, again, of the internet, how to revise the telecom rules and laws which have been internationally agreed upon, the international treaty with regard to telecom, and the United States led the abandoning of the WCIT. Of course a number of other countries signed it, but the leading countries, the
western democracies as it is called, walked out of it, and one of the reasons they walked out of it was trying to control how the internet should be used by nation states and the fact they should not be used against each other, and that's what's really led to the rupture.

Right. Thank you Prabir. That's all we have time for today. Keep watching NewsClick.