The chief minister of the Indian state of Assam has called for Amnesty International to be banned in the country and accused it of a conspiracy to “defame” the prime minister, Narendra Modi, over its role in the explosive Pegasus leaks, which have put heavy pressure on Modi’s government.
Himanta Biswa Sarma, the chief minister of the state of Assam and a member of Modi’s Bharatiya Janata party (BJP), claimed that Amnesty’s role in the investigation into numbers of citizens and political leaders in countries across the world, including India, appearing on a leaked data list was part of a “long history of hatching conspiracies against India’s democratic fabric and its leadership”.
He alleged that Amnesty International worked “to encourage leftwing terrorism in India and defame India and PM Modi” as well as “create dissatisfaction among the sections of Indian society”.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Amnesty, a global human rights organisation, had initial access to the leaked list of more than 50,000 telephone numbers believed to have been selected for possible surveillance by government clients of NSO Group, which sells the surveillance software Pegasus.
Among the numbers on the leaked list were dozens of Indian journalists, activists, lawyers and critics of the government, including key Modi rival Rahul Gandhi. The opposition Congress party has alleged that Modi’s government was a client of NSO and had deployed Pegasus spyware against its own citizens and political opponents.
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”.
In statements issued through its lawyers, NSO said it would “continue to investigate all credible claims of misuse and take appropriate action”. It has said the fact that a number appeared on the list was in no way indicative of whether that number was selected for surveillance using Pegasus. But the list is believed to be indicative of individuals identified as persons of interest by government clients of NSO.
Amnesty also offered technical support to the investigation, with its security labs conducting tests and forensic analysis on several phones to determine if they had been hacked by Pegasus spyware.
Amnesty has already faced growing pressure from the Modi government, including multiple raids on its offices, after it published several reports critical of the government’s human rights record. In September last year, Amnesty had to halt operations in India after its accounts were frozen by the government in what it described as a “witch-hunt”.
The Congress party has called for an independent investigation into whether Modi’s government was using Pegasus spyware.
Sarma was among several senior BJP figures who alleged that the Pegasus leaks had no basis in truth and that Amnesty’s role proved it was part of a global conspiracy against India. “I strongly condemn this conspiracy and demand a ban on activities of such organisations which are hell-bent on defaming and harming our nation,” he said.
Related: Response from NSO and governments
Nonetheless, pressure continued to mount on the Modi government over the Pegasus allegations, including accusations of treason. Mamata Banerjee, the chief minister of West Bengal who recently defeated the BJP in state elections, urged the opposition parties of India to unite to challenge the “surveillance state” of the Modi government, and called Pegasus “dangerous” and “ferocious”.
“Three things make democracy: media, judiciary and the Election Commission – and Pegasus has captured all three,” said Banerjee, whose own nephew’s phone number was on the leaked data list.
Banerjee called on the supreme court to intervene and investigate the surveillance of Indian citizens.
“Save the country, save democracy,” she said.