The Indian prime minister Narendra Modi’s most prominent political rival, the opposition figure Rahul Gandhi, was twice selected as a potential surveillance target in leaked phone number data, making him one of dozens of Indian politicians, journalists, activists and government critics whose numbers were identified as possible targets for the Israeli company’s government clients.
Two numbers belonging to Gandhi, who led the Congress party during India’s 2019 national elections, were selected as candidates for possible surveillance in the year before the vote and in the months afterwards by a client of NSO, whose spying tool Pegasus allows customers to infiltrate mobile phones and monitor messages, camera feeds and microphones.
Phones belonging to at least five of Gandhi’s close friends and other Congress party officials were also identified as possible targets, according to a leaked list of potential targets selected by NSO customers. The data was accessed by the nonprofit journalism organisation Forbidden Stories and Amnesty International and shared with the Guardian and other media outlets as part of the Pegasus project.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
It is not possible to say whether a phone in the leaked data was successfully hacked without forensic analysis. But the consortium confirmed Pegasus infections, or signs of potential targeting, on phones linked to 10 Indian numbers and on an additional 27 phones around the world.
Gandhi, who changes his device every few months to avoid surveillance, was not able to provide the phone he used at the time for examination. A successful hacking would have granted Modi’s government access to the private data of the prime minister’s primary challenger in the year before the 2019 elections.
“Targeted surveillance of the type you describe whether in regard to me, other leaders of the opposition or indeed any law-abiding citizen of India is illegal and deplorable,” Gandhi said.
“If your information is correct, the scale and nature of surveillance you describe goes beyond an attack on the privacy of individuals. It is an attack on the democratic foundations of our country. It must be thoroughly investigated and those responsible be identified and punished.”
The selection of the opposition leader’s phone as a possible surveillance target in 2019 coincided with the identification of the numbers of two staff members, Sachin Rao and Alankar Sawai, who at the time were working on forthcoming state election campaigns against Modi’s party in Haryana and Maharashtra.
Forensic analysis conducted on Wednesday on the phone of Prashant Kishor, a political strategist working for the party that defeated Modi’s Bharatiya Janata party (BJP) in the West Bengal state election earlier this year, established it had been hacked using Pegasus as recently as the day it was examined.
The examination by Amnesty’s Security Lab also found evidence of intrusion by Pegasus in April – in the midst of the election campaign – indicating Kishor’s phone calls, emails and messages were being monitored throughout the final weeks of the bitter contest.
Kishor said the findings were “really disappointing”. “Those who did [the hacking] were looking to take undue advantage of their position of power with the help of illegal snooping,” he said.
Analysis of the more than 1,000 mostly Indian phone numbers selected for potential targeting by the NSO client that hacked Kishor strongly indicate intelligence agencies within the Indian government were behind the selection.
Other numbers identified in the records included those of known priorities of the country’s security agencies, including Kashmiri separatist leaders, Pakistani diplomats, Chinese journalists, Sikh activists and businesspeople known to be the subject of police investigations. The client also identified two numbers registered to or once known to have been used by the Pakistani prime minister, Imran Khan.
NSO has always maintained it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”. In statements issued through its lawyers, NSO said it would “continue to investigate all credible claims of misuse and take appropriate action”.
The Pegasus project is a collaborative journalistic investigation into the NSO Group and its clients. The company sells surveillance technology to governments worldwide. Its flagship product is Pegasus, spying software – or spyware – that targets iPhones and Android devices. Once a phone is infected, a Pegasus operator can secretly extract chats, photos, emails and location data, or activate microphones and cameras without a user knowing.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organisations, including the Washington Post, Le Monde, Die Zeit and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Following the launch of the Pegasus project, Shalev Hulio, the founder and chief executive of NSO, said he continued to dispute the leaked data “has any relevance to NSO”, but added he was “very concerned” about the reports and promised to investigate them all. “We understand that in some circumstances our customers might misuse the system,” he said.
NSO markets Pegasus as a tool for fighting terrorism and crime, but the inclusion of a major Indian opposition leader in the records – alongside political staffers, labour unionists, Tibetan Buddhist clerics, social justice campaigners and a woman who accused India’s most senior judge of sexual harassment – raises troubling questions about the way the hacking software may have been used in India.
An ‘electoral autocracy’?
It also reinforces concerns about the health of the world’s largest democracy under Modi. An independent civil rights watchdog this year downgraded India to a “partly free” country, while another classified it as an “electoral autocracy”, both citing increased intimidation of journalists, meddling in the judiciary and violence against the country’s Muslim minority since the BJP came to power in 2014.
The leaked data suggests phones belonging to numerous members of India’s independent institutions were identified as potential surveillance targets, within a system with little meaningful oversight for the use of surveillance, according to privacy advocates.
Lawyers have argued the use of Pegasus, NSO’s flagship surveillance tool, may be illegal under Indian law, which permits monitoring communications in some circumstances but explicitly bans hacking into devices. However, India does not officially admit to being an NSO customer, a significant hurdle to challenging the use of the spyware in court.
“The government has only said that if they do something, it would be done according to the proper process,” said Raman Jit Singh Chima, senior international counsel at the digital rights group Access Now.
“The allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever,” India’s ministry of electronics and information technology said in a statement. “Any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.”
The selection of Indian numbers largely commenced around the time of Modi’s 2017 trip to Israel, the first visit to the country by an Indian prime minister and a marker of the burgeoning relationship between the two states, including billions of dollars in deals between Delhi and Israeli defence industries.
Modi and the then Israeli prime minister, Benjamin Netanyahu, were pictured during the trip walking barefoot together on a beach. Days before, Indian targets had started being selected.
A net cast wide
The Indian candidates for surveillance went beyond opposition politicians. The phone number of a woman who accused India’s then chief justice of sexual harassment was selected shortly after her claims became public, along with 10 other numbers linked to her including those used by her husband and two other family members. The judge – recently nominated to parliament by Modi’s party – strongly denied the allegations and was cleared by a supreme court panel.
At least two employees of the US Centers for Disease Control and Prevention based in India, including a US citizen, were also identified, along with Gagandeep Kang, a virologist and the first Indian woman to be accepted into the UK’s Royal Society. M Hari Menon, the director of the Bill and Melinda Gates Foundation’s Indian operations, was also selected as a target, alongside several researchers and campaigners working for anti-tobacco NGOs.
The motive for the scrutiny is unclear, though the Modi government has expressed suspicion of foreign funding for charities, research institutes and NGOs and has sought to tighten restrictions for bringing in money from overseas.
More than a dozen people associated with an Indian cabinet minister, Prahlad Singh Patel, are listed in the data including the elected official himself, his family members, advisers and personal staff including a cook and gardener in 2019, the records show. It is unclear why Patel and his associates were selected.
A second cabinet official, India’s newly sworn-in minister for electronics and information technology, Ashwini Vaishnaw – whose portfolio includes the regulation of the use of digital surveillance – was also selected as a potential surveillance target in 2017. Again, the NSO client’s motives for doing so are unclear.
Journalists emerge as a major focus in the records, including several covering defence and politics at major newspapers, such as the Indian Express and the Hindu, and others associated with the Wire, a media partner of the Pegasus project.
Forensic analysis detected Pegasus activity as recently as this month on a phone used by Sushant Singh, a journalist who investigated a controversial billion-dollar contract awarded to one of Modi’s close allies in business to build a fleet of fighter jets with the French manufacturer Dassault. The deal is reportedly being investigated in France for evidence of possible “corruption and favouritism”.
The Wire reporter Rohini Singh is facing civil and criminal defamation charges over an investigation she produced into the finances of the son of India’s home minister, Amit Shah. She was selected as a target over the two years that followed the publication of the story, along with one of the Wire’s columnists, Prem Shankar Jha, and its diplomatic editor, Devirupa Mitra.
The election official
The leaked records also suggest that critics of Modi inside independent government agencies were also selected as possible targets. Ashok Lavasa was appointed by the government to the Election Commission of India, which regulates campaigning and polling, and which has for decades enjoyed a near-sacrosanct status as a symbol of the integrity of Indian democracy.
In a series of meetings in 2019, Lavasa was the sole commissioner to argue for imposing sanctions on Modi for several heated speeches he had made on the campaign trail that year, including one that critics said had incited tensions against India’s Muslim minority.
A few months after Lavasa’s criticisms of Modi became public, Indian law enforcement agencies launched what became a series of investigations into him and four other members of his family. The Pegasus project records show his phone was identified as a target for possible surveillance soon after. Lavasa, who as an election commissioner, could only have been impeached by a two-thirds majority of the Indian parliament, retired early from the organisation last year.
A national newspaper journalist who reported on the story of Lavasa’s dissenting views was also selected around the same time, along with Jagdeep Chhokar, a member of the Association for Democratic Reforms, a watchdog group that was among those sounding alarm bells about the erosion of India’s democratic norms.
Additional reporting by Shah Meer Baloch in Islamabad, Phineas Rueckert and Julien Bouissou in Paris, Joanna Slater, Siddharth Varadarajan, Kabir Agarwal and Anuj Srivas in Delhi.
Show your support for the Guardian’s fearless investigative journalism today so we can keep chasing the truth