Pegasus Spy Row: Will The Government Ever Answer Why It Breached Its Citizen’s Privacy?

During the times of peace prior to COVID-19 altering our existence, there was another type of invasion taking place—a one which entered quietly into the private online existence of individuals across the globe. The Pegasus spyware controversy ranks among the largest privacy violations of our era, but years down the line, we still have more queries than solutions, particularly in India where 100 individuals were surveilled unknowingly.

The story is a sort of virtual spy thriller, with spy agencies, powerful surveillance gear, and governments that refuse to give straight answers. Considering this complicated story, we must fac

e a tough question: In a democracy, what do you do when the institutions that are charged with protecting citizens might be spying on them?

Pegasus Row: The Revelation of a Global Spying Program

Six years since WhatsApp informed the Indian government of 121 Indian WhatsApp users being targeted by the Israeli spyware Pegasus, fresh court documents have revealed that 100 Indians were directly targeted by the spying app. That puts India at the world’s second highest number of Pegasus victims, second only to Mexico at 456 victims. The documents were filed in WhatsApp’s lawsuit against NSO Group (the creators of Pegasus) and disclosed 1,223 individual victims across 51 countries. Mexico and India follow, and then Bahrain (82), Morocco (60), Pakistan (58), Indonesia (54), and even Israel (51).

This comes after a long court fight that started in 2019 when WhatsApp sued NSO Group. The messaging application accused the Israeli company of taking advantage of a vulnerability in its platform to infect more than 1,400 devices worldwide with Pegasus spyware. Targeted were journalists, human rights activists, and other public figures; people whose work has the tendency to keep powerful groups accountable.

The lawsuit made major progress in December 2024 when US District Judge Phyllis Hamilton decided that NSO Group had broken the Computer Fraud and Abuse Act and WhatsApp’s terms of service. The ruling gave WhatsApp a legal win, showing that NSO’s behavior was illegal. The lawsuit will now continue to decide how much the surveillance company will have to pay.

Will Cathcart, WhatsApp’s Head, was pleased with this move. He asserted that “We invested handful of years making the case because we firmly believe that spyware entities can’t hide behind protection or avoid liability for their unlawful acts.” He also issued a warning that needs to be heard in the boardrooms of surveillance businesses worldwide: “Surveillance businesses ought to know that unlawful spying will not be tolerated.”

Indian Government: A Web of Denial and Deflection

The government of India quickly responded to such reports in the news by dismissing them and pointing fingers. As the scandal emerged in 2019, the government swiftly pinned the blame on WhatsApp instead of focusing on the fundamental issue—the fact that Indian citizens’ surveillance was done behind their backs. At the same time, WhatsApp accused NSO Group, maintaining that it only sells its spyware to governments. In all this, the Indian citizens remained confused over the person really responsible for breaking their privacy.

The Citizen Lab is a well-known Canadian non-profit organization that partners with the University of Toronto. They’ve been tracking NSO Group since 2017 and reported that there is “reckless abuse” of the spyware by “government clients” in some countries. Their research indicated that a government department might have used Pegasus in India too, but the Indian government denied this completely.

These developments happened at a most inopportune time for the government, which had just tabled its Personal Data Protection Bill in 2019. The bill had been criticized by some cyber security professionals as “data snooping-centric.” Even Justice BN Srikrishna, the head of the committee that had drafted the bill, had expressed fears that some of the provisions would make India an “Orwellian State”—a reference to George Orwell’s novel “1984,” in which the people live under the constant surveillance of “Big Brother.”

IT and Telecom Minister Ravi Shankar Prasad dismissed these assurances, backing the government in the Lok Sabha by stating, “We are protecting the privacy of citizens.” But such assurances ring hollow when contrasted with the government’s reluctance to provide categorical answers to the question of whether it was actually an NSO client.

What Is The Pegasus Machine: Is It A Digital Trojan Horse?

In order to realize just how bad things are, we have to understand how invasive Pegasus spyware is. It takes its name from the winged horse in Greek mythology, standing for imagination, but this online Trojan horse exists for a different reason altogether. NSO CEO Shalev Hulio explained they gave it the name Pegasus “because what we created was in fact a Trojan horse that we launched airborne into devices.”

Even Alexander Graham Bell, the inventor of the telephone, could never have dreamed that his device would someday be used for such invasive eavesdropping. Pegasus is not just any malware; it’s a very effective spyware. Once installed on a device, it can:

1. Enter cellphones without being detected so that the users are unaware that they are being tracked.
2. Gather all the data that is not encrypted, like personal photos, messages, and location data.
3. Grab data right before encryption, avoiding security barriers.
4. Obtain complete access to a cellphone, including intercepting calls and reading all messages.
5. Utilize the microphone to listen in on conversations around you and take photos with the phone camera.
6. Access all the login details required for bank accounts, emails, and other important websites.
7. Control and track battery usage so that the target is unaware that they are being spied on.

In effect, once Pegasus infects a device, everything is no longer private. The victim’s entire digital life, and a great deal of their actual life, is accessible to whoever operates the spyware.

NSO Group’s Defense: Preventing Terrorism or Facilitating Spying?

NSO Group has always maintained that their products are employed in combating terrorism and serious crime. The company asserts that their technology is “licensed only to government intelligence and law-enforcement agencies” to prevent and investigate serious threats. They contend that they have a rigorous checking procedure that goes “well beyond legal requirements” and that all prospective clients are required to meet rigorous export-authority controls.

“We regard any other application of our products than for the prevention of serious crime and terrorism as an abuse, which is prohibited under contract. We take measures if we notice any abuse,” the company says. “This technology is based on the defense of human rights, including the right to life, security, and integrity of the body.”

But these allegations are difficult to reconcile with the consistent accounts of journalists, activists, and political dissidents being targeted, as chronicled by groups such as Citizen Lab. The UN special rapporteur on freedom of expression, David Kaye, has called for a moratorium on the sale of spyware pending strong international controls. He believes that “it is time for a genuine campaign to end unaccountable surveillance.”

The Israeli government, when questioned for a response, defended NSO Group but provided a generic response. They stated: “Israel does not comment on individual export-control licenses. The Israeli export-control regime has a robust licensing system that meets international export-control standards and regulations.”

India’s Spy Network: Legal but Alarming

India already has a precedent of online surveillance. The Telegraph Act of 1885 and the Indian IT Act of 2000 legally authorize intelligence agencies to intercept information for several purposes, including “public safety,” “public emergency,” and “the interest of the sovereignty and/or integrity of India.” The new Data Protection Bill also grants the government considerable powers in Chapter VIII, with Section 35 granting the “central government to exempt any government agency from complying with the act” on grounds of sovereignty and national integrity.

These broad powers of the law are raising extremely serious questions about oversight and abuse. Where surveillance tools as powerful as Pegasus are involved, the line between legitimate national security interests and infringement on civil liberties becomes dangerously thin.

Surveillance experts across the globe have seen a clear contradiction in what the Indian government has been claiming. Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Centre for Internet and Society, thinks it is “very strange that the Indian government is accusing WhatsApp of user-privacy violations when WhatsApp promptly remediated the vulnerability claimed to have been exploited by NSO and informed affected users.”

“The position of the Indian government is bizarre in that it is accused of being among the clients of NSO and spying on its own citizens but will not directly refute that accusation,” Pfefferkon said. “It is also bizarre that the government is accusing WhatsApp of privacy infringements while MeitY (Ministry of Electronics and Information Technology) is drafting regulations that would compel WhatsApp to compromise its own security and privacy measures to assist Indian authorities in investigating its activities.”

This glaring contradiction highlights a disturbing trend. As Pfefferkorn stated: “In general, it appears that the Indian government is attempting to compel WhatsApp to provide less privacy to Indians. Until it can coerce WhatsApp into doing so, it may be employing NSO or other ‘hackers for hire’ in order to circumvent WhatsApp’s protections and spy on its citizens. So, it appears highly hypocritical of the government to fault WhatsApp. The government is attempting to divert people and finger-point, hoping Indians won’t notice who is actually to blame for privacy intrusions.”

A Thriving Enterprise: The Business of Observing People

The Pegasus case has highlighted the rise of a disturbing industry—small cyber-intelligence companies creating and selling advanced spyware. Israel is now a leading player in the industry, a close second only to the United States in dollars invested in cybersecurity companies. Companies that create spyware are now banding together to challenge big players like NSO Group and Verint Systems. A partnership called “Intellexa” has just been established by a group of surveillance startups like Nexa Technologies (formerly Amesys), WiSpear, and Cytrox, stating that they will “be a one-stop shop for all of our customers’ field intelligence collection needs.”

The marketing of intrusive surveillance technology raises grave ethical issues. If profit is the primary motivation for developing and selling technology that intrusively penetrates privacy, what can actually constitute adequate precaution? It has been observed by experts that while these products are claiming to be developed to combat terrorism, firms selling spyware are ready to sell it to almost anyone. Some surveillance software is available over the Internet for as little as $20 to spy on a spouse, track business competitors, or appease excessively paranoid employers.

The Questions That Need Answers

Following the US court decision against NSO Group, Congress leader Randeep Surjewala raised some pertinent questions which are yet to be answered:

1. Who are the targeted individuals?
2. Who are the two Union Ministers?
3. Who are the three Opposition leaders?
4. Who is the Constitutional Authority?
5. Who are the journalists?
6. Who are the business individuals?”

He also inquired, “What data was gathered by the BJP government and the agencies? Was it misused and what happened as a result of it?”; “Will criminal charges be properly filed now against political leaders/officers of the present government and the NSO owning company?”

Surjewala also asked if the Supreme Court of India would pay heed to the ruling of the US court and if it would release the report of the technical expert committee on the Pegasus case, which was submitted in 2021-22. He also asked if Meta (the group behind WhatsApp) should now reveal the names of the 100s of Indian targets.

These are at the core of how democracy works. If a government is using powerful spyware on its people—especially people who might disagree with its policies—it destroys the trust that democracy needs. Targeting journalists, activists, and opposition politicians would be deeply alarming, as these are the groups most crucial to keeping democracy in line.

Can We Call This A Landmark Decision Of Tremendous Significance?

The recent court decision against NSO Group is a major victory against unaccountable surveillance. NSO’s efforts to assert “conduct-based immunity” were rejected by the court, which held that the company’s involvement in offering technical assistance to the spyware did not qualify it for immunity. This comes after a series of previous legal defeats for NSO, including a 2021 US 9th Circuit Court of Appeals decision denying the company immunity under the US Foreign Sovereign Immunities Act, and the US Supreme Court’s dismissal of NSO’s appeal in 2023.

John Scott-Railton, a senior researcher at Citizen Lab, called the ruling a “landmark decision” with broad implications for the spyware industry. “The entire industry has taken cover behind the argument that whatever their clients do with their hacking tools, it’s not their fault,” he said. “The decision makes it clear that NSO Group is indeed responsible for breaking many laws.”

This decision can have profound ramifications for the larger surveillance tech industry. By making NSO Group responsible for the use of its products, the court has set a precedent that can be applied to other companies that develop and sell such tools. The verdict is out that developing and selling technology used for illegal surveillance can land you in legal trouble, no matter who uses it or for what ends.

WhatsApp’s Success and the Way Ahead

WhatsApp won a court case against NSO Group, a huge step towards putting an end to rogue spying. By standing up for its users against a company that had spied on them, WhatsApp shows that tech companies can and will do something to defend user privacy. A WhatsApp spokesperson said, “We’re proud to have stood up to NSO and thankful to the many organizations that were supportive of this case. WhatsApp will never stop working to protect people’s private communication.”

This is a significant victory, but only one battle in a larger war. The diffusion of sophisticated surveillance technology continues to expand, and without robust international norms and effective local regulation, the risk of abuse is enormous. As India and other democracies struggle with the difficult questions of cyber attack, they must strive to find a balance between legitimate security needs and safeguarding individuals’ freedom and right to privacy.

What Is The Most Important Underlying Question?

The Pegasus scandal leads us finally to the question of whether spyware technology should be employed by the state against citizens of the state, even if the law allows it technically. It is more a matter of profound ethical concern than of law, one that gets to the very heart of what sort of society we want to construct in the internet age.

In a democracy, citizens ought to be able to speak, congregate, and express themselves freely without the risk of being surveilled. Journalists ought to be able to investigate matters and report news without fear of placing their sources at risk. Government critics ought to be able to criticize the government without fear of their private messages being used as evidence to incriminate them. When freedoms are infringed, democracy is undermined.

India’s and the world’s engaged civil society need to take these issues at the earliest. Spyware technologies are now a reality, but their manufacture, sale, and deployment must be in the hands of democracy. Transparency, accountability, and respect for privacy must be the prime concern of any approach to digital surveillance in a democracy.

As we await comments from the Indian government about its role in the Pegasus case, we must remember that quiet may be persuasive. The absence of precise answers on whether the government acquired and utilized Pegasus spyware on Indian residents raises major concerns about its commitment to openness and democratic values. 

In the digital age, privacy is not just a nice amenity but a basic right that must be aggressively protected from encroachment, by private entities or by the government itself.

The Pegasus saga continues, but this much is certain: the fight for digital privacy and against mass surveillance is a pressing issue now. As citizens of a democracy, we not just have the right but also the responsibility to question our leaders. The question is: will we ever receive those answers?