Mumbai, India – Several activists and lawyers, who were targeted with surveillance in India, have accused the government of spying on them.
On Thursday, WhatsApp said Indian journalists and human rights activists were among the 1,400 users globally whose phones were hacked using the spyware, Pegasus.
The messaging app, owned by social media giant Facebook, has sued NSO Group, an Israeli surveillance company, saying it was behind the sophisticated cyberattacks affecting users in 20 different countries between April and mid-May.
English daily Indian Express reported that nearly two dozen activists, lawyers and academics critical of India’s Hindu nationalist government had been victims of WhatsApp hacking. Most of them were working with the most marginalised communities of Adivasis (tribals) and Dalits.
Nihalsing Rathod, a human rights lawyer based in the western state of Maharashtra, claimed he was being targeted by the government for his involvement in the Bhima Koregaon case, in which nine activists were arrested for alleged links with the banned Communist Party of India (Maoist).
Opposition and human rights groups have condemned the arrests, saying the government wanted to silence critics.
Rathod is representing advocate and activist Surendra Gadling, who has been in prison since June 2018.
He claimed to have been receiving video calls from anonymous numbers since 2017.
According to the findings by Citizen Lab, a research group at the University of Toronto investigating the snoopgate scandal for WhatsApp, shadowy agents can infect a user’s device either by sending a clickable link, or by just calling the phone.
“In early 2019, the calls became a daily affair. I complained to WhatsApp in March 2019 but nothing came of it,” Rathod told Al Jazeera.
Rathod received a message from WhatsApp on October 29, confirming that his phone number had been impacted.
John Scott-Railton, senior researcher at Citizen Lab, told Rathod that an earlier modus operandi of Pegasus involved sending emails with clickable attachments.
Rathod, who used to work with Gadling, alleged the activists may have been framed in this manner.
The police had claimed to recover letters, in the form of emails, from the computers of one of the arrested activists, which allegedly contained references to banned organisations and an assassination attempt on Prime Minister Narendra Modi.
Lawyers have questioned the veracity of the unsigned letters, on the basis of which the arrests were made in June 2018 and August 2018.
“I remember Gadling receiving emails with suspicious attachments. When you clicked on it nothing would happen. I believe it was a way to plant letters and so-called evidence to frame Gadling and others,” Rathod said.
Civil society groups have condemned the arrest of the activists and their continued incarceration. The case has witnessed endless delays during bail proceedings, while a copy of the evidence has still not been made available to the accused as per the law.
Of the 20 people who confirmed that they had been contacted by WhatsApp regarding a breach, 13 of them knew at least one of the arrested activists in the Bhima Koregaon case.
Shalini Gera, a member of the Jagdalpur Legal Aid group, was contacted by Citizen Lab in the first week of October. Gera is part of the legal team representing Sudha Bharadwaj, a trade union leader accused in the Bhima Koregaon case.
“As human rights lawyers in Chhattisgarh, we know we’re being watched. But in my case, the state had no reason to as I was not involved in any cases in the past few years. Except for Sudha Bharadwaj’s,” she told Al Jazeera from Chhattisgarh state.
Gera recalled getting video calls on WhatsApp from an unknown number from Sweden, around April 2019. “I never picked up those calls, but Scott-Railton told me I didn’t need to answer the call for the breach to work,” she added.
In Mumbai, Vivek Sundara was contacted by Citizen Lab but the environmental and civil rights activist claimed he deleted the messages suspecting them to be spam. “It was only when Gera, who’s a friend, told me about this list that I put it all together,” said Sundara.
Jagdish Meshram, a lawyer from the Dalit community who worked with Gadling, and one of those contacted by WhatsApp, also reported getting video calls from anonymous numbers between March and April 2019. “When I answered the calls, they would get disconnected,” Meshram told Al Jazeera.
Anand Teltumbde, a writer, and management professor at the Goa Institute of Management is one of the accused in the Bhima Koregaon case.
Six hundred scholars from universities worldwide had signed a statement condemning the “witch-hunt” against Teltumbde. He was granted protection from arrest by the Bombay High Court in February 2018.
Since Modi came to power in 2014, he has banned hundreds of non-government organisations and stopped funding worth millions of dollars.
Teltumbde told Al Jazeera that his phone had been “acting up” for quite some time but he never had the time to investigate it.
“Citizen Lab contacted me two weeks back alerting me about this sophisticated software that could hack my phone without me even acknowledging it in any way,” Teltumbde said.
“The moral of the story is that anyone can be targeted, even you or your neighbour.”
Writer and human rights lawyer Bela Bhatia based in Chhattisgarh’s Bastar district also received the malicious video calls but never answered them.
“I was told by Citizen Lab that the malware turns your phone into a pocket spy. It activates the phone’s camera and microphone to start spying on the environment you are in,” she said.
Sophisticated mobile malware
The victims did not know about the surveillance until an independent research group notified them weeks back.
Pegasus has been described as one of the most sophisticated mobile malware ever made. The spyware allows hackers to take control of a phone by simply ringing the number of a target’s device.
Once installed, it sends back the targeted user’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular apps.
This is not the first time Pegasus has been in the news for being used as a tool by governments to snoop on dissidents and activists.
In 2016, Citizen Lab had unearthed an attempt by the United Arab Emirates (UAE) government to infect the phone of human rights activist Ahmed Mansoor through Pegasus.
In 2018, two activist friends of the Saudi journalist and Washington Post columnist Jamal Khashoggi had their devices infected by the Pegasus spyware.
According to an investigation by Forbes, Saudi officials were able to ferret out crucial information from the activists that would lead to the assassination of Khashoggi in the Saudi consulate in Istanbul.
As the lawsuit by WhatsApp claims, the latest tranche of Pegasus data has targeted at least 100 human rights defenders, journalists and civil society members across the world.
India demanded answers from WhatsApp, which has some 400 million active users.
In a statement on Twitter, Union Minister for Information Technology Ravi Shankar Prasad sought an explanation from WhatsApp over the breach.
“We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” he tweeted.
The Bharatiya Janata Party (BJP) spokeswoman Shaina NC told Al Jazeera that the government’s only interest was to ensure that there are no “terror” attacks or anti-national sentiments.
“Those are the limits to which the investigative agencies would choose to intrude. Otherwise, the clarification should really come from WhatsApp, as to how they allowed this breach to take place,” she said, adding that Prasad would make an official statement soon.
The Israeli firm has rejected the allegations saying that its software is used by governments for “fighting crime and terror”.
Prasad also maintained that government agencies have a “well-established protocol for interception … for clear stated reasons in national interest.”
Raman Jit Singh Chima, a senior international counsel at Access Now, an organisation defending the digital rights of global users, said “hacking of devices in India is a criminal offence, with no exceptions”.
Chima said that the government’s own expert committee on data protection had labelled the surveillance mechanisms followed by government agencies in India as likely being unconstitutional.
“Particularly after the Supreme Court ruling on privacy, India must reform its privacy law framework, and commit to including these measures in any privacy and data protection bill it brings to parliament,” he said.
Phone calls, messages and emails to officials and ministers at the Ministry of Home Affairs, the Ministry of Electronics and Information and Technology went unanswered. The story will be updated following their response.