GS 3: Role of external state and non-state actors in creating challenges to internal security.
In news: The WhatsApp Pegasus spyware controversy has raised the issue of user privacy on smartphones once again. The Pegasus scandal showed how the government agencies, law enforcement could use this sophisticated and expensive software to track and spy on their intended targets. And while there’s not enough evidence to show Pegasus was used for mass surveillance, given it has an exorbitant cost, the easy availability of other kinds of spyware such as ‘stalkerware’ means the privacy risks continue.
The Whatsapp Pegasus spyware controversy
On 29 October, WhatsApp revealed that it was suing Israel-based NSO Group for developing the Pegasus spyware that was used to target 1,400 civil rights activists, lawyers, and journalists across the world, including several in India. While WhatsApp is being singled out here, the fact remains that WhatsApp was one of several services used to help spread Pegasus.
WhatsApp also claims that it informed the Indian authorities about the vulnerability in May 2019, however, a government official recently said that India's Computer Emergency Response Team (CERT-IN) could not fathom the magnitude of the situation due to the advisory being full of 'technical jargon'.
What is Pegasus?
Pegasus is a spyware that can be installed on devices running certain versions of iOS, Apple's mobile operating system, developed by the Israeli cyberarms firm, NSO Group. Discovered in August 2016 after a failed attempt at installing it on an iPhone belonging to a human rights activist, an investigation revealed details about the spyware, its abilities, and the security vulnerabilities it exploited. Pegasus is capable of reading text messages, tracking calls, collecting passwords, tracing the location of the phone, accessing the target device's microphone(s) and video camera(s) and gathering information from apps.
Apple released version 9.3.5 of its iOS software to fix the vulnerabilities. News of the spyware garnered significant media attention. It was called the "most sophisticated" smartphone attack ever, and became the first time in iPhone history when a remote jailbreak exploit had been detected. The company that created the spyware, NSO Group, stated that they provide "authorized governments with technology that helps them combat terror and crime".
What is a spyware exactly?
Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data and sensitive information. Spyware is classified as a type of malware — malicious software designed to gain access to or damage your computer, often without your knowledge. Spyware gathers your personal information and relays it to advertisers, data firms, or external users.
Spyware is used for many purposes. Usually it aims to track and sell your internet usage data, capture your credit card or bank account information, or steal your personal identity. How? Spyware monitors your internet activity, tracking your login and password information, and spying on your sensitive information. Some types of spyware can install additional software and change the settings on your device, so it’s important to use secure passwords and keep your devices updated.
The chosen tool for open surveillance
Once on your phone, Pegasus has access to data that’s already on your phone, including photos, videos, text messages, email apps, browsing history, contact list, location, files, other messaging apps (like Viber, Skype, Messenger) etc. It can also listen to you and sounds around you through the phone’s microphones, record incoming and outgoing calls, capture screenshots and use the phone’s camera to take photos.
Further, Pegasus doesn’t transmit data when a smartphone is on roaming unless it’s on WiFi. This is of course done to hide its tracks, since users might notice high data usage bills while roaming. Instead, the spyware collects and stores data on your phone in an encrypted buffer, waiting to transmit it once you’re out of roaming. It does the same when the phone doesn’t have an active Internet connection or is at under 5% battery.
NSO has created an “intuitive" front-end for users of Pegasus to parse through the data they gather. This allows operators of the programme to easily sift through the tonnes of data they might be getting through Pegasus. Interestingly, there’s no real way to avoid a Pegasus attack other than the regular best practices. Security experts have repeatedly advised against downloading suspicious files, clicking on unknown links etc. and those remain the best way to fight this malware.
Some of the famous surveillance programs:
RCSAndroid: An Android surveillance tool designed by Milan-based company, Hacking Team. It is a data collection tool sold to law enforcement and government agencies. It was disguised as a news app on the Play Store and somehow escaped Google’s security scans.
DROPOUTJEEP: A program which was revealed to have been the go to tool for the US’ National Security Agency (NSA), allowing it to compromise Apple’s iPhones. It could access files on the device, read SMS texts, voicemail messages and more.
XKeyscore: The NSA, in its training material, called this its “widest reaching" system for gathering intelligence off the Internet. XKeyscore was amongst the programs revealed by whistleblower Edward Snowden.
Livestrong: An exploit used by the US Central Intelligence Agency (CIA) to compromise devices running on Android 4.4 KitKat, revealed by WikiLeaks as part of the famous Vault7 data dump.
Previous Year Questions: