A Scanner Darkly
A Scanner Darkly is a Sunday Read opinion column by Sunil Abraham published in Mumbai Mirror on 3 November 2019. The article analyses the Pegasus spyware revelations and uses them to examine the deeper structural problems around legal hacking, surveillance technologies, encryption, and the absence of strong privacy and oversight frameworks in India.
Article Details
- 📰 Published in: Mumbai Mirror
- 📅 Date: 3 November 2019
- 👤 Author: Sunil Abraham
- 📄 Type: Opinion Article (Sunday Read)
Full Text
Synopsis
Implementation of strong anti-surveillance laws is the only solution to spyware like Pegasus being exploited by authoritarian entities to snoop on citizens.
There's nothing mythical about this spyware. When an Indian Express report, earlier this week, reported that software called Pegasus (named after the flying horse from Greek mythology) was being used to hijack the phones of lawyers, journalists and activists through WhatsApp, and possibly snoop on them, people reacted with hysteria-level fear.
The truth is that encryption — the process of protecting data using code that prevents unauthorised access — is based on open standards, or mass consensus, and applications such as end-to-end encrypted messaging, encrypted email and such have become the foundation for individual human rights, corporate confidentiality and national technological sovereignty. This is why some enlightened policy makers have given up on their demand for 'backdoor' encryption standards when it comes to proprietary software. Such backdoors signal systemic vulnerabilities that undermine security for all users of that software, and could result in disastrous consequences.
Legal hacking, as exemplified by the Pegasus episode, is one such option. Legal hacking does not require laws that mandate backdoors in software products. Instead, it depends on the availability of 'zero-day vulnerabilities' — those that are yet to be discovered or fixed by the software vendor.
Companies like NSO, the Israeli group that allegedly created Pegasus, build spyware that exploit these vulnerabilities. These companies then sell or provide these tools to various governments as a service.
The danger is, of course, when authoritarian governments become clients or when democratic governments use these tools to conduct illegal surveillance.
Multiple layers of legal safeguards are now required to ensure the protection of human rights in the context of this sort of legal hacking. Indeed, the jurisdiction where NSO is based, should have export control laws that prevent the sale of tools like Pegasus, to governments or entities who may appropriate them for illegal purposes. And jurisdictions importing the tool should have laws prescribing specific circumstances where legal hacking is (ideally) in compliance with 'necessary and proportionate' principles.
While legal hacking is not as dangerous as the introduction of system vulnerabilities, this area turns into an ethical minefield when it comes to cybersecurity policy. By procuring such tools, governments are fuelling the black market for zero days: where vulnerabilities that can be exploited are deliberately introduced or left undetected, as the case may be. Because as long as the vulnerabilities remain unpatched, they can be exploited for both good and bad. So any such legal hacking programme must also clarify when such zero days will be disclosed to the software vendor, to affected users and to the public at large. This is the hallmark of a good surveillance regime. Ideally, those who have been subjected to unnecessary surveillance should be personally informed after the surveillance has been concluded, especially if there has been no evidence of criminal activity.
The trouble, in the Indian context, is that there is no law to regulate either legal hacking or surveillance activities (apart from some rudimentary provisions in the IT and Telecom Act), and there is no comprehensive data protection law either. This could easily be fixed if the government prioritises these areas for law making in the near future.
Unfortunately, most politicians across the world only support privacy as a human right when they are sitting in the Opposition. The day they assume office they, unsurprisingly, fall in love with the power of surveillance technologies.
The urgency to create surveillance laws is compounded by the growing sophistication of spyware. Pegasus documentation from August 2016 (when we first heard of it), reveals its impressive capabilities; so it's safe to assume that the latest version would be even scarier. Among other things, it features an Over The Air (OTA) remote installation, which does not require any cooperation from the target, such as clicking on a hyperlink or reading an infected message.
This installation happens without the user having even viewed or opened a message, and there is a self-destruct option that erases all evidence of snooping that may be left behind. The spyware can also be loaded by setting up a fake 'base station' or attaching a data cable. Once the device — in this case, a mobile phone, since the spyware selected WhatsApp as its 'host' — is compromised, all the data on it is sent to the NSO command and control centre in real time. That means the phone can now be monitored by the command and control centre in real time as well. There is even a 'hidden and encrypted buffer' system — in case the phone is put on airplane mode — which takes up only five per cent of free space, and therefore may easily go undetected. Only the latest information which provides maximum intelligence, and information that can be compressed, like texts, is stored if the phone goes offline for long periods of time.
Pegasus can also be used to turn on the phone's microphone to engage in 'environmental sound recording'. This is done by 'silent calling' the phone when it is in idle mode, when the device is not in active use, and the screen is turned off. This call is aborted as soon as the target answers the phone — but this is enough for Pegasus to infiltrate it.
For me the most worrying component of Pegasus was the lessons it had learnt from its opponents. Onion ring routing, where messages are hidden by layers of encryption (just like the layers of an onion) is usually implemented by free software applications like TOR that are used by human rights defenders to avoid surveillance and circumvent censorship.
In a similar fashion, NSO offers a customised Pegasus Anonymising Transmission Network (PATN), with anonymising servers located across the world. This, then, enables governments to have plausible deniability when researchers — such as those at Citizen Lab in the University of Toronto — start digging into illegal surveillance of civil society and make discoveries like Pegasus public.
Solutions such as a large-scale shift to open source alternatives like Signal will only work in the short run, since these are likely to then become the target of companies like NSO. So free software is part of the solution — but not the whole solution. WhatsApp should fully acknowledge its technical debt to open standards and free software, and should increase its support of free software projects like Signal and contribute to the hardening of standards at the global regulatory body, the Internet Engineering Task Force. While governments have a difficult dance to dance with their legal hacking programmes, they, too, must press for free software and open standards to ensure a secure future for us all.
Context and Background
This column was written in the immediate aftermath of reports revealing the use of Pegasus spyware to target lawyers, journalists and activists, bringing global attention to the mechanics and consequences of so-called legal hacking. Rather than treating Pegasus as an isolated scandal, the article situates it within a broader technological and policy ecosystem that includes zero-day vulnerabilities, export controls, encryption standards and surveillance law.
Abraham explains how legal hacking differs from traditional demands for encryption backdoors, relying instead on undisclosed software flaws that are exploited without user awareness or consent. While such techniques are often justified as narrowly targeted and lawful, the article highlights how they create powerful incentives to keep systems insecure, thereby exposing ordinary users, businesses and civil society to long-term risks.
The piece also underscores the absence of a comprehensive legal framework in India governing surveillance, legal hacking and post-facto accountability. In contrast to jurisdictions that attempt to impose proportionality, disclosure obligations and oversight, India relies largely on fragmented provisions in the IT and telecom laws, with no clear requirements for transparency or remedy.
By detailing the technical sophistication of Pegasus and its ability to evade detection, the article argues that technological fixes alone — such as shifting platforms or applications — are insufficient. Instead, it calls for strong anti-surveillance laws, robust export controls, and sustained support for open standards and free software as the only durable safeguards against abuse.
This page was created on 21 December 2025.