Pegasus Row: Amnesty Says List Of 50,000 Numbers Not Directly Related To NSO, Only Shows "Interests" Of NSO Customers

The list of 50,000 names whose mobile phone devices were allegedly targeted by the spyware Pegasus is raking up a storm across the world. On the list were 15,000 numbers in Mexico and 300 in India.

The numbers in the list are linked to 10 prime ministers, three presidents and a king, including France’s Emmanuel Macron and Pakistan’s Imran Khan.

The list also includes election strategist Prashant Kishor, murdered Saudi journalist Jamal Khashoggi’s fiancee Hatice Cengiz, Rwandan dissidents, besides journalists and activists in India and elsewhere. Former staffer of Tedros Adhanom Ghebreyesus, Director-General, World Health Organization, and Pavel Durov, the Russian tech billionaire who founded the Telegram messaging app, are also on the list.

Pegasus is a highly-advanced spyware that can gain access to someone’s mobile phone, just with a missed call. After installing itself stealthily, Pegasus begins to contact control servers which allow it to send commands to gather data from the infected device.

Pegasus, therefore, can allegedly steal passwords, contacts, text messages, calendar info, as well as voice and video calls made through WhatsApp and even track live location.

Pegasus is developed by the Israeli cyberarms firm NSO Group. The firm claims that it only sells the software to government agencies to fight terrorism and other serious crimes.

The list was revealed as part of the "Pegasus Project" under which Amnesty International’s Security Lab provided forensic analyses and technical support, while a media consortium conducted the investigation.

Amnesty International and Forbidden Stories, a Paris-based non-profit organisation, got access to the leaked database and shared it with 17 media publications, including The Wire, The Guardian and The Washington Post.

NSO Group issued a statement on Tuesday evening, saying “at least three names” identified by the media reports — President Macron, King Mohammed VI and the WHO director Tedros — “are not, and never have been, targets or selected as targets of NSO Group customers”.

It further said that it will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.

Now, Amnesty International has reportedly said that it "never presented this list as 'NSO's Pegasus Spyware List'" but only a "list of numbers marked as numbers of interest to NSO customers" (the customers being different regimes around the world).

The organisation further said, "this is a list indicative of the interests of the company's clients, who have expressed interest in monitoring journalists and human rights activists, political rivals, lawyers and so on, not only other than suspected pedophilia, other serious crime and terrorism".

While the list has been circulated around the media as of those whose phones were hacked by NSO software, the Amnesty has now clarified that it only reflects "interests" regarding who will get spied on.

Venu Gopal Narayanan, who writes for Swarajya, says:

The Wire used the phrase "potential targets of surveillance" in the opening sentence of their lead piece on the Pegasus affair. This is how a caveat becomes a noose. The rest of the article, filled with wishy-washy ifs and buts, only weakened their case further. One sampler: "The presence of a phone number in the data does alone not reveal whether a device was infected with Pegasus or subject to an attempted hack."

What does that even mean? If the list will not be released for independent technical scrutiny, if its provenance cannot be verified, if the phones allegedly tapped during 2018-19 aren’t available for professional examination, and if the presence of phone numbers on that list, by The Wire’s own admission, don’t amount to snooping, then what allegation is there to make?

Foreign and strategic affairs editor Aarti Tikoo wrote on Twitter, "So all this ruckus by the completely discredited Western big media over nothing. Too bad, for all the power brokers. But have to give it to the self-aggrandising elitist media and their Indian partners, for creating a story out of thin air. They’ve got talent."

Amnesty had previously released a report of "in-depth forensic analysis" of numerous mobile devices from activists and journalists around the world.

"These mobile devices have physically reached Amnesty Laboratories analysts in Corona and their owners are apparently under surveillance and therefore communication with them is limited, and have found specific evidence and proof identified with Pegasus spyware - which is supposed to leave almost no evidence," it said.

"That is, the very fact that these numbers were identified and the instruments associated with them were tested - this happened against all odds. Amnesty and its research partners also published a detailed methodological report describing exactly how the analysis was done," it added.

However, the number of the devices analysed is 37 (out of the 50,000 names in the list). Amnesty's forensic evidence demonstrates that 37 devices suffered "attempted and successful" hacks. The report anonymised the names of the purported targets for "safety and security reasons".

In his speech to Parliament, Union minister Ashwini Vaishnaw categorically denied the allegations of snooping. He said that India has an established protocol when it comes to surveillance.

"The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act,1885 and section 69 of the Information Technology Act, 2000.

"Each case of interception or monitoring is approved by the competent authority. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, monitoring and Decryption of Information) Rules, 2009.

"There is an established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of state governments, such cases are reviewed by a committee headed by the Chief Secretary concerned. The law also provides an adjudication process for those adversely affected by any incident.

"The procedure therefore ensures that any interception or monitoring of any information is done as per due process of law. The framework and institutions have withstood the test of time."

The minister also said that it was evident that NSO has also clearly rubbished the snooping claims in the report.

NSO had issued a denial on Sunday that called the report by Forbidden Stories "full of wrong assumptions and uncorroborated theories," and threatened a defamation lawsuit. "We firmly deny the false allegations made in their report," NSO said.

Vaishnaw told the house:

"NSO Group believes that claims [of snooping]... are based on misleading interpretation of leaked data from basic information, such as HLR Lookup services, which have no bearing on the list of the customers’ targets of Pegasus or any other NSO products.

"Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies as well as by private companies worldwide. It is also beyond dispute that the data has nothing to do with surveillance or with NSO, so there can be no factual basis to suggest that a use of the data somehow equates to surveillance.

"NSO has also said that the list of countries shown using Pegasus is incorrect and many countries mentioned are not even our clients. It also said that most of its clients are western countries."