×
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT

Threat alert: 'State-sponsored attacks' reignite concerns

Mired in contradictions and confidentiality, the objectivity and accuracy of the investigation into Apple’s recent threat notifications is uncertain.
Last Updated : 11 November 2023, 18:09 IST

Follow Us :

Comments

The first round of threat notifications issued by Apple in November 2021 was delivered to Thai activists and researchers who were known to be critical of Thailand’s government. In December 2021, Apple notified 11 employees of the US Embassy in Uganda about their phones having been targeted by state-sponsored attackers. Since the threat notifications feature was first launched two years ago, Apple has notified individuals in over 150 countries about possible targeting of their phones by state-sponsored attackers.

A sealed-cover report

In March 2023, the  Financial Times reported that the Indian government was looking to acquire spyware from “less exposed competitors” of the NSO Group, the Israeli company responsible for developing and marketing the Pegasus spyware. The NSO Group has been subject to considerable scrutiny in India and abroad, after a series of damning articles were published as part of the Pegasus Project, describing the company’s role in creating and selling spyware. 

In October 2021, the Supreme Court of India ordered a “thorough inquiry” into the Indian government’s alleged use of the Pegasus spyware. The apex court appointed an expert committee tasked with conducting forensic analysis of the phones of the individuals who were suspected to have been targeted with Pegasus. The committee submitted its final report before the SC in August 2022. 

There are many parts of the sealed-cover report which have still not been made public, though it was reported that out of the 29 devices analysed, five were found to have been infected with spyware, though the committee was not able to conclude whether the spyware in question was Pegasus. It is worth noting that both the committee as well as the court had made it a point to observe on record that the Indian government chose not to cooperate with the committee throughout the course of the investigation.

Government response 

Apple has not explicitly stated that it believes the Indian government to be behind the spyware attacks. As a matter of practice, the tech giant chooses not to attribute attacks related to a set of threat notifications as having originated from a particular country. Apple also chooses to not disclose any of the technical information it uses to detect attempted compromises of users’ devices. This position is justified: According to Apple, revealing information about what causes them to issue threat notifications could “help state-sponsored attackers adapt their behaviour to evade detection in the future.” 

However, Apple’s decision to not show all of the cards it holds, was weaponised by IT Minister Ashwini Vaishnaw, who used it to downplay the public outcry surrounding the recent issue. He instead jumped at the opportunity to press Apple with questions. Vaishnaw said that the Apple threat notification “seems vague and non-specific in nature.” 

Ordering an investigation into the matter, Vaishnaw somehow managed to simultaneously profess the seriousness with which this issue was supposedly being taken up by the Indian government, while still downplaying and attacking the veracity of the claims raised by Opposition leaders and journalists, calling it a “distraction”. The minister went as far as to falsely state that Apple itself had “released a clarification [proving] that the allegations by compulsive critics are not true.” Apple never released such a statement. But Vaishnaw issued his statements, all the while reiterating that “the government takes its role of protecting the privacy and security of all citizens very seriously.”

Meanwhile, the Indian government has given the mantle of investigating the spate of suspected spyware infections to CERT-In, a nodal agency under the Ministry of Electronics and Information Technology, which has a mandate for responding to and helping contain computer security incidents in the country. Though Apple — keeping in line with its behaviour in other countries — has not implicated any specific parties, the fact that only those who are known to be critical of the current ruling party have been on the receiving end of Apple’s threat notifications does not instill much confidence in the position taken by the government with regard to protecting the privacy of all citizens.

I will take this opportunity to ask a pressing question: Can CERT-In be trusted to maintain neutrality and operate without bias while investigating an issue where the Indian government may potentially be implicated as a suspect? As the matter stands, the possibility that the Indian government might have used spyware to surveil Opposition party leaders and journalists cannot be ruled out. 

To date, the Indian government has not categorically denied or admitted to having acquired or deployed Pegasus within the country. At the same time, as noted above, the government has previously been characterised by the Supreme Court as not having cooperated with the expert committee tasked with investigating Pegasus.

Individuals who have received Apple’s threat notifications might be better off having their phones forensically examined by independent third parties that have been carefully analysing and publishing evidence documenting commercial spywareFurthermore, it might also be time for the Supreme Court to consider making public the August 2022 report that was submitted in sealed covers to the court by the technical committee investigating Pegasus. This could be a step towards reassuring citizens of data privacy.

Arbitrary deployment of highly invasive surveillance technologies in violation of the constitutionally guaranteed right to privacy should have no place in a democracy. Comprehensive surveillance reforms and judicial oversight are the need of the hour — the targeting of Opposition leaders and journalists in the run-up to next year's general elections should be the final nail in the coffin. 

(Karan Saini is an independent security researcher based in New Delhi, India.)

ADVERTISEMENT
Published 11 November 2023, 18:09 IST

Follow us on :

Follow Us