When technology of espionage outstrips law's ability to protect citizens

Most surveillance firms operate out of the public eye, and given the sensitive nature of the technology they provide, it is extremely difficult to ascertain who their customers are

In 2019, when Facebook-owned WhatsApp sued Israel-based NSO Group Technologies for a global breach that impacted 121 Indians, among others, the focus was squarely on the messaging service. Two years later, fresh revelations have shown that the extent of snooping on people was more extensive than estimated.
 
Recent investigations into phones that might have been compromised by governments using NSO Group’s Pegasus spyware technology suggest present and former heads of states of many countries, including Egypt, Belgium, France, Iraq, Lebanon, Kazakhstan, Pakistan, Uganda, Yemen, South Africa, and Morocco, might have been on the list. In India, the names include political figures, journalists, ministers, and others.

 
The larger issue in these revelations is the use of surveillance technology, and the idea of surveillance itself. There is a legal framework in India which allows surveillance under the Indian Telegraph Act, Indian Telegraph Rules, and the Information Technology Act. However, experts have long argued that the present laws do not adequately cover the newer ways of spying on people, whether for reasons of national security or otherwise.
 

“Tools made by surveillance technology companies are currently being deployed in India without adequate safeguards to protect privacy. The use of such invasive technologies should not precede the implementation of a rights-compliant framework. We need legislative reform to ensure greater transparency and accountability, from the private as well as public sector. In a democracy, surveillance cannot take place without prior judicial authorisation, post-fact audits and reviews, and judicial remedy,” said Namrata Maheshwari, Encryption Policy Fellow, Access Now.

 
With Pegasus putting the focus on surveillance technology again, Business Standard looks at other similar firms that provide surveillance technology.
 
Most of them operate out of the public eye, and given the sensitive nature of the technology they provide, it is extremely difficult to ascertain who their customers are.
 
Cellebrite
 
The Israel-based company describes itself as "partnering public and private organisations to transform how it manages digital intelligence in investigations to protect and save lives, accelerate justice, and ensure data privacy".
 
Last year, MediaNama reported the Delhi Police was using one of its products called UFED or Universal Forensic Extraction Device, which helps "lawfully access locked devices with ease, bypass pattern, password or PIN locks and overcome encryption challenges quickly on popular Android and iOS devices".

 
It said in April it has agreed to go public in the US through a merger with a blank-check firm.
 
Cellebrite, in response to a Business Standard query about its clients, said it has developed a “strong compliance framework, and its sales decisions are guided by internal parameters, which consider a potential customer’s human rights record and anti-corruption policies”.
 
It further said it has developed strict controls, ensuring its technology is used appropriately in legally sanctioned investigations.
 
Cellebrite’s digital intelligence solutions make a powerful platform, and making sure it is used appropriately is of paramount importance, it added.

 
“We sell our technology only to companies, bodies, and agencies that abide by the terms that govern its proper use as outlined in our end-user licensing agreement. Customers that do not comply with these terms no longer receive active product support or have their licences renewed,” it said.
 
Cellebrite does not sell to countries sanctioned by the US, the European Union, the UK or Israeli governments.
 
Paragon Solutions
 
Founded by a former commander of Israel’s National Security Agency equivalent, Unit 8200, Paragon Solutions is a stealth mode start-up, which claims to be able to hack WhatsApp and Signal, Forbes reported last month.

 
Its senior executives are ex-intelligence officers and a former Israeli prime minister is also on the board of the firm. In the same piece, Forbes reported that Paragon’s technology will also give longer lasting access to a device, even if it is rebooted, something that “fixes” devices that may have been targeted using surveillance software.
 
Shoghi Communications
 
Closer home, this Himachal Pradesh-based firm, based in a town of the same name, provides “defence technology and pre-emptive counterintelligence strategies” to its customers. This includes remote device data extraction, target profiling, targeted darkweb intelligence, and electronic warfare, such as signal jammers and anti-drone systems.

 
The firm on its website says it only provides to governments and the Ministry of Defence and not to individuals or for private and commercial use.
 
Cleartrail Technologies
 
This Noida-based firm says on its website it is “envisioning the future of lawful interception, monitoring, and analytics”.
 
In documents published by Privacy International, it was said ClearTrail provides a Trojan software called Astra that can infect a target’s device and gather information from it, as well as capture webcams and microphones.
 
While governments across the world defend the need for surveillance for maintaining national security, the recent revelations around Pegasus have shown that surveillance technology has been used to target political opponents, journalists, and civil society activists and others. 

 
The Indian government and its agencies also procure such technology. But given the secretive nature of the industry, it may never be possible to find the actual extent of the use of these deployments.