The telephone numbers of more than 60 women – homemakers, lawyers and school teachers, journalists, scientists, civil servants and even friends of politicians – figure in the leaked database of probable surveillance targets selected by an Indian agency that uses Pegasus spyware, a count by The Wire has established.
The names of some of these women have already been published in earlier stories; the identities of others have been withheld at their request.
While the Pegasus Project’s reporting on the leaked database of 50,000 numbers worldwide – accessed by the French nonprofit Forbidden Stories and Amnesty International and shared with 16 media organisations around the world – has triggered a political and diplomatic firestorm in India, France and elsewhere, little attention has been paid to the impact of spyware on individual privacy, especially of women.
Besides giving access to messages, photos and emails, and listening in to phone calls, a phone infected with Pegasus can also be used by the agency operating the spyware as a remote camera and microphone, recording the most private and intimate moments of a person’s life.
Forensic tests have established that at least 37 phones associated with the numbers in the database showed signs of the Israeli spyware, Pegasus. Ten of these belong to individuals in India, two of whom are women.
‘I carry my phone everywhere’
A few weeks ago, when The Wire first contacted Minal Gadling to inform her that her number had shown up in the list of persons potentially under surveillance using Pegasus, the anxiety she felt was palpable. The 48-year-old homemaker’s immediate concern was the extent to which her privacy – and that of and her young children – could have been compromised. “My phone is an integral part of me. I carry it everywhere, even to my bedroom,” she said.
Her husband, Surendra Gadling, a well-known criminal lawyer in Nagpur, was arrested in June 2018 in the ongoing Elgar Parishad case. Just a few days before the Pegasus Project was launched, Minal was informed by a US-based digital forensics firm, Arsenal Consulting, that her husband’s ;aptop was compromised too. “It is like carpet bombing from all sides. Attempts were made to take over our data and lives from every quarter,” she said.
The leaked database indicated that Gadling’s associate lawyer, Nihalsing Rathod, was marked as a probable target in early 2018. He had gotten married only a few months before that. His wife, Shalini, said that even before she got acquainted with her partner’s work, she was dragged into this “madness”. “The thought that someone could have constantly followed us everywhere unsettles me,” she said.
According to the leaked database, as many as 11 personal and family phone numbers of the former Supreme Court staffer who had accused then Chief Justice of India Ranjan Gogoi of sexual harassment were also selected as persons of interest by an Indian client of the NSO Group, which sells Pegasus. When The Wire had met her in 2019, she had appeared under tremendous mental stress, and the possibility of having been the subject of intrusive surveillance will have only made her fell more vulnerable.
Tribal rights activist Soni Sori, also on the list of potential victims, had said more than her own life, she fears for the many victims and families of those killed extra-judicially or sexually violated by security forces in the Bastar region. “In a conflict zone, where everyone is looked at with suspicion, such surveillance can have a deadly impact. My work involves meeting a lot of victims on the ground; some even end up living with me for months. I can’t even imagine what such surveillance could do to victims of sexual assault,” Sori said.
The perverse nature of Pegasus, which can hear phone conversations, even on messaging apps like WhatsApp or Telegram, but virtually takes control over the phone, has worried almost everyone on the list. But women, more so. Technology, after all, was never meant to be neutral.
Violation of personal space
Most of the women on the list that The Wire interviewed over the past month felt that the manner in which Pegasus was potentially used against them breached their personal space in unacceptable ways. Of them, at least one was a minor when her number was selected for surveillance.
Vrinda Bhandari, a Delhi-based lawyer whose number is not on the list, said this kind of surveillance goes beyond just data violations. “This is actually a bodily violation,” she told The Wire. Bhandari pointed to the 2017 judgment of the nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy vs Union of India, where the court was unanimously of the view that the right to privacy also includes the personal autonomy of mind and body, and is not restricted to only informational privacy.
Bhandari, in a recent interview to Scroll.in, website had pointed out that the surveillance or hacking, as she defines it, done using the Pegasus malware is very different from what is legally permissible under Section 69 of the Information Technology Act. Any interception under law, she noted in the interview, has to happen for a “public emergency” or a “public safety” purpose in the interest of specifically defined purposes recognised in Section 69, such as national security, public order or to prevent the commission of a cognisable offence.
“What potential public safety or emergency reason could there be to target or hack journalists or a sitting judge or the family of the survivor making a sexual harassment complaint? You are compromising their work and creating a chilling effect downstream (whether it is on journalists or their sources, or anyone who may be critical of the government), which is very severe,” Bhandari had asked in her interview.
Many digital rights scholars have highlighted why a gender lens is necessary while setting the discourse around digital surveillance. Stressing this point, Dr Anja Kovacs, in an introduction on her Gendering Surveillance website, writes, “By gendering surveillance, we can really bring home the harms of surveillance. Indeed, surveillance of women is a long-standing practice in our society as elsewhere – and one that women from all castes, classes and religions are too familiar with, even if it affects them differently.”
In recent years, the Narendra Modi-led BJP government has laid a lot of emphasis on the “Digital India” initiative. In India, where 95% of internet consumption happens through mobile phones, dependence on mobile phones has phenomenally increased in recent years.
And when the same gadget is used as a “weapon” against an individual, Mishi Choudhary, technology lawyer and founder of a donor-supported legal services organisation called SFLC.in, said, “you are stuck between a rock and a hard place”. “From dating apps to a monthly period tracker to online banking, everything has slowly made way into our phones. Now imagine if all of this is accessible to the attacker,” Choudhary observed. Surveillance, Choudhary said, is an affront to ones dignity and agency.
Last week, when the Pegasus Project broke a series of chilling stories on surveillance across the world, one of the first responses from those supporting the users of this spyware was that people who have “nothing to hide” should not be worried. This argument “makes an incorrect moral judgment about the kinds of information people want to hide”, Bhandari and Renuka Sane had argued in an article for LiveMint in 2017.
The authors argue that the “nothing to hide” argument wrongfully equates privacy with secrecy, even though they are distinct concepts. “Privacy is about exercising the choice to withhold information, which others have no need to know. Secrecy, on the other hand, is about withholding information that people may have a right to know,” Bhandari and Sane wrote.