In September 2018, John Scott-Railton co-wrote the Citizen Lab’s report on how Pegasus, spyware developed by the Israeli tech company NSO Group, helped governments spy on WhatsApp users. In June this year, he exposed a large-scale mercenary hacking operation run by BellTroX, a Delhi-based digital security company, which was targeting government officials across continents.
“Our concern is that governments that purchase surveillance technology end up using it to not just target criminals, but also target political enemies, journalists and other members of civil society,” he told THE WEEK in an exclusive interview. Excerpts:
What kind of targets and trends emerged from your WhatsApp investigation?
We found a trend of abusive targeting with Pegasus that was not limited to India. When we started investigating that case, we found over a hundred cases like that. WhatsApp is currently suing NSO Group. This is a very muscular, unprecedented defence of users in India and around the world.
Has NSO Group contacted the Citizen Lab?
The Citizen Lab has been sending letters to NSO and its owners for years now. The responses have been incomplete or misleading.
Why were the responses misleading?
For years, the Citizen Lab, as well as researchers at Amnesty International and other organisations, have gathered evidence of abuses by Pegasus. Instead of admitting these issues, and taking constructive action, NSO consistently seeks to discredit our work.
Do you feel the Indian government needs to probe the WhatsApp breach case?
I am curious about what steps will be taken. The WhatsApp case in India is extremely troubling. So is the case of BellTroX, and so is the case of phishing that Amnesty International reported last year. So now we have three perplexing, troubling cases that call for serious investigation. We all will be looking at what approach the Indian government takes in these cases.
What are the concerns about the tracking apps launched during the Covid pandemic? The Indian government developed Aarogya Setu.
Researchers have looked into many Covid-19 tracking apps and found that security and privacy are not always a priority. The apps may be intended to help in epidemiological purposes, but they may not be well-designed from a privacy or cybersecurity point of view. In some cases, even the epidemiological justifications are shaky.
How can we counter the threats from new apps and technologies?
Many of the problems in the last decade have occurred because we connected faster than we secured. That has to change for governments and industry. There has to be pressure from stakeholders, investors and consumers. Unfortunately, consumers and businesses largely have imperfect information about security and safety. They may not know what to ask for. Even the governments may have imperfect information. Until there are very serious consequences for those who intentionally engage in unlawful and abusive surveillance, problems will persist.
The Citizen Lab recently exposed a massive hack-for-hire operation. How was BellTroX targeting thousands globally?
We believe that the targeting was commissioned by private individuals and companies. In other words, BellTroX was acting as hackers for hire. What is interesting is that a substantial fraction of targets were journalists and members of civil society.
Who were the targets?
Everyone you can think of, and some you probably wouldn’t guess. We found divorce cases, legal fights, journalists, lots of financial institutions, banks, small businesses, and a few governments. We have seen BellTroX targeting senior officials in multiple governments around the world.
Do you know the identities of the private individuals who hired BellTroX?
That is one of the biggest challenges of the investigation. There is a federal investigation in the US into BellTroX and those who hired it. One individual, a private investigator accused of hiring BellTroX to target people, is already in jail.
Did the Indian government approach the Citizen Lab after the exposé?
Given the scale of the wrongdoing we uncovered, we have been somewhat surprised to have not received any official communication from the Indian government.
The report says the owner of BellTroX, Sumit Gupta, was indicted in the US. Yet he was operating freely in India.
Given that Gupta was indicted in the US for hacking for hire in 2015 and is currently wanted by the US government, it is remarkable that he can openly run a company with a front door that engages in these illegal activities. It’s remarkably brazen.
Are Indian mercenary hackers becoming a global concern?
Even Google recently wrote specifically about the threat posed by Indian hack-for-hire groups, which signals that there is a special problem in India that really needs to be addressed.
Is investigating BellTroX an uphill task for Indian agencies?
The people behind BellTroX are easy to find. A failure to investigate and pursue prosecutions would raise questions in many international legal, diplomatic, law enforcement and cybersecurity quarters. And BellTroX is bad for business, too. Many major international companies are among its targets.
Your report that WeChat was analysing user content is alarming. What is the threat from popular apps from China?
There is an unfortunate history of apps developed for the Chinese market having built-in censorship, and in some cases, surveillance [capabilities]. It is the scale of users that makes it so troubling. This kind of surveillance was normalised and globalised by China. There are serious national security concerns for other countries that use products emerging from the Chinese market.