Making sense of Pegasus-derived data
Pegasus can transmit data. But humans have to process it. Where is this team, who is managing it, how does it operate?
More than a year ago, a senior journalist called me and narrated a strange personal experience. He said, one day, he was summoned to meet one of India’s biggest industrialists, ostensibly to discuss his critical reporting of the industrialist and his businesses. During this meeting, the industrialist apparently rattled out intricate details of some of the journalist’s private financial transactions, and spoke in an intimidatory tone. The journalist told me he was shocked that the industrialist — perceived as close to the ruling establishment in Delhi — had access to this private information. But since he had nothing to hide and had committed no crime, he said he walked out of the meeting nonchalantly.
Thanks to the groundbreaking investigative work of 16 media organisations internationally and The Wire in India, one now knows that the phone numbers of many in India appeared on a list of potential targets of surveillance by the Israeli spyware, Pegasus. This journalist’s name was not just on the list of potential targets of those whose phones may have been hacked. Not only that, his device was also confirmed to have been infected with Pegasus after a forensic test.
So, could the two incidents — the industrialist’s knowledge of the journalist’s private matters and the journalist’s phone having been infiltrated with Pegasus — be related or are they just coincidental? It is likely that the two incidents are linked, which then raises the question — how did the industrialist gain access to this information from this journalist’s phone and who else had and has this access?
In other words, along with the allimportant question of who bought the Pegasus spyware from the Israeli private company, NSO, to spy on Indian citizens, there is a second question. How did information flow from Pegasus on people’s phones to the end recipient of this information?
In the example of the journalist cited here, Pegasus would have transmitted messages, emails, phone calls, pictures, video, camera, location and other such information from the journalist’s phone. But how exactly was this daily data, which was sent from the journalist’s phone, turned into meaningful information of specific financial transactions and conveyed to the industrialist? Pegasus software can only transmit data, it does not and cannot comprehend it.
It is now established that there were at least 300 “verified” people in India whose phone numbers were on the list of potential surveillance targets. These individuals were not picked randomly, but chosen at particular junctures, possibly to serve some specific purpose, as The Wire has documented in detail. It is also reported that, at the very minimum, the Indian buyer of Pegasus would have incurred a total expense of roughly ₹20 lakh to infect each targeted phone with Pegasus.
The buyer spent such a large sum on each person to be able to listen to phone calls, watch movements, read messages, and capture each element of the individual’s life. But this cannot be done by Pegasus or any other machine. It needs a human on the other end to be able to listen, read and watch the person being spied on by Pegasus. Only a human can make sense of all the information that Pegasus sends from the infected phone.
Pegasus transmits information from the infected phone nonstop (24x7x365). To gather all this data, decipher and analyse it, it would take at least a two-three member backend team for each person being snooped on. Given the possibly largescale nature of the hack, it would take a few more thousand people on the backend to turn all of the Pegasustransmitted data into meaningful and useful information for the buyer. Surely, the buyer did not spend all that money on Pegasus just to get a daily dump of data with no one to analyse it?
So, if we accept that the Indian buyer of Pegasus would not have been foolhardy enough to spend all that money without establishing a large backend team, trained in basic intelligence operations to decipher and use the large volumes of daily data transmitted by Pegasus, then several other questions arise.
One, is there such a large team of thousands of skilled people sitting somewhere in India and monitoring Indian citizens? Or is it large-scale foreign backend spy operations to snoop on Indian citizens?
Two, who set up this team and what is its chain of command? Three, is this backend operation managed by a government agency or a private company? And four, who has funded this mega backend intelligence operations?
Buying Pegasus spyware from an Israeli company is just the tip of the iceberg. The spyware is useful only when its data is converted into useful information. This cannot be done automatically by any machine, however sophisticated Artificial Intelligence technologies may have become. It takes a large team of humans trained in covert intelligence operations, operating secretly to parse and analyse all the data to make Pegasus useful and worthy for its buyers.
If it is indeed true that the industrialist got access to the journalist’s personal information through Pegasus, or if someone else got access to private information about an individual whose phone was confirmed to have been infected, then clearly there is a very efficient operations team at work. This team is able to cull out relevant and useful information from each phone and send it through its chain of command.
Where is this team, who is managing it and how does it operate are the next set of smoking gun questions on the Pegasus scandal. The government may dodge questions in Parliament. But if conscious sections of the media, judiciary, legislative and civil society arms of our society collectively embark on this quest, this can be unravelled. More skeletons can tumble out from the cupboard of the mysterious Indian client of Pegasus.