Bela Bhatia, a human rights lawyer in the Indian state of Chhattisgarh, is accustomed to surveillance. She works in a region prone to both guerrilla violence and government reprisals, and authorities do not like many of her clients.
Still, Bhatia said she was shocked to learn her phone had been infected with invasive spyware delivered through missed video calls on WhatsApp, a messaging service that is used by about 400 million people in India, WhatsApp’s biggest market.
“You are carrying the spy in the pocket with you everywhere you go,” she said. “It is much more than one had imagined that the Indian state could do.”
Bhatia is one of more than a hundred Indians who learned in recent months that every keystroke, call and GPS location on their phones had probably been recorded by the surveillance software, which is sold by the NSO Group, an Israeli firm.
NSO says its technology is licensed only to governments for combating terrorism and fighting crime. It also promises it won’t sell to governments with records of human rights abuses.
But the revelations from India over the past two weeks show that even countries with decent scores on global human rights indexes will use NSO technology to track journalists, critics and dissidents, digital rights activists said.
“This attack is a window into what happens when you give governments extralegal access to people’s communications,” said John Scott-Railton, a security researcher at the Citizen Lab, which worked closely with WhatsApp to uncover the attacks and notify the targets. “These tools will be used for all kinds of unaccountable espionage. The temptation for abuse is just too great.”
WhatsApp and its parent company, Facebook, filed a federal lawsuit against NSO last week seeking to block the Israeli firm from using their services. The suit says NSO abused WhatsApp by piggybacking on it to hack into the phones of 1,400 of its users around the world. More than 100 of the targets were human rights activists, journalists, religious leaders and dissidents.
The case is the latest in an avalanche of claims of abuse to emerge in recent years from the multibillion-dollar commercial spyware market, where governments — instead of protecting the privacy of consumers — are the paying clients.
At the center of these claims is NSO, which had pledged to move past its record of abetting human rights abuses and be in full compliance with the United Nations Guiding Principles on Business and Human Rights by October. That month, WhatsApp informed the 1,400 victims, which also included diplomats and senior government officials, that NSO had used its service to attack their phones.
The recent revelations offer a counternarrative to NSO’s stated support for transparency and human rights. The WhatsApp lawsuit contends that NSO’s spyware was used against dissidents and journalists in the United Arab Emirates and Mexico, two governments previously caught abusing NSO spyware. It also cites NSO’s use in Bahrain, a country where the human rights situation was deemed “dire” by Human Rights Watch.
In India, 121 WhatsApp users were targeted with NSO spyware, the messaging service said in a recent letter to the government. Of those, at least 22 were human rights activists, journalists and civil rights lawyers, according to a tally by the news site Scroll.in. A spokesman for the Indian National Congress, a leading opposition party, told reporters last weekend that WhatsApp had informed one of its top leaders, Priyanka Gandhi Vadra, that she was among the targets.
It’s not clear which government agencies in India purchased NSO’s spyware. The central government, led by Prime Minister Narendra Modi, has repeatedly criticized WhatsApp — not NSO or its clients — for the breach, but has declined to support calls by opposition parties for a full investigation into who bought and used the spyware.
Two clusters of Indians stood out on the target list. One group is active in working for human rights in Chhattisgarh, where the government has battled a Maoist insurgency for decades. The other has connections to left-leaning activists whom the government has accused of plotting to kill the prime minister and of inciting violence in Bhima Koregaon, near Mumbai, in 2017.
Ankit Grewal, a lawyer for Sudha Bharadwaj, who was arrested in the Bhima Koregaon case, said he started missing calls on WhatsApp last fall. In October, he learned that the calls had infected his phone with NSO’s spyware even though he never picked them up.
“Now I see a pattern,” he said. “Other lawyers who were defending activists related to Bhima Koregaon and Chhattisgarh were being targeted. Who else but the government would do it, as we were targeted after the arrests of the activists?”
Santosh Bhartiya, a former member of Parliament and the editor-in-chief of the Hindi-language news site Chauthi Duniya, was more mystified as to why he was targeted. Although his news site is critical of the government, Bhartiya said, he is also well known to top government officials. “I am a journalist, but I am not that kind of journalist that people will do surveillance on,” he said.
Another target, Shu Choudhary, a former BBC journalist who has been active in Chhattisgarh peace talks, said he had become resigned to government surveillance. What disturbed him most was just how invasive and “vicious” NSO’s spyware proved to be.
“This is an illegal attack on our fundamental rights, but it’s nothing new,” Choudhary said. “It’s just that the scope of surveillance is much higher than anything we’ve experienced before.”
When asked about the targets in India, NSO repeated the statement it made when the WhatsApp lawsuit was announced: Its technology is used to fight crime and terrorism and is not licensed for spying on human rights activists and journalists.
Last June, United Nations Special Rapporteur David Kaye called for an immediate moratorium on the sale of surveillance technology until rigorous human rights safeguards could be put in place.
But since the U.N. has no power to enforce a moratorium, spyware sales continued unabated. In September, NSO published new human rights and whistleblower policies that included a renewed commitment to due diligence and to contractually obligating its customers to restrict the use of NSO’s products to the investigation of crime and terrorism.
In response to NSO’s new policies, Kaye wrote a letter in October questioning how exactly the company planned to hold its clients to account when its spyware had been so readily misused and when it had no direct way of monitoring how governments deploy its products.
“The industry is incredibly opaque and the users are opaque,” Kaye said. “On both sides, the opacity makes it impossible to understand what’s going on in this space.”
Kaye and others said the WhatsApp lawsuit filed last week could be the beginning of checks in an industry that has had none. The lawsuit is the first case of a technology company holding another to account for exploiting its products for surveillance.
Although the Computer Fraud and Abuse Act, which was cited in the suit, does not apply to “lawfully authorized investigative, protective, or intelligence activity” by the government, there is no exception for private actors, like NSO.
“I imagine NSO Group is pretty worried about that,” Kaye said.
In a demonstration of how seriously it takes the case, Facebook started blocking NSO employees from their personal Facebook, WhatsApp and Instagram accounts last week, according to NSO employees’ posts in public web forums.
The people targeted with NSO’s technology said they do not expect the lawsuits to change their reality of being under near-constant government surveillance.
“In an ideal world, everything would be done legally, but we live in dangerous times,” said Choudhary. “We need to try to protect ourselves as much as we can.”