Developments around the Pegasus scandal these past few days must make it impossible for the Israeli company NSO Group to obfuscate the centralised nature of the storehouse of client data that leaked last month.

The fact that France’s cybersecurity authorities have independently authe­nticated the presence of Pegasus in the phones of two French journalists present in the  database, demolishes the Israeli company’s claim that the list of leaked numbers was intended to be used by its clients for “other purposes” and not for deploying the deadly spyware against unsuspecting citizens and foreign nationals.

President Emmanuel Macron of France has announced an investigation into Pegasus after his own number and that of several French ministers appeared in the leaked list.

The Narendra Modi government was trying to discredit the testing method of the Amnesty Tech Lab, even though its methodology was validated by Citizen Lab of Toronto University. Now, with the French government independently authenticating the Pegasus Project’s findings, there will be ever

more pressure on the Indian authorities to announce an investigation. This should also persuade the judicial system to consider an independent probe.

The Indian government will have to first come clean to the court on whether it engaged the NSO Group and spent public money on buying a Pegasus licence

NSO Group, in its initial communication, tried to confuse matters by saying the leaked database was linked to its customers merely seeking “HLR lookup services”. This relates to identification and authentication of active phone connections in a database before delivering any service. NSO was trying to suggest that such identification and authentication of persons on the database was for other legitimate purposes and not for delivering spyware.

In reality, the use of “HLR lookup services” or Home Location Register services, is just the first step of authenticating a customer before delivering any service, commercial or spyware. It is a generic service, in a manner of speaking. Even before delivering spyware, such authentication is required, according to experts.

So NSO’s claim that the database Forbidden Stories accessed comprises random persons from different countries merely for some commercial HLR lookout services doesn’t hold water. No one, including the Israeli government, is convinced about this alibi offered by NSO. Otherwise why would the Israeli authorities raid NSO’s premises? Or why would NSO be forced to suspend its spyware services to some countries — as some media reports have it claiming — when it insists the database was merely offering commercial HLR lookup services.

If the database consisted of merely some benign HLR services offered by NSO, why would the US government seriously raise the issue of NSO’s Pegasus sale with Israeli officials? Indeed, all these developments flow from the leaked database and the database is the fountainhead of the Pegasus exposé.

As far as the government of France and the US are concerned, the nature of the leaked database is clearly established via sample testing of phones by both the Amnesty Lab and France’s cybersecurity authorities, which found that Pegasus had indeed been deployed against at least 37 smartphones, including 10 in India.

The writing on the wall is very clear and the Indian authorities would also do well not to fudge anymore. The Modi government’s constant questioning of the mechanism of phone testing and the authenticity of the leaked database makes it appear to be in bed with the Israeli company. That is terrible optics and the sooner the PMO realises it, the better.

India’s judicial system is also likely to see through such unedifying contortions. Of course, before going into larger questions over the use of Pegasus, the Indian government will have to first come clean to the court on whether India has bought the spyware and spent public money on it. There is no escaping this question. This truth will bob up to the surface sooner rather than later.

By arrangement with The Wire

Published in Dawn, EOS, August 8th, 2021