It's one hell of a Monday. If you haven't had time to read the #Pegasus hacking revelations in detail, here are a few observations from day 1 & 2.
A thread I'll keep building.
1. Today we learnt from #PegasusProject & @thewire_in that potential targets for political spying, ahead of the 2019 election, include Congress president Rahul Gandhi and – equally shocking – Ashok Lavasa, the most independent of India's three election commissioners.
... @PrashantKishor is on the list, and offered his phone for forensic analysis, which proves that he was being spied on from before the election until as recently as July 14, 2021. Right through his crucial role helping the TMC through the West Bengal elections.
... That makes the implications of the #Pegasus list, and what we may yet discover, truly terrifying. They may have violated not just our regime of individual rights, but even national elections. It's hard to even type this without apprehensions, but there it is.
2. True scope: #PegasusProject & @thewire_in have identified over 300 Indian phone numbers on the list: politicians, activists, a Supreme Court judge, and 40 journalists.
But it's not just their privacy that has been violated. It's the privacy of *anyone they communicated with*.
... Just think of the active contacts of a leading journalist, a judge, or a top political consultant.
To visualise the extent of this violation, we have to see these verified targets as just the centre of a network encompassing the major part of the Indian public sphere.
... (Yes, it's not lost on me that I've sent literally thousands of messages to people on the #Pegasus list, whose phones have been analysed and found to be hacked. So even without the distinction of being on the list, I believe my privacy has been criminally violated).
3. The list reveals a stunning scheme of political espionage in India – but this is still only a partial picture.
It relies on a single leak, from a single firm (#Pegasus; as opposed to, say, RAT Trojans used to target the BK16).
... It's also limited by timeframe, mid-2017 to mid-2019, so we have to imagine the numbers of citizens who may have been infiltrated since then – in the past two years, which saw the two largest popular protest movements, the anti-NRC and the farmers' union protests.
4. Editor's points: People are calling this an exposé of 'state surveillance', but I find both words misleading. 'State' implies national security objectives, whereas the #Pegasus India hacks, especially of reporters, mostly seem to serve the narrowest ruling party interests...
... One of the journalists on the list, whose phone analysis confirmed #PegasusSpyware, is @SushantSin:
* Retired after two decades of serving in the Indian Army @adgpi
* A two-time winner of the Ramnath Goenka Prize,
* A senior fellow at @CPR_India and guest lecturer at @Yale.
... It's hard to imagine a stronger professional or patriotic profile for a journalist.
But here's what he was covering when the spying began: #Rafale scam allegations; the CBI directorship fiasco; the highly contentious Balakot airstrike. All hot issues before the 2019 election.
5. 'Surveillance' also connotes techniques arguably within the ambit of the law; eg. mass surveillance or interceptions "approved by the competent authority".
Use of #PegasusSpyware should be called political spying or espionage. It's as illegal as breaking and entering a home.
... Almost as dispiriting as seeing an Election Commissioner *!* on the #PegasusSnoopgate list: This.
6. Global scope: This is a *worldwide* newsbreak, with repercussions in many countries, and we need to keep that in perspective.
The BJP is questioning the timing of the exposé (as Parliament goes into session) but this timing was for an international #PegasusProject consortium:
... From one angle, it's surprising how *few* governments are implicated by the leaked list. And they are not good company. That means that such espionage is not the new normal.
Real barriers to the use of #Pegasus (financial, legal, admin've) were pushed over to spy on Indians.
... The Indian government can play stupid (it can bluster, 'We didn't do it', but also, 'We won't investigate who did'). But because this is an international scandal, pressure is building on NSO Group; it can't just lie its way out of this.
Breaking: thewire.in/tech/pegasus-p…
#Pegasus revelations, day 3.
The spread of the apparent targeting is so wide. From high political office – potentially subverting elected state governments – to grassroots reporters & MeToo accusers.
This randomness is an artifact of an incomplete picture.
7. Govt response: Ministers & former ministers have been pounding self-goals into the net. They furiously deny the culpability of government or party – even though none of the #PegasusProject reports make any claims about who is behind the spying on Indian citizens.
... What the reports say is simple:
* Prominent Indians, like @PrashantKishor or @paranjoygt, were conclusively found to have been hacked by high-level spyware
* These hacks were found by investigating a few cases off a much larger list
* This happened in other countries too.
... A government functioning professionally would take this info, even with skepticism, and examine it. If false, debunk it.
What do you call it when ministers revile a report, allege a conspiracy, deny culpability – without investigating at all? "Nobody Killed Jessica".
8. Many media-people are also brushing off the #Pegasus list with snark and lame humour – a function of their privilege and political positioning.
Recall that a related spyware hack just led to a citizen suffering for months, without trial, until he died in prison: Stan Swamy.
... The parallels between the two hacks are chilling. #PegasusProject and the @ArsenalArmed report found different spyware attacking the *same* members of the #BhimaKoregaon 16. Both kinds of spyware allow surveillance, but also creation of false evidence.
... Both the #PegasusProject & #Arsenal discoveries, though vetted by experts & the best international newspapers, met only angry denial from the government. Which will apparently do nothing to stop this from continuing – in new, more malicious forms.
So don't laugh too soon.
"Do we want to live in a society where we live totally naked in front of government, and they are totally opaque to us?" - Edward Snowden
... One of the doubts you're hearing:
If there are 50K numbers, why have forensics proven only 37 #Pegasus hacks?
In fact this is a huge number. Eg., from 2011 to '21, only 38 spyware attacks on journalists were proven.
This single project uncovered 37 cases. Ten of them in India.
... It's meant to be impossible to detect a #Pegasus infection. That's a key part of the #NSOGroup value proposition.
AI Security Lab uncovered their tracks by scrutinizing device logs, one phone at a time – extremely demanding work over dozens of devices.
... It took *years* of research for experts at the AI Security Lab to bust #Pegasus' spying.
The Lab has not only published its detailed methodology online, for anyone to vet. It's also shared tools to help anyone check for traces on their own phones.
techcrunch.com/2021/07/19/too…
The Wire has so far revealed 93 Indians on the leaked list of prospective #Pegasus targets.
Here they are.
thewire.in/rights/project…
... New names revealed this evening are jaw-dropping. On the list:
- Former CBI top brass Alok Verma, Rakesh Asthana and A K Sharma,
- Anil Ambani; his key deputy Tony Jesudasan, and Jesudasan's wife,
- #Dassault Aviation rep in India, Venkata Rao Posina
m.thewire.in/article/rights…
... Take a few minutes to think about what social contract looks like from now on, post-#PegasusProject.
How does anything touching public life or government - from elections to appointments, civil rights, disputes - command our trust again, without a sincere official reckoning?
... Pegasus can secretly turn on a phone mic, so it's not just your phone but your *world* that's being bugged.
If anyone's world could be hacked, we will start assuming that everyone's is. All the rules of fair play are dissolving in front of our eyes. That's what is at stake.
... No matter how skeptical you are of the #PegasusProject, you need to recognise that this Doubt is out there, and its shadow will darken the entire landscape of our public affairs.
We need to all be together in seeking the most credible, robust way to dispel it.
... That's what putting country first means right now.
... It had to happen. Only our hollow, crony noisemedia tried to convince you that it wouldn't.
France's state cybersecurity agency @ANSSI_FR has confirmed Pegasus infections on two phones belonging to journalists, validating the Amnesty Security Lab discoveries.
