NEW DELHI — When the Indian authorities began arresting lawyers and human rights activists in 2018, Sudha Bharadwaj did what she had done for more than three decades wherever she saw injustice. She organized. She spoke out. She asked courts to uphold the law.
Later that year, the police arrested her, too.
Unknown to Bharadwaj, a lawyer and trade unionist, her phone number was already on a list that included some selected for surveillance by clients of NSO Group, an Israeli firm. So was the phone of a lawyer representing her. So was the phone of a close friend and human rights lawyer, and later the phone of another lawyer Bharadwaj worked with in a civil liberties group.
Bharadwaj is one of more than a dozen Indian activists who have been imprisoned without trial and accused of plotting to overthrow the government in what is known as the Bhima Koregaon case. The prosecution has become a crucial test for the rule of law in India under Prime Minister Narendra Modi, where government critics have faced intimidation and arrest.
The case is also a parable with far broader consequences for the digital age, raising disturbing questions about untrammeled surveillance and the reliability of electronic evidence.
In all, the telephone numbers of eight defendants jailed in the case appeared on a list of more than 1,000 numbers in India reviewed by The Washington Post as part of a collaborative investigation by 17 media partners.
It is not known how many of the numbers on the list were selected for surveillance or how many were successfully targeted with spyware. Forensic analyses performed on 22 smartphones in India whose numbers appeared on the list showed that 10 were targeted with Pegasus, NSO spyware licensed exclusively to governments. Seven of the phones were infected. Eight of the 12 inconclusive results were from Android phones, which do not log the information needed for the method used to uncover infection.
None of the imprisoned activists’ phones were available for analysis because the devices were seized by authorities when they were arrested. But one of the infected phones in India belonged to S.A.R. Geelani, who headed an organization where two of the jailed activists on the list — Rona Wilson and Hany Babu — also worked. Geelani died in 2019, and his son provided access to his phone.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International had access to the list of phone numbers, which they have shared with The Post and other news organizations worldwide.
Forbidden Stories oversaw the investigation, called the Pegasus Project. Amnesty International’s Security Lab provided forensic analyses and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked.
The consortium verified the identities of the people associated with more than 300 of the Indian numbers, including not just activists but journalists, politicians, senior officials, business executives and others.
Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, has found evidence that 10 countries represented on the list, including India, have been clients of NSO, according to Bill Marczak, a senior research fellow.
India has neither confirmed nor denied that it obtained Pegasus spyware. In response to detailed questions, a statement from India’s Ministry of Electronics and Information Technology said the allegation of government surveillance of specific people “has no concrete basis or truth associated with it whatsoever.”
Target: Someone sends what’s known as a trap link to a smartphone that persuades the victim to tap and activate — or activates itself without any input, as in the most sophisticated “zero-click” hacks.
Infect: The spyware captures and copies the phone’s most basic functions, NSO marketing materials show, recording from the cameras and microphone and collecting location data, call logs and contacts.
Track: The implant secretly reports that information to an operative who can use it to map out sensitive details of the victim’s life.
The government did not respond to questions about whether it is an NSO client. The statement said that “any interception, monitoring or decryption of any information through any computer resource is done as per due process of law.”
The National Investigation Agency, the anti-terrorism agency overseeing the case against the activists, did not respond to requests for comment about the list. It has said previously that the case is before the courts and it preferred not to comment in response to questions about reports that evidence had been planted.
In lengthy responses, NSO called the Pegasus Project’s findings exaggerated and baseless. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities. It added that its technologies have helped prevent terrorist attacks and bombings and broken up rings that trafficked in drugs, sex and children.
“NSO Group will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations,” the company said.
Thomas Clare, a libel attorney hired by NSO, said the company has “good reason to believe that this list of ‘thousands of phone numbers’ is based on leaked data from publicly accessible, overt sources.”
For the Bhima Koregaon activists, the apparent selection of phone numbers for surveillance was a piece of a larger puzzle. Several of the defendants were also victims of an unidentified hacker who compromised at least two of their computers and planted incriminating documents on the devices before the activists’ arrests, according to analyses by Arsenal Consulting, a Massachusetts-based digital forensics firm.
The disclosure that a group of vocal government critics was facing potential targeting with a form of sophisticated spyware as well as a malicious hacking operation could intensify calls for their release. Several of the activists have spent more than three years in jail under a stringent anti-terrorism law as they await the start of their trial. All have denied the charges against them.
One of the activists was Stan Swamy, an 84-year-old Jesuit priest who suffered from Parkinson’s disease and worked for decades for the rights of India’s tribal peoples. He was jailed in October. Swamy, whose number was not on the list, died July 5 after judges allowed him to seek treatment for ill health at a hospital.
The prosecution of the activists is “a process of punishment by trial,” said Ajai Sahni, executive director of the Institute for Conflict Management and an expert on militant groups in South Asia. “We now have a case of execution by trial,” he said, referring to Swamy’s incarceration and death.
Only a small percentage of defendants have been convicted under the anti-terrorism law used in the Bhima Koregaon case, but the statute allows those accused to be held without bail almost indefinitely in India’s slow-moving legal system.
The allegations against Bharadwaj, the lawyer and trade unionist, emerged in July 2018, when a pro-government TV channel reported the existence of a letter she allegedly wrote to a member of a banned Maoist militant group.
Bharadwaj fought back, warning the channel to take down what she called defamatory content. She was arrested, and in a hearing related to her case, a justice on India’s Supreme Court expressed doubt about the authenticity of the letter, noting that it contained spellings and grammar unique to an Indian language that Bharadwaj does not speak.
The phone numbers used by Bharadwaj and seven others in the case were added to the list that included surveillance targets before their arrests. Three of their numbers were added in 2017, well before the event that police said precipitated the investigation: a commemoration of a 200-year-old battle held on Jan. 1, 2018, where one person died in clashes near a village known as Bhima Koregaon.
The numbers on the list included not just those of the imprisoned activists but of their family members, friends and colleagues. One of them was Bharadwaj’s friend Shalini Gera, a human rights lawyer and a founding member of a legal collective that did pro bono work on cases of illegal detention and alleged torture by security forces.
Gera has never been questioned or accused of any wrongdoing in the case. In a separate disclosure, Gera was one of a group of Indians notified in 2019 by WhatsApp, the Facebook-owned messaging application, and Citizen Lab that they had been hacked with Pegasus. Two phone numbers belonging to Gera also appeared in the lists reviewed by The Post, including one number that she was not using for WhatsApp.
“I feel vulnerable and violated,” Gera said in a recent interview. “They are seeing emails to my husband, my professional mails with clients, financials, things that are only for my own ears.”
Gera was also one of dozens of activists and their associates to receive emails containing malicious software, according to a person with direct knowledge of the ongoing forensic analysis of computers in the case, who spoke on the condition of anonymity to discuss the matter.
For the family members and colleagues of the defendants, the knowledge that their phone numbers had been added to the list adds to the sense of fear and of being under siege.
Minal Gadling, a homemaker in the central Indian city of Nagpur, was added to the list after her husband, Surendra Gadling, was arrested. Surendra is a lawyer, a father of two and a member of the Dalit community, formerly known as untouchables. He often defended people accused under the same anti-terrorism statute now being used in his case.
Since her husband was jailed in 2018, Minal has devoted herself full time to pursuing his case, attending court hearings and visiting him in prison. “The past three years have been very difficult,” she said. “In all this, to know that my phone was also under scrutiny just makes me very angry.”
On July 6, a new digital forensics report on the case was released. It contained yet another bombshell: Evidence was also planted on a computer belonging to Surendra. The hacker — whose identity remains unknown — deployed malware on the computer in 2016 and later that year began depositing files in a hidden folder on the device, the report found.
Among the planted documents was a letter — the one allegedly written by Bharadwaj to a comrade in the Maoist militant group.
Bharadwaj’s long incarceration is a political decision that has “nothing to do with the law,” said Gera. “I don’t know if I am stupid and foolish, but I am optimistic. Something’s got to give.”
Sukanya Shantha of the Wire contributed to this report.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read more about this project.