What the Pegasus Scandal Revealed About Media Security

The Pegasus Project — a global investigative journalism consortium involving 17 media organisations and Amnesty International's Security Lab, published in July 2021 — documented that NSO Group's Pegasus spyware was used to target hundreds of journalists, activists, politicians, and others across multiple countries. 

India's component of the Pegasus Project was among the most significant: The Wire and its partners documented that Indian journalists had numbers on Pegasus target lists. 

The Supreme Court of India constituted a technical committee to examine whether government agencies used Pegasus against Indian citizens — a step that itself acknowledged the seriousness of the allegations.

Representational Image: What the Pegasus Scandal Revealed About Media Security

Pegasus — developed by Israeli firm NSO Group and available only to state-level clients — is characterised as a "zero-click" spyware that can infect a target's smartphone without the target clicking any link or taking any action; it can access messages, emails, photos, microphones, and cameras without the user's knowledge. 

The Government of India neither confirmed nor denied using Pegasus; it cited national security confidentiality; it questioned the technical methodology of the Pegasus Project's analysis; it noted that the NSO target list does not prove actual infection. 

The Supreme Court-constituted technical committee found inconclusive evidence from the phones examined — several targets were unable or unwilling to submit their phones. The investigation remained unresolved as of 2025.

What You Need to Know

• Pegasus Project (July 2021): global investigation by 17 media organisations and Amnesty International's Security Lab; identified 50,000+ phone numbers on Pegasus target lists across multiple countries; India component identified numbers of journalists, activists, opposition politicians, election commissioners, judges, and business figures.
• Indian journalists on target list: included Siddharth Varadarajan (The Wire), M.K. Venu (The Wire), Paranjoy Guha Thakurta (investigative journalist), Ravi Nair (SAHRDC), and others; Amnesty's Security Lab found forensic evidence of Pegasus infection on some Indian devices; government denied authorising such surveillance.
• Supreme Court response: constituted a technical expert committee (October 2021) headed by retired Justice R.V. Raveendran; committee submitted sealed report in 2022; Supreme Court found the government "did not cooperate" with the committee; full committee findings not made public; Supreme Court criticised the government's lack of cooperation.
• NSO Group context: Israeli firm NSO Group licenses Pegasus only to verified government clients; it requires licensing fees in the tens of millions of dollars; the scale of the technology's deployment implies significant state resources and deliberate targeting decisions.
• Digital security implications: the Pegasus revelation that smartphones can be compromised without user action fundamentally changes journalist security practice; end-to-end encrypted messaging (Signal) is insufficient against Pegasus because the compromise occurs at the device level before encryption; complete operational security requires specialised practices (airgapped devices, in-person meetings) that most journalists cannot maintain.

How It Works in Practice

1. What Pegasus access enables: Once installed on a target's smartphone, Pegasus can: read all messages across all apps; access email; capture photos; record phone calls; activate the microphone for ambient recording; activate the camera for visual surveillance; and transmit all of this to NSO Group infrastructure (and by extension to the requesting government). For a journalist, this means: complete source exposure; interception of all communications with sources; access to documents and evidence; and real-time location tracking.

2. The threat to source protection: Journalism's fundamental ethical and operational requirement is source protection — the guarantee that a source who provides information in confidence will not be identified to the subject of the story. If a journalist's phone is compromised by Pegasus, this guarantee is void: every source communication, every confidential document, every meeting location is available to the government. Pegasus represents an existential threat to investigative journalism that depends on confidential sources.

3. The government's non-response: The Indian government's response to Pegasus allegations followed a consistent pattern: questioning the Project's methodology; not acknowledging operational details on national security grounds; not cooperating with the Supreme Court's technical committee; and not briefing Parliament. This response — while legally defensible under national security doctrine — provided no assurance to affected journalists that they had not been targeted or that they would not be targeted in future.

4. Source protection practices in post-Pegasus Indian journalism: Following the Pegasus revelations, Indian journalists who cover sensitive political topics have had to revise their security practices. Signal adoption for secure communications; compartmentalisation of sensitive source information away from internet-connected devices; in-person meetings for the most sensitive communications; and forensic phone analysis through Amnesty's Security Lab (available to targeted journalists) have all become more standard in the independent journalism community.

5. International dimension: Several Indian journalists with Pegasus-targeted numbers were also covering topics with international dimensions — India-Pakistan relations, Kashmir human rights, and democratic backsliding — suggesting possible intelligence interest in their international source networks as well as their domestic reporting.

What People Often Misunderstand

• The Pegasus target list does not prove infection: Having a phone number on the Pegasus target list indicates that a government client expressed interest in targeting that number; it does not necessarily mean the phone was successfully infected; forensic analysis of specific devices is required to confirm infection; some confirmed infections were documented in India.
• The Supreme Court investigation did not definitively clear or indict the government: The Supreme Court's criticism of government non-cooperation and the sealed technical report's findings have not been fully disclosed; the investigation produced neither a formal clearing nor a formal indictment; this ambiguity itself is a finding about the government's willingness to be transparent.
• Pegasus is not the only surveillance tool: The Pegasus Project revealed one specific spyware; India's surveillance infrastructure includes many other tools — internet monitoring, call data record requests, social media monitoring, NATGRID (National Intelligence Grid), and state police intelligence units — that are less technically sophisticated than Pegasus but cumulatively represent a significant journalist surveillance environment.
• Digital security is now a journalism competency requirement: The post-Pegasus environment requires journalists covering sensitive topics to maintain operational security practices; this is not optional for journalists who promise source confidentiality; journalism education needs to incorporate digital security as a core competency.
• The government's national security justification has limits: Even if governments have legitimate national security interests in monitoring communications, the targeting of journalists for their journalistic work — rather than genuine security threats — is outside the scope of legitimate security surveillance; the Pegasus targets included journalists, activists, and opposition politicians whose "security threat" characterisation would require extraordinary evidence.

What Changes Over Time

The NSO Group has been placed on the US Commerce Department's Entity List (2021) for providing tools that enabled foreign governments to "conduct transnational repression"; this US action has complicated NSO's commercial operations but has not eliminated Pegasus's use by existing clients. Amnesty International's Security Lab continues providing forensic phone analysis services to targeted journalists globally, including in India. 

The Supreme Court's post-Pegasus jurisprudence on surveillance and privacy — building on the Puttaswamy right to privacy judgment (2017) — continues developing the constitutional framework for surveillance legality.

Sources and Further Reading

• RSF — India country profile: https://rsf.org/en/country/india
• GIJN — India investigative journalism: https://gijn.org/stories/india-independent-news-investigating-key-election-year/
• Amnesty International — Security Lab: https://securitylab.amnesty.org

(This series is part of a long-term editorial project to explain the structures, institutions, contradictions, and operating logic of governance in India for a global audience. Designed as a 25-article briefing cluster on the Indian Media Ecosystem & Journalism, this vertical examines how information is produced, distributed, consumed, regulated, and contested in contemporary India — from television news, newspapers, digital media, and public broadcasting to media ownership, press freedom, journalism ethics, advertising economics, misinformation, platform power, and the changing relationship between the media, the state, and the public. Written in accessible format for diplomats, investors, researchers, NGOs, civil society actors, students, academics, policymakers, and international observers, the series seeks to explain both how India’s media architecture is structured on paper and how journalism, influence, narrative formation, and public discourse actually function on the ground. This is Vertical 7 of a larger 20-vertical knowledge architecture being developed by IndianRepublic.in under the editorial direction of Saket Suman. All articles are protected under applicable copyright laws. All Rights Reserved.)