Devesh Kumar

Facebook Inaction: Whistleblower Documents Name BJP MP Vinod Sonkar in ‘Fake Account’ Controversy

The second pro-BJP network, on which Facebook allegedly took no action, had 54 inauthentic accounts and is one which whistleblower Sophie Zhang believes was associated with the personal account of Sonkar.

New Delhi: Internal company documents provided by Facebook whistleblower Sophie Zhang to India’s parliamentary committee on information technology have specifically named BJP MP Vinod Kumar Sonkar as having benefited from a network of fake and inauthentic accounts that were not taken down by the social media giant despite being red-flagged.

Zhang has been waiting for nearly six months for Lok Sabha speaker Om Birla to grant permission for her to depose before the parliamentary panel.

In 2019, the former Facebook (now Meta) data scientist found four networks of inauthentic accounts, two helping the Congress and two others benefiting the ruling Bharatiya Janata Party. The two pro-Congress networks had 51 accounts and 526 accounts. The network with 526 accounts had around 100 active accounts per day and was helping amplify the party’s agenda in Punjab elections.

The first pro-BJP network had 65 accounts, and it, along with the two pro-Congress networks, was taken down by the Facebook team a few weeks later on December 19, 2019.

The second pro-BJP network which Zhang identified had 54 inauthentic accounts and is one in which she believes was associated with the personal account of Vinod Kumar Sonkar, a BJP MP from Kaushambi (UP) and current chairperson of the parliamentary committee on Ethics.

This one, Zhang alleges, was never taken down by Facebook and was allowed to operate even after five repeated requests from her.

An inauthentic account (often referred to as a fake account) is an account run by someone who isn’t whom the account purports to represent. These accounts can either belong to a person that doesn’t exist or are being managed and manipulated by a network of volunteers often called an IT Cell. Locating a network of inauthentic accounts is a technical task that requires specialised internal tools.

However, many accounts in such a network show some basic signs like sharing a device or an IP address to perform similar actions, unusual activity patterns during the standard working hours and unavailability of any real information like profile picture, birthday, location etc.

Inability to act countered by contradictory claims from Facebook

In the months following the discovery of a network of inauthentic accounts associated with BJP MP Sonkar, documents show that Zhang raised the issue several times with her colleagues at Facebook, including two other Threat investigators and Facebook India public policy manager.

After documenting (conversation screenshots attached below) her findings on Facebook’s internal collaboration tool – Workplace, she triple-verified her findings given the individual’s stature and suggested ways to act.

On January 28, 2020, she recommended the Facebook India Public Policy Manager to “take some actor-level action against MP Sonkar given the clear evidence between his own account and inauthentic activity benefiting himself – e.g. a warning, a temporary feed limiting as a punitive discouraging measure”.

Appendix 1 – Conversation W… by The Wire

After thanking Zhang for flagging this network, the Facebook team didn’t act on Sonkar’s network of inauthentic accounts. On the contrary, Facebook was quick to take action against the two Congress networks, one of which was removed within eight hours.

Zhang, however, didn’t give up, repeatedly demanding action against the BJP MP’s network. In one of the messages she wrote to Facebook India Public Policy Manager, she says, “To avoid bias through selective responses, I strongly recommend also acting at the same time against the separate inauthentic amplification network identified in Kaushambi.”

Appendix 3 – Conversation W… by The Wire

Nine months later, on August 7, 2020, she reminded her Facebook team of the task by commenting, “The remaining followup here in the task regarded an apparent inauthentic cluster of inauthentic accounts focused on MP Vinod Sonkar (BJP-Kaushambi), which were run out of a network associated with the account of MP Vinod Sonkar and family members. Given the close ties to a sitting member of the Lok Sabha, we sought policy approval for a takedown, which we did not receive; and the situation was not deemed to be a focus of prioritisation.”

Appendix 4 – Post-election … by The Wire

A month later, Zhang was fired from Facebook on the grounds of poor performance after allegedly being asked by her manager to stop conducting her civic work, including in India, on the rationale that it is not valuable to Facebook.

India Fake Account (2019-20… by The Wire

Facebook response

During this process, Facebook tried to save its face to providing contradictory statements to different media organisations.

In an initial claim, Facebook said to The Guardian that Vinod Sonkar IT cell was taken down without delays. They partially retracted this claim upon being confronted with Zhang’s documents attached above.

The Wire contacted the public policy team of Facebook on their final stand on the matter, however, they are yet to respond to our email. We will update this story when we receive the response.

The delaying tactic to suffocate democracy

On November 5, 2021, Sophie Zhang submitted these documents to the Parliamentary Standing Committee on Communication and Information & Technology.

While members of the panel voted for Zhang to come and depose, parliamentary rules require that foreign nationals first get permission from the Lok Sabha speaker before doing so. However, after more than six months, Zhang is still waiting for a response from Lok Sabha speaker Om Birla who has refused to respond to the request.

These new revelations add to earlier allegations that Facebook’s content moderation policies in India have been influenced in part by its fear of angering the ruling BJP party. In August 2020, The Wall Street Journal reported how the platform hesitated in applying the company’s hate speech rules to BJP MLA T. Raja Singh from Hyderabad.

Earlier in January this year, Sophie wrote an Op-Ed for The Wire, strongly suggesting that democracy cannot function if a swarm of fictitious voices drowns out the voices of the people. Unfortunately, the inaction by Facebook, followed by the delay at Lok Sabha to testify her findings, creates a situation where millions of online Indian citizens are blinded by propaganda fueled by hate machinery run by IT Cells of various political parties.

Devesh Kumar is an independent data analyst and Senior Data Visualizer with The Wire.

A Look at How Pegasus Brings the Best of Technology to Achieve the Worst

While the tech is complex, the tool was sold to its customers as a simple solution that begins with just entering a target’s mobile phone number.

The NSO Group’s Pegasus spyware adds new layers and unique capabilities to a highly sophisticated and booming surveillance software industry to overcome modern challenges posed by encryption, masking and frequent SIM card replacement.

In this regard, the Pegasus marketing brochure, made public as part of WhatsApp’s filings in a US court case against the Israeli company, provides an insight into the spyware’s tech stack, architecture, and features.

Though this marketing brochure is likely outdated, and thus does not represent the leaps that have likely been taken over the last few years, it still provides an important glimpse into the different layers of data collection, transmission, presentation and analysis built into the spyware.

Dissecting Pegasus: Understanding different layers of the spyware

Common public awareness about Pegasus is limited to it being a zero-click data collection tool that harvests user data from the device like SMS, contacts, calendar, location, WhatsApp chats, browsing history, photos and videos while also triggering actions in the background like recording calls, activating camera and microphone.

However, different layers of Pegasus add unique abilities to the spyware, making it a comprehensive surveillance tool that requires minimal intervention and technical expertise on the part of the actual customer that operates the software.

The ‘installation layer’ handles remote installation of invisible spyware on the target devices (referred to as agents in the marketing brochure), its maintenance and uninstallation using a self-destruct mechanism in scenarios where operators may be exposed.

Pegasus: Agent installation flow

Pegasus: Agent installation flow

In this layer, as the above diagram shows, NSO is simplifying a complex installation process by abstracting several technical details from the operators, requiring them only to insert a target’s phone number. As the NSO claims in its brochure that “the rest is done automatically by the system, resulting in most cases with an agent installed on the target device”.

After a phone number is inserted, in the background, the Pegasus system checks whether the number is active or not using some HLR lookup service(s) and analyses the phone type and OS version (operating system like Android or iOS) to check the device compatibility.

HLR (Home Location Register) lookup services act as a building block for advanced spyware tools like Pegasus. HLR refers to a database that contains information regarding authorised subscribers of a mobile network, including their phone numbers, current location and International Mobile Subscriber Identity (IMSI), which is a unique identifier of each SIM. HLR lookup services like this help query this database to check if a phone number is active or not.

Also read: Amazon Shuts Down Some Infra and Accounts Linked to NSO Group

The Pegasus system also checks for available installation methods (over-the-air using a push notification covertly sent to the mobile vs SMS/Email push) before delivering the exploit to the target device. NSO handles spyware’s delivery infrastructure and mechanism, providing customers with limited knowledge and control over the process.

NSO, in its statement, claims that “it does not have access to the data of its customers’ targets”, and all of the data resides on servers deployed on the customer side.

Anonymizers and Data Analysis

What makes it hard to identify a Pegasus operator is the fact that the system deploys a network of anonymizers at the data transmission layer. Anonymizer servers are spread across the globe, allowing agent connections to be redirected through different paths before reaching the Pegasus customers.

In addition, all the connections are encrypted, securing the identity of the customers and government officials using the spyware.

Once the data reaches customer servers, it is arranged, filtered, reviewed and analysed by the operators using the dashboard. The dashboard shows the entire collected data from a specific target or only a specific type of information from all targets. The charts on the dashboard show key activities and patterns of a target, while maps show the target’s real-time activity and historical location.

Pegasus: Call Log and Call Interception

Pegasus: Location Tracking

On the dashboard, operators can also create custom rules that trigger system alerts automatically based on device activity, like alerts when a defined word is used in a conversation or when the target calls a specific number. The operators can also export all the extracted data, including names and phones of contacts and chat participants, conversation content, audio recordings, files and folders. They also use the latitude and longitude data of the device to create geofences that trigger a notification in real-time based on an individual’s movement.

This high level of customisability and control without requiring any particular technical skills makes Pegasus a benchmark software for tech enthusiasts in the surveillance industry. However, the way authoritarian regimes are using Pegasus across the world to target journalists, activists and women raises an important conundrum – has NSO created a beast too powerful enough to control in the name of security and defence?

Devesh Kumar is an independent data analyst and senior data visualizer with The Wire.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read all our coverage here.

Note: The article has been edited to reflect that the featured illustrations, previously credited to Devesh Kumar, are by illustrator Diana Valeanu, from absurd.design.

Timeline: How Did India Get to More Than Half a Million COVID-19 Cases?

A look at some of the crucial moments of the outbreak and how they impacted our fight against the virus.

In less than five months, the COVID-19 outbreak in India has spread to all states and union territories, infecting more than five lakh people. The curve is not flattening as the number of active cases has climbed to around two lakh cases and is still increasing, and more than 15,000 people have died because of the virus.

How did we end up here?

India ignored the warning signs when the first few cases surfaced in Kerala and didn’t screen all the international passengers up until March 6. The Indian Council for Medical Research didn’t test people with COVID-19 symptoms without a recent travel history and a known contact that might have transmitted the virus to them, up until March 20. The government’s official line for the public as late as March 13 was that the coronavirus was not a health emergency.

Social distancing as a method of keeping the virus at bay was first officially flagged by Prime Minister Narendra Modi when he spoke to the nation on March 19, in order to call for a one-day ‘Janata Curfew’ for March 22. The first national containment measure in the form of a nationwide lockdown was only introduced on March 25, three months after the first COVID-19 case was reported and two months after the WHO declared the outbreak a public health emergency of international concern. This announcement was not preceded by any official planning, leading to the large-scale movement of the urban poor as they headed for their homes in rural areas.

In sum, the official strategy was an example of ‘too little, too late’ as hidden infections were already spreading in all parts of the country, followed then by ‘too much, too soon’ and not enough planning.

In this story, we look at some of the crucial moments of the outbreak and how they impacted our fight against the virus.

Click on the image below👇 to view this story.

Devesh Kumar is a data scientist and researcher at Reuters. He designed the COVID-19 Growth and Response Tracker for The Wire.

COVID-19: Is India Really Doing ‘Better’ than Other Countries?

When a country does well, a host of figures show that and not just the convenient ones.

New Delhi: There is “evidence” for everything. This seems to be the motto of the present government in India. By intentionally cherry-picking the data, the Ministry of Health and Family Welfare has been trying for the past few months to deny the growth of COVID-19 cases in India and hail the lockdown as a success.

In the latest attempt to suppress evidence and ignore inconvenient data, Lav Agarwal, joint secretary at the ministry, said that “India’s is among the lowest COVID-19 fatality rates in the world”. He also claimed in a press briefing on Tuesday that “India has a low number of cases per one lakh people (lower than Spain, Belgium, the US and Mexico)” and “this is significant if one considers the availability of resources and population density in India”.

This is a classic case of cherry-picking data to mislead citizens into thinking that there is nothing to worry about because few (conveniently picked) countries are doing worse. To examine the credibility of these claims, we must take into the account all available information, including doubling rates, numbers of tests conducted and fatality rates of as many countries as we can. That’s why we created a comprehensive database of 171 countries of the world to see how they are fighting COVID-19.

Total and active cases

If you sort this table by total numbers of cases, you will find that India is positioned at seventh, ahead of Germany, Turkey, France, Iran, Peru and Canada. With 8,392 cases in the last 24 hours (biggest jump so far), the growth rate of COVID-19 in India is increasing even after two months of lockdown.

A better understanding of the state of COVID-19 in countries can be gathered by looking at the total number of active cases. Active cases show the current caseload on the system. A higher active case load means that more people are seeking treatment, and more people are susceptible to the virus. India is at number 5, just below the US, UK, Russia and Brazil, if you sort the table by the number of active cases.

An important element in the data here is the doubling time. Doubling time shows the number of days it takes for total confirmed cases to double and is a good indicator to see the growth of COVID-19.

India’s doubling rate is way higher (cases double every 14 days) than any other country sitting above it in the table – United states (35), Russia (20), UK (35), Spain (56), Italy (55), and Germany (54). The only exception to this is Brazil with a doubling time of just 13 days. Similarly, countries immediately below it in the list of total cases, also have a longer doubling time than India.

Also read: India’s Lockdown Has Failed. Here’s What We Can Learn From it.

Fatality rate

With a fatality rate (percentage of deaths per cases detected) of 3%, India definitely has a lower case fatality rate than Spain, Belgium, the US and Mexico, as the health ministry made it a point to say. What the ministry did not say, however, is that more than 100 countries in total and eight countries in the top 20 (including Russia, Turkey, Saudi Arabia and Pakistan) have a lower case fatality rate than India.

The fatality rate is also not a good indicator to show the success of the lockdown, as governments can easily fudge it by not adding the comorbidity deaths.

Per million people

Many claims have been made by MoHFW, India, where they take into account the large population of India to show a low number of cases per million people or per lakh people. To fully understand this data, we also need to take into account the testing rates of countries. If a country is testing less, it’s much obvious that the number of cases per million people will appear less.

This is where the following table comes into play:

Indeed, India has low cases per million people (117 cases per million people), compared to the US (5197 cases per million people) or Italy (3825 cases per million people). However, India is also testing way less than any of these countries. The US is testing 19 times, and Italy is testing 25 times more than India.

India is positioned way below at 71 (of 84 countries who are providing testing data) in the number of tests per million people. It is testing just 2763 samples per million people (almost equal to Pakistan).

This can also well be a reason for why we have a low rate or cases per million.

The hard fact is that the number of cases in India has been increasing even after two months of lockdown and many states of India are running out of hospital beds and staff. The epidemic curve of COVID-19 cases in India doesn’t seem to be flattening while other countries like Russia, the UK, Spain, Italy, Germany, Turkey, Canada, Belgium have almost bent the curve. MoHFW press conferences should also focus on highlighting the steps they are taking to change the curve, other than presenting anecdotal evidence.

Also read: Fighting COVID-19 on a Wing, a Prayer and an Acronym

Look at South Korea, for example. South Korea has completely bent the curve, by reducing the number of active cases to just 735, increasing the doubling time to 85 days and reducing the fatality rate to 2. This they have achieved by higher testing – 16,823 tests per million people – almost seven times more than India.

When a country does well, all of these figures show that and not just the convenient ones.

Here are a few countries who are bending the curve:

The text of this article was updated on June 1 with the latest Indian data on cases and tests. The attached data tables auto update, based on new data coming in.

Note: We are tracking the COVID-19 cases in India here.

Devesh Kumar is a data scientist and researcher at Reuters. He designed the COVID-19 Growth and Response Tracker for The Wire.