As Apple alert to Opposition leaders is investigated, clarity remains out of reach Premium

Apple sent alerts to Opposition leaders that a “state-sponsored attacker” may be targeting their digital devices; Apple spokespeople in India circulated a statement saying that they did not blame “any specific” government attacker

As Opposition leaders intensified allegations of government snooping after receiving alerts from the tech firm Apple that a “state-sponsored attacker” may be targeting their digital devices, government officials and ruling party politicians moved to advance a series of misleading and vague statements on the nature of the warning. The government says that it will investigate Apple’s message, which was delivered on Monday night to top leaders in the Congress and other Opposition outfits, as well as some journalists and civil society members.

Minister of Electronics and Information Technology Ashwini Vaishnaw, for instance, posted on the social media platform X that “information by Apple on this issue seems vague and non-specific in nature,” even as the company warned users in detail how the attacks they may have detected could infiltrate targets’ phones and remotely access their devices’ contents, and get a real-time feed from devices’ cameras and microphones.

The Minister, as well as other officials, seized on a so-called ‘background’ note that Apple had included in its messages to journalists, which said that the alerts had been sent in 150 countries. Background notes are usually sent by public relations workers to provide additional background information that they do not want to be directly quoted on. The firm as well as the Minister left out some key context: that this number was for all alerts sent since 2021, not the batch that Opposition leaders and others in India had received this week. No user in any other country has publicly reported receiving such an alert since the warnings were first delivered this week. 

Apple spokespeople in India circulated a statement saying that they did not blame “any specific” government attacker, distancing itself from the interpretation that the alerts were accusing the Indian government of spying. IT Minister of State Rajeev Chandrasekhar claimed on live television that Commerce and Industry Minister Piyush Goyal also received an alert, but later walked back that statement, saying it was a ‘friend’ of Mr. Goyal instead. 

Meanwhile, Sanjeev Sanyal, an academic serving on the Prime Minister’s Economic Advisory Council, took a “just asking questions” approach on Twitter to poke holes in the credibility of Apple’s standardised warnings, wondering aloud on X why the firm was referring users to Access Now, a non-profit that works on privacy and digital rights, instead of providing counsel itself, and pointed to, without elaborating, funding the body received from the billionaire George Soros’s Open Societies Foundations. 

Firms such as Apple and Google do not publish technical details of many of the security vulnerabilities they patch, to avoid giving firms that stockpile intelligence on these weaknesses any useful insights on their defensive cybersecurity capabilities. So-called zero day exploits — weaknesses discovered by attackers but not by tech firms themselves — are routinely patched in software updates, and external cybersecurity researchers may sometimes publish findings on these after working with the company concerned to fix the issue beforehand. Since zero-days have a “short shelf-life,” according to Apple, they are usually only deployed to a small group of targets, to maximise their utility before their modus operandi is discovered.

It is also not uncommon for tech firms to encourage additional security safeguards to high-profile targets, even if they market security features that are ironclad for most users. Access Now has worked to support and push back on Apple on different occasions: on the issue of requiring ‘backdoor’ access to personal devices that law enforcement can access, the nonprofit backed the tech giant’s resistance in 2016. On Apple’s proposal to scan users’ personal photos to spot and report illegal child sex abuse material, the nonprofit pushed back, saying the technology could be subverted by authoritarian regimes for other purposes.