Hindus for Human Rights


The UAPA Law – Curbing Terrorism or Stifling Dissent?

Desh-Videsh Conversation Series – Speaking Across the Divide

Inaugural Episode: January 21, 2023, India Community Center, Milpitas, CA

Social activist Rona Wilson (File photo | EPS) from the Indian Express

Digital Evidence Planting: New Age Threat to Rights Defenders

Presented by Safa Ahmed of the Indian American Muslim Council on behalf of a broad coalition working to secure the release of all the Bhima Koregaon prisoners

Why are most of the Bhima Koregaon defendants still in jail despite forensic findings that incriminating evidence had been planted on some of their computers?

Good evening. Digital forensics is a dry, technical field, but the consequences of digital attacks play out like a vivid, terrifying, and painful movie. With the help of technical experts, journalists, and activists, I have prepared for you this narrative of what was revealed in the forensic analysis of the hard drives of three of the BK-16—Rona Wilson, Surendra Gadling, and Father Stan Swamy.

Picture this: 83-year-old Jesuit priest, Father Stan Swamy, who has dedicated his life to fighting for the rights of India’s indigenous Adivasi people, is sitting in his spare room near the city of Ranchi in the state of Jharkhand, and working on his computer. It is nearing 9 p.m. on June 11, 2019, so Father Stan, who turns in early, switches off his computer and goes to bed. Remember the date and time, because these details will be crucial later on.

He is rudely awakened early the next morning, on June 12, before sunrise. The police have come to raid his residence. They take his computer away.

After the courts fail to grant Father Stan anticipatory bail, this gentle old man is arrested by the police on October 8, 2019.

The police claim that “incriminating documents” have been found on Father Stan’s hard drive, much like they were found on the hard drives of Rona Wilson and Surendra Gadling before him. These documents allegedly link Father Stan to the Maoist insurgency in central India. It is on the basis of these electronic documents that Father Stan is arrested under the Unlawful Activities (Prevention) Act, a law that makes securing bail next-to-impossible.

Father Stan and the other arrestees repeatedly deny all knowledge of these documents, both privately to friends and family, and to the police. Their conviction is so strong that their defense team finds it necessary to get hold of copies of these hard drives, and send them to a reputable digital forensics firm in Boston, USA, for analysis. The firm selected for this process is Arsenal Consulting, famous for working on the Boston Marathon bombing case. Chain of custody is carefully maintained to get verified copies to Arsenal Consulting.

The reason bail is denied is to allow investigators to continue interviewing arrestees, but not a single investigator finds it important to interview Father Stan in the slow months after his arrest. But prison authorities do their utmost to make his life hell. They deny him even a sipper and a straw to drink water from, which he needs because of his Parkinson’s diagnosis. They refuse to give him adequate medical care. In prison, Father Stan’s already frail health further deteriorates.

Then, sometime in the summer of 2021, with investigators still not having spoken to Father Stan once, he contracts COVID. Efforts to move Father Stan to a hospital are delayed in the courts, whose intervention comes too late. On July 5, 2021, short hours before his next medical bail hearing, Father Stan Swamy passes away while still in custody of the Indian state.

So what were these “incriminating files” that had such devastating consequences, leading to the arrest of 16 of India’s most prominent human rights defenders, across thousands of days? How did these files come into their computers?

By analyzing the disc images of these computers, Arsenal Consulting made a series of startling findings.

As early as 2014, multiple emails containing malware were sent to the email IDs of the BK-16. Take the example of Rona Wilson. Rona Wilson got an email from the personal email account of the poet Varavara Rao, asking him to open an attachment. Thinking nothing of it, Rona tried to open it, but it didn’t open. More emails came from VV Rao’s email account, urging him to try a second attachment, and then a third. Finally, when Rona Wilson opened the third attachment, his computer was infected.

It became clear from the forensic analysis that prior to Rona Wilson, Varavara Rao’s email was hacked. Hackers were using this hacked email address to target the friends of Varavara Rao, those who trusted him and opened an attachment from him. A similar method was used to target Surendra Gadling, and Father Stan Swamy was infected with this malware, a “remote access trojan” called Netwire, in October 2014.

From 2014 till their arrest, every single thing these three activists did was surveilled. Every single letter they typed, from documents, to emails, to even passwords, was logged and sent to the hackers. As many as 24,000 files and folders on Father Stan’s computer were surveilled. Not just the computers, but every device attached to the computers, like flash drives and external hard drives, was also surveilled.

Of course, the Pegasus scandal shows that few of us are safe from the threat of digital surveillance. But what happened to the BK-16 was far worse. In 2017, the hackers went one step further. They began to plant incriminating letters and documents on the hard drives of Rona Wilson, Surendra Gadling, and Stan Swamy. The first documents entered Father Stan’s hard drive in July 2017. Note that this was a full five months before the riots broke out in Bhima-Koregaon—the case that supposedly prompted an investigation of the BK-16 in the first place.

By June 2018, both Rona Wilson and Surendra Gadling were arrested. When the names of other prominent activists turned up in these “incriminating letters,” they, too, were arrested. But the hacker was not done. The hacker was still surveilling Father Stan. And as late as June 5, 2019, he was still planting incriminating documents on Father Stan’s computer.

We have returned to where our story began. The evening of June 11, 2019. The clock is nearing 9 p.m. Father Stan is working on his computer. But little does he know that the hacker is also working at the same time, furiously trying to erase his tracks. Arsenal Consulting have found detailed logs showing the hacker’s attempts: the hacker inputting commands trying to delete files. The hacker making mistakes when writing code, then correcting them. All of this is visible to us in the forensic report.

There is one last command the hacker wants to execute to finish their clean-up job.

But before they can execute it—Father Stan Swamy, the 83-year-old Jesuit priest, who likes to turn in early, switches off his computer. This allows Arsenal Consulting to find even more proof of the hacking.

A few short hours later, Father Stan’s computer is seized.

How did hackers know to cover their tracks a few short hours before the seizure of the device? How did they know the police were coming the next day? That’s a question that we cannot directly answer, but cybersecurity experts have provided some clues.

Cybersecurity firm SentinelOne is the other major international firm to both verify these findings, and use them for their own investigations. Their area of specialization is identifying “threat actors,” or networks of hackers, and tracking their activities across the world.

After months of study, SentinelOne determined that this threat actor shares infrastructure with other known threat actors linked to the Indian state. Later, collaborating with WIRED magazine, SentinelOne showed that hackers retained control of devices and used them to target other activists after the Pune police had seized the devices. The report in WIRED alleges direct coordination between the Pune police and the hackers.

Each of these reports has been vetted by the Washington Post and independently verified by several leading digital forensics experts, including Amnesty Tech and the University of Toronto’s Citizen Lab.

By now, there is no doubt in anybody’s mind that the evidentiary basis for the entire Bhima-Koregaon case, based on these planted digital files, lies in tatters. But because of the stringent provisions of the UAPA, and because trial has not begun yet, this evidence cannot be brought to bear to exonerate the BK-16. And so the cases roll on, including a case filed by the Jesuits in India to posthumously exonerate Father Stan.

Father Stan’s work and legacy continue long after his passing. He was awarded the Nobel Prize for Human Rights Defenders, the Martin Ennals Prize, in 2022. We now hope that this latest shocking revelation about the planting of evidence on Father Stan’s hard drive finally awakens the courts. The BK-16 deserve not just immediate bail, but also full exoneration at the earliest possible date. 

The Bhima Koregaon Sixteen: Days in jail without bail or facing a court of law

Fr. Stan Swamy RIP