Surveillance Laws in India


    In News

    In a recent response to the incident of individuals being targeted by Pegasus, the Government of India has claimed that all interception took place lawfully.


    • Over 300 mobile phone numbers in India were targeted by Pegasus spyware.
    • The Indian list of “verified” numbers includes those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others.
      • However, the presence of a phone number in the database was not a confirmation of whether the corresponding device was infected with Pegasus or was subject to an attempted hack.
    • Pegasus was developed by the NSO Group of Israel, which describes its customers as 60 intelligence, military and law-enforcement agencies in 40 countries.
      • It has refrained from confirming the identities of any of them, citing client confidentiality obligations.

    Government’s Stand

    • The government holds that the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever.
      • In the past, similar claims were made regarding the use of Pegasus on WhatsApp by Indian state. Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
      • However, WhatsApp confirmed use of Pegasus to target journalists and human right activists in India in a lawsuit it had filed in a US court in San Francisco.
    • It highlighted that the latest news also appears to be a similar fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.
    • Although Indian Government has not clearly admitted to or denied buying or using Pegasus to conduct surveillance, the NSO Group has clarified that Pegasus is used by sovereign governments in foreign countries.
    • Government held that all interception took place lawfully.
      • Communication surveillance in India takes place primarily under two laws, the Telegraph Act, 1885, which deals with interception of calls and the Information Technology (IT) Act, 2000, which deals with surveillance of all electronic communication.
      • However, a comprehensive data protection law to address the gaps in existing frameworks for surveillance is yet to be enacted.

    Telegraph Act, 1885

    • Section 5(2) of the Telegraph Act empowers the Central/State government(s) to stop transmitting, intercept or detain or disclose calls and messages by a person or a group of people.
    • Under this law, the government can intercept calls only in certain situations, namely the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of an offence.
      • These are the same restrictions imposed on free speech under Article 19(2) of the Constitution.
    • Significantly, even these restrictions can be imposed only when there is a condition precedent, the occurrence of any public emergency or in the interest of public safety.
    • A provision in Section 5(2) states that even this lawful interception cannot take place against journalists.
      • It reads that “Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this subsection.”
    • Genesis
      • In Public Union for Civil Liberties versus Union of India (1996), the SC pointed out lack of procedural safeguards in the provisions of the Telegraph Act and laid down certain guidelines for interceptions.
        • A public interest litigation (PIL) was filed in the wake of the report on “Tapping of politicians phones” by the Central Bureau of Investigation (CBI).
      • The SC held that tapping is a serious invasion of an individual’s privacy
        • Every Government, howsoever democratic, exercises some degree of subrosa operation as a part of its intelligence outfit but at the same time citizen’s right to privacy has to be protected from being abused by she authorities of the day,
        • It also noted that authorities engaging in interception were not even maintaining adequate records and logs on interception.
      • The Supreme Court’s guidelines formed the basis of introducing Rule 419A in the Telegraph Rules in 2007 and later in the rules prescribed under the IT Act in 2009.
        • Among the guidelines issued by the court were setting up a review committee that can look into authorisations made under Section 5(2) of the Telegraph Act.
        • Rule 419A states that a Secretary to the Government of India in the Ministry of Home Affairs can pass orders of interception in the case of Centre, and a secretary-level officer who is in-charge of the Home Department can issue such directives in the case of a state government. 
        • In unavoidable circumstances, Rule 419A adds, such orders may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or the state Home Secretary.

    Information Technology Act, 2000

    • Section 69 of the IT Act and the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 were enacted to further the legal framework for electronic surveillance.
      • Section 69 empowers the Central/State government(s) to intercept, monitor or decrypt any information generated, transmitted, received or stored in any computer resource in the interest of the sovereignty or integrity of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.
    • Apart from the restrictions provided in Section 5(2) of the Telegraph Act and Article 19(2) of the Constitution, Section 69 the IT Act adds another aspect for the investigation of an offence” that makes it broader.
    • Significantly, it dispenses with the condition precedent set under the Telegraph Act that requires “the occurrence of public emergency of the interest of public safety” which widens the ambit of powers under the law.
    • Under the IT Act, all electronic transmission of data can be intercepted.
      • For a Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act.
    • The Central government has authorised 10 agencies to intercept communications. 
      • These are Intelligence Bureau (IB), Narcotics Control Bureau (NCB), Enforcement Directorate (ED), Central Board of Direct Taxes (CBDT), Directorate of Revenue Intelligence (DRI), Central Bureau of Investigation (CBI), National Investigation Agency (NIA), Cabinet Secretariat (RAW), Directorate of Signal Intelligence (For service areas of Jammu and Kashmir, North East and Assam only) and Commissioner of Police, Delhi.

    Way Forward

    • In 2012, the Planning Commission and the Group of Experts on Privacy Issues were tasked with identifying the gaps in laws affecting privacy.
      • On surveillance, the committee pointed out divergence in laws on permitted grounds, “type of interception”, “granularity of information that can be intercepted”, the degree of assistance from service providers and the “destruction and retention” of intercepted material.
    • Although the grounds of selecting a person for surveillance and extent of information gathering has to be recorded in writing, the wide reach of these laws has not been tested in court against the cornerstone of Fundamental Rights.
    • There is a need for more debates on the issue in order to secure individuals’ right to privacy and to keep a check on the authoritative traits of governments trying to silence the people who raise their voices.

    • Pegasus is spyware that can be installed on devices running some versions of iOS (Apple’s mobile operating system) and on devices running on Android. 
    • It was developed by the Israeli cyberarms firm NSO Group.
      • NSO is a highly-regulated enterprise that provides government agencies an essential tool to monitor terrorists and criminals.
    • Functioning
      • It mainly uses Exploit Links for its working. Clicking on such links automatically installs Pegasus on the user’s phone. The method of Social Engineering is used.
        • In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. 
        • This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.
      • Once the spyware is installed, Pegasus can potentially harvest most of the data on the device including SMS, emails, WhatsApp chats, call logs, GPS data, contact lists and transmit it back to the attacker.
      • It can also activate functionalities such as camera, microphone, call recording, etc. to provide surveillance capabilities to the client.
    • An online database about the use of the spyware Pegasus was launched.
      • It was launched by Forensic Architecture, Amnesty International and the Citizen Lab to document attacks against human rights defenders.
      • It showed the connections between ‘digital violence’ of Pegasus and the threats faced by the lawyers, activists and other civil society figures.
    • Israel has established a commission to review allegations that the NSO Group’s Pegasus phone surveillance software was misused to assess whether the nation needs to make corrections.

    Source: IE