Pegasus Spyware Revelations

In Context 

A year has passed since the disclosures about the Pegasus Project revealed the threat to India’s democracy.

What is Pegasus?

• It was developed by the Israeli firm NSO Group that was set up in 2010.
• It can not only mop up information stored on phones such as photos and contacts, but can also activate a phone’s camera and microphone and turn it into a spying device without the owner’s knowledge.
• The earliest avatars of Pegasus used spear phishing to enter phones, utilising a message designed to entice the target to click on a malicious link. 
  • However, it evolved into using “zero-click” attacks wherein the phones were infected without any action from the target individual.
• It can also be delivered through a nearby wireless transmitter, or manually inserted if the target phone is physically available. 
• It had been used in some of the “most insidious digital attacks” on human rights activists in the world.

Pegasus revelations in India

• The report appeared in July 2021 from the Pegasus Project said that in India, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance using Pegasus.
  • According to The Guardian, Amnesty International’s Security Lab tested 67 of the phones linked to the Indian numbers in the database and found that “23 were successfully infected and 14 showed signs of attempted penetration”.
• A report by The New York Times in January, 2022 stated that ‘India has bought Pegasus in 2017 as part of a $2-billion’ defence package. 
  • India has been aware of the existence of Pegasus since October 30, 2019 when WhatsApp confirmed that the spyware has been used to exploit a vulnerability in its platform to target activists, academics, journalists and lawyers in India.
    • Since then, NSO has been able to advance its technology, and Pegasus can now infect devices without any action on the user’s part. 

Response of Government 

•  In the wake of the Pegasus Project revelations, several petitions were filed with the Supreme Court alleging that the government had indulged in mass surveillance in an attempt to muzzle free speech and democratic dissent. 
• The Indian government has so far neither confirmed nor denied that it has deployed Pegasus for any operation.

Judicial response

• The Supreme Court will be hearing the case pertaining to the alleged use of the Pegasus spyware software later this month. 

• The matter first reached the apex court in October 2021 and it constituted a committee, overseen by former Supreme Court judge Justice R.V Raveendran, to look into the charges and accordingly submit a report “expeditiously”.

What do Indian laws outline?

•  Indian Telegraph Act, 1885
  • Section 5(2) of The Indian Telegraph Act, 1885, states that the government can intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence”.
  • Rule 419A: The operational process for it appears in Rule 419A of the Indian Telegraph Rules, 1951. 
    • Rule 419A was added to the Telegraph Rules after the verdict in the People’s Union for Civil Liberties (PUCL) vs Union of India case, in which the Supreme Court said telephonic conversations are covered by the right to privacy, which can be breached only if there are established procedures.

• The second legislation enabling surveillance is Section 69 of the Information Technology Act, 2000. 
  • It facilitates government “interception or monitoring or decryption of any information through any computer resource” if it is in the interest of the “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign States or public order” or for preventing or investigating any cognisable offence. 
  • The procedure for it is detailed in the Information Technology Rules, 2009.
    • These rules are very broad and allow even the redirection of traffic to false websites or the planting of any device to acquire information. 

• The use of Pegasus is illegal as it constitutes unauthorised access under Section 66 of the Information Technology Act. 

• Section 66 prescribes punishment to anyone who gains unauthorised access and “downloads, copies or extracts any data”, or “introduces or causes to be introduced any computer contaminant or computer virus,” as laid down in Section 43.

Concerns /Challenges

• Under India’s constitutional scheme, the legislature is responsible for holding the executive accountable. However, practice has failed to match principles. 
• The Information Technology Act, 2000 and the Indian Telegraph Act 1885 which empower the Government to concentrate surveillance powers in the hands of the executive, and do not contain any independent oversight provisions, judicial or parliamentary.
  •  These legislations are from an era before spyware such as Pegasus were developed, and, thus, do not respond to the modern-day surveillance industry.
• Unfortunately, legislative proposals by the Union Government for surveillance reform do not exist. 
• The proposed data protection law does not address these concerns despite proposals from members of the Joint Parliamentary Committee
  • Instead, the proposed law provides wide exemptions to the Government relating to select agencies from the application of the law; one which might be used to exempt intelligence and other law enforcement agencies. 
    • This gap in the surveillance framework has led to severe harm being caused to India’s democratic ideals.
• The Freedom House ‘Freedom in the World’ report — it tracks global trends in political rights and civil liberties — changed India’s status from ‘free’ to ‘partly free’ in 2021. 
  • It has cited the alleged use of Pegasus on Indian citizens as one of the reasons for the downgrade.

Conclusion and Way Forward 

• In the K.S. Puttaswamy vs Union of India verdict of 2017, the Supreme Court further reiterated the need for oversight of surveillance, stating that it should be legally valid and serve a legitimate aim of the government.
• The executive must refrain from taking steps that have arbitrary use of power.

• Government must adhere to transparency and openness, which are celebrated values under our Constitution

• An overhaul of surveillance laws is necessary to prevent the indiscriminate monitoring of people and entities by the state and private actors. 
• It is critical to maintain secure communications including calls and messages that are not vulnerable to Pegasus and other malware. 
  • Secure calls and messages will ensure secure communication even when spyware infiltrates phones and one is “under mobile surveillance.”