Pegasus Spyware: Indian government seems to hold no one accountable for the illegal act.
Image: The Quint
No one deployed Pegasus. Just like no one is responsible for the attack on JNU students in 2020, or the deaths of thousands in 2021 from lack of medical help.
While there has been no categorical denial from the Union government that over 300 Indian mobile telephone numbers were targeted by the Pegasus spyware, the responses on 18 and 19 July as well as in 2019 seem to hold no one accountable for the illegal act.
According to a report on Sunday, 18 July by The Wire, Pegasus – a spyware made by the Israeli cyber weapons company the NSO Group - had purportedly been used to spy on at least 300 Indian phone numbers, including those of over 40 senior journalists, opposition leaders, government officials, Constitutional appointees, and rights activists.
According to news agency ANI, the government, in an unsigned letter, has responded to Sunday’s newsbreak stating “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”.
The response appears insufficient and vague, especially in light of repeated assertions made by the NSO Group that it sells exclusively to vetted government clients and law enforcement agencies.
“There is no dispute the alleged use of Pegasus to message 1400 foreign WhatsApp users in April and May 2019 was done by sovereign governments in foreign countries,” the NSO Group had submitted before a US Court in May 2020.
Therefore, this piece aims to breakdown the ongoing Pegasus ‘snoopgate’ step-by-step into its core issues and seek answers that a democratically elected and accountable administration ought to provide regarding developments as serious and concerning as this.
Hacking into an electronic device is a crime in India. There are no exceptions even if the hacking has been government-directed. The Pegasus spyware cannot be deployed without remotely hacking into the targeted individual’s phone.
In India, hacking a device is a criminal offence under Section 43 of the Information Technology Act. The Internet Freedom Foundation, in a blog on 19 July, points out the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices.
“What NSO and Pegasus does is definitely an example of illegal hacking. That provision has no exception for government,” explained Raman Singh Chima, policy director at digital rights organisation Access Now, in an extensive interview with The Quint in 2019.
Therefore, the government’s response that “no unauthorised interception by government agencies,” does not hold up.
Will the government initiate a criminal investigation into this illegal act?
The government, in its lengthy response to the questionnaire sent by the global collaborative investigation called the ‘Pegasus Project’ has not categorically denied that the phones of over 300 individuals in India was targeted by the spyware.
The reply only seeks to dispute questions around the government’s role in the attack. The response also states that the news report is “based on conjectures and allegations to malign Indian democracy and its institutions.”
Despite not refuting that the mobile devices of Indians could’ve been subjected to illegal hacking and spying, there is no mention of any steps taken to find the culprits and bring them to justice for a serious criminal offence. Despite the news of the Pegasus attack on over 120 human rights activists breaking in October 2019, there has been no headway in over two years.
Will the government be able to provide concrete answers in Parliament as to who deployed Pegasus? And who dealt with the NSO Group in procuring the cyber weapon?
The government’s responses in 2019 as well as on 18 July, 2021, refer to legislative actions taken by it to safeguard the data privacy of citizens. Sunday’s response once again refers to the Personal Data Protection Bill that was drafted in 2018 and introduced in Parliament in December 2019.
It is vital to note that the Personal Data Protection Bill does not include any surveillance reforms. There is a lack of legislative or institutional oversight within the provisions of the Bill when it comes to surveillance carried out by the State.
Instead, Clause 14 of the Bill provides wide exceptions for processing of publicly available personal data without consent for “reasonable purposes” – a move that has been criticised for its power to profile individuals and their sentiment on specific issues.
Similarly, the recent IT Rules, 2020, have also been cited in the response shared on Sunday. These rules have been challenged by almost a dozen petitioners in various High Courts across the country. The requirement of messaging apps to identify the first originator of a message has specifically been challenged by WhatsApp on grounds that it breaks encryption, undermines privacy and can lead to invasive surveillance.
Will the government stop using false assurances of the PDP Bill and IT Rules, 2020 to respond to issues of state surveillance?
Pegasus, as a cyber weapon used as a blunt instrument of spying on people by extracting information from hacked phones, is deeply abusive given Indians enjoy the fundamental right to privacy. However, the use of Pegasus is one aspect of an increasing net of surveillance technology in India. In a shocking revelation by the Washington Post in February 2021, Key evidence against a group of Bhima Koregaon accused was planted on a laptop seized by police. According to the news report, a thorough forensic investigation by an independent US-based company revealed, “An attacker used malware to infiltrate a laptop belonging to one of the activists, Rona Wilson, before his arrest and deposited at least 10 incriminating letters on the computer…”.
Human rights activists, including those accused of Bhima Koregaon violence and plots to overthrow the government, have especially been targeted. While Pegasus can extract information from a phone, evidence suggests false incriminating documents have also been planted in the devices of those critical of the government.
Will the government clarify the steps it has taken to find out whether the police or other law enforcement agencies have been involved in such blatant abuses of privacy of citizens?
The Centre’s surveillance projects such as CMS, NETRA and NATGRID have been challenged by the Software Freedom Law Centre India at Delhi High Court. In its statement SFLC India states that these projects violate the right to privacy under the Indian Constitution and “Under the said surveillance projects, the internet traffic of every citizen would be subjected to interception and surveillance by the government.”
Moreover, on 20 December 2018, the Union Home Ministry, in an order authorised 10 agencies wide surveillance powers “for the purposes of interception, monitoring and decryption of any information generated, transmitted, received or stored in any computer resource…”.
Will the government clearly state whether it plans to undertake steps to limit lawful surveillance in order to protect Indian citizens’ fundamental right to privacy under Article 21 of the Constitution?
(Sushovan Sircar is an independent journalist who reports on technology and cyber policy developments. His reports explore stories at the intersection of internet and society, covering issues of privacy, surveillance, cybersecurity, India’s data regime, social media and emerging technologies. He tweets @Maha_Shoonya. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)