If Modi Government Isn't Snooping on Us, Who Else Unleashed Pegasus?

“I’m surprised,” wrote one of the many dozen friends who reached out after news broke of the “Pegasus Project.” “I’m surprised,” she added, “that people are surprised.”

Hers was a widespread reaction—too many Indians are inured to the idea that they are being eavesdropped upon, and that every government agency is keeping tabs of their conversations, transactions and relationships.

Still, the fact that Pegasus spyware for tracking terrorists and criminals, that is only sold by the Israeli firm NSO Group to “vetted governments”, was used in attempted and successful hacks of smartphones belonging to journalists, human rights activists, business executives and politicians (and at least one “constitutional authority”), ought to concern us, whether or not we are surprised.

The implication that the government has been snooping on its own citizens, including many going about their lawful business, is, however, very serious. We are a democracy where the rule of law prevails; while no one would object to the government intercepting communications to track terrorists or prevent crimes, private citizens—including opposition politicians—enjoy a fundamental right to privacy, as affirmed by the Supreme Court in the Puttaswamy judgement.

For the ruling party to use Pegasus to obtain information on its political opponents—as the targeting of Rahul Gandhi or Prashant Kishor suggests—would not just be unethical but a misuse of taxpayers’ money for partisan political purposes. It would also, as I explain below, be illegal.

An investigation by The Washington Post and 16 media partners, including India’s The Wire, established that at least 37 smartphones (that were actually forensically examined) appeared on a list of more than 50,000 numbers that seemed to constitute a database of actual or potential surveillance targets.

Forbidden Stories, a Paris-based journalism non-profit organisation, and the global human rights group Amnesty International, whose Security Lab conducted the forensic analyses on the smartphones, shared the list with the news organisations, which did additional research and analysis. Since a large number of countries are affected, the controversy has spread worldwide.

In India, the government has declared that there is no substance to the story, “only sensationalism”. Information Technology Minister Ashwini Vasihnaw—ironically, himself a one-time target of Pegasus—has stated that any form of illegal surveillance isn't possible in India, given the checks and balances in our laws and procedures. Under our robust institutions, there is a well-established procedure through which lawful interception of electronic communications is carried out for the purposes of national security.

The Indian government has the power to surveil, monitor and decrypt communications, but hacking is a crime in India. Section 5(2) of the Indian Telegraph Act, 1885 and Section 69 of the Information Technology Act, 2000 (IT Act) allow for the interception of telephone communications and electronic data in the interests of the sovereignty and integrity of India, the security of the state, friendly relation with foreign states or public order or for preventing incitement to the commission of an offence.

However, the exercise of this power was restricted after the Supreme Court issued guidelines in 1996 in PUCL v Union of India, to make up for the lack of procedural safeguards in the Act. The Court decreed that interception can only be ordered by the Home Secretary or home secretaries of State Governments, that these must be sent to a Review Committee within one week, with the details on number of persons intercepted, and that the period of interception may be permitted for two months, and can be renewed, but not beyond 6 months.

The role of the Review Committee was codified under Rule 419A of the Indian Telegraph Rules, 1951. In relation to the Central Government, the Review Committee consists of: The Cabinet Secretary, the Law Secretary, and the Information Technology Secretary.

There is an important catch here: hacking is against the law in India, except if the government invokes a national security exception, which, to my knowledge, they have not done. Hacking is a criminal offence under the Information Technology Act. As per Section 43 read with Section 66, unauthorized access to a computer device, computer resource, computer network can attract imprisonment up to 3 years or a fine which may extend to 5 lakh rupees, or both.

Taking control of devices or hacking them through spyware or malware is clearly a gross violation of the right to privacy recognised by the Supreme Court. Surveillance using a spyware tool like Pegasus would be illegal unless those who have done it can demonstrate otherwise.

This is why I have called for an independent investigation of the entire Pegasus affair.

But NSO has also admitted that it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence-gathering activities using Pegasus. If the Government of India did not deploy Pegasus against Indian citizens, and NSO only sells it to governments, then it can only mean that some other government(s) are snooping on us. Surely that alone warrants a serious, thorough and impartial investigation.

National security, and national self-respect, demands no less.

(Dr Shashi Tharoor is a third-term MP for Thiruvananthapuram and award-winning author of 22 books, most recently ‘The Battle of Belonging’(Aleph). He tweets @ShashiTharoor. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)