The Pegasus Project reports have unveiled systemic targeting of Indians, including 40 journalists, which is a direct attack on the people's Right to Free Speech as well as their fundamental Right to Privacy.
The Internet Freedom Foundation (IFF) verifies each and every statement the IT Minister Ashwini Vaishnaw made before the Parliament on Monday, 19 July, on the Pegasus Project revelations.
Denial of Indian Govt Using Pegasus for Surveillance
Claim: "Those reports had no factual basis and were categorically denied by all parties, including in the Supreme Court. The Press reports of 18th July, 2021 also appear to be an attempt to malign the Indian democracy and its well established institutions."
IFF Verifies: While the minister has not specified which Supreme Court matter he is referring to, the use of Pegasus on WhatsApp was brought up recently before the SC in Binoy Viswam v RBI and others, where the counsel for WhatsApp denied such claims. No government official or agency denied the claims before the SC. Further, the reports don't name the Indian government or any government official. The report only points out that "NSO Group, the Israeli company which sells Pegasus worldwide, says its clients are confined to ’vetted governments’, believed to be number 36. Though it refuses to identify its customers, this claim rules out the possibility that any private entity in India or abroad is responsible for the infections which The Wire and its partners have confirmed."
On the Number of Individuals Who Were Spied Upon
Claim: "The allegation is that individuals linked to these phone numbers were being spied upon."
IFF Verifies: The report states that over 300 verified Indian mobile telephone numbers are included in the leaked database. Out of these, in only 10 phones were clear signs of targeting by Pegasus spyware revealed.
On Whether Snooping Took Place
Claim: “The report itself clarifies that the presence of a number in the list does not amount to snooping."
IFF Verifies:This statement is true but it fails to mention that the same report contains the results of the technical analysis conducted by Amnesty International's Security Lab which has found evidence that Pegasus was used to target 10 phones .
On Unverified Statements Attributed to NSO
Claim: “Now let us examine what NSO, the company which owns the technology, has said. I quote: "NSO Group believes that claims that you have been provided with are based on misleading interpretation of leaked data from basic information, such as HLR Lookup services , which have no bearing on the list of the customers targets of Pegasus or any other NSO products . Such services are openly available to anyone, anywhere, and anytime, and are commonly used by governmental agencies as well as by private companies worldwide. It is beyond dispute that the data has nothing to do with surveillance or with NSO. So, there can be no factual basis to suggest that use of the data somehow equals to surveillance" .
IFF Verifies: The last two sentences of the statement above cannot be verified through media reports.
On Whether There Are Checks And Balances
Claim: “Any form of illegal surveillance is not possible with the checks and balances in our laws and our robust institutions. In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and states."
IFF Verifies: Surveillance by its very nature is illegal. Surveillance measures undertaken by the government , whether authorised by law or not, violate the fundamental rights of citizens including their right to free speech and right to free association under Article 19, and right to privacy under Article 21. All decisions relating to surveillance are taken within the Executive branch of government, and there are no parliamentary or judicial checks and balances. Surveillance of computer resources under the IT Act is not limited to national security, occurrence of public emergency or in the interest of public safety. In fact, no reasons are required to be provided for ordering surveillance under the IT Act .
On The Authority Responsible for Deciding Who May be Surveilled & Why
Claim: “Each case of interception or monitoring is approved by the competent authority."
IFF Verifies: The "competent authority" is an officer of the Executive branch of the government. The existence of a "competent authority" by itself does not provide Indians any protection against illegal surveillance.
On The Oversight Mechanism
Claim: "There is a very well-established oversight mechanism in the form of a review committee headed by the Union Cabinet Secretary. In case of a state government, such cases are reviewed by a committee headed by the Chief Secretary concerned. The law also provides an adjudication process for those people who are adversely affected by any such incident."
IFF Verifies: The review committee consists of officers of the Executive branch of the government. The oversight committee, to enable a working separation of powers , must consist of other branches of government , ie the legislative and the judiciary. Further, neither the IT Act , nor the 2009 Interception Rules provide a grievance redressal mechanism for surveilled persons . Further, due to the strict confidentiality provisions , surveilled persons will find it impossible to ascertain and prove whether they were being surveilled .
On The Longevity of Legal Provisions
Claim: "The framework and institutions have withstood the test of time."
IFF Verifies: Several writ petitions are pending before the Supreme Court challenging the constitutional validity of Section 69 of the IT Act and the 2009 Interception Rules. The Supreme Court in PUCL v Union of India laid down guidelines for wiretapping under the Telegraph Act, 1885. There have also been several sustained calls for surveillance reform from civil society organisations.
Concluding Remarks About Individuals Surveilled Using Pegasus
Claim: "In conclusion, I humbly submit that: 1. The publisher of the report states that it cannot say if the numbers in the published list were under surveillance."
IFF Verifies: The publisher of the report has, in detail, shown how a small number of numbers from the published list have shown evidence of being targeted via the Pegasus software with the help of a technical analysis conducted by Amnesty International's Security Lab which was confirmed by CitizenLab in a peer review.
Concluding Remarks About Protecting Fundamental Rights
Claim: " In conclusion, I humbly submit that : ... 3. And the time-tested procedures of our country are well established to ensure that unauthorised surveillance cannot occur.
IFF Verifies: Indian law does not provide a grievance redressal mechanism to the victim of unauthorised surveillance, nor does it provide sufficiently clear and detailed punitive measures for the perpetrators of unauthorised surveillance. The IT Act and rules made thereunder are ill-equipped to prevent and punish unauthorised surveillance.
(Internet Freedom Foundation is an Indian non-governmental organisation that conducts advocacy on digital rights and liberties. IFF files petitions and undertakes advocacy campaigns to defend online freedom, privacy, net neutrality, and innovation.This piece has been reproduced after taking permission from the author/ organisation. The Quint neither endorses nor is responsible for the views expressed.)