Pegasus Attack: Did Govt’s Alleged ‘Spying’ Comply With IT Act?
The question is: why would govt ask WhatsApp for details if it ‘directed’ surveillance in compliance with law?
The reported surveillance of targeted individuals through Pegasus, a sophisticated spyware made by Israeli company NSO, raises several questions in so far as it relates to the Indian targets.
While one can only speculate whether the Pegasus surveillance was at the behest of the Indian government, the question is not whether the Indian government could conduct surveillance but rather whether the use by the Indian State of NSO, a foreign entity, to conduct surveillance of Indian citizens within India, using malware, would comply with the IT Act and its relevant rules.
IT Act & What State Surveillance Is Subject To
As a general rule, online surveillance by the state is allowed subject to compliance with a defined process which mandates prior authorisation by an order issued by a competent authority, and compliance with the safeguards which are set out under rules notified under Section 69 of the Information Technology Act, 2000, known as the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
Warrantless surveillance is also allowed under Indian law, subject to the safeguards prescribed under these rules. The IT Act Rules are largely similar to Rule 419A of the Indian Telegraph Rules, 1951, which was inserted in 2007 further to an earlier 1996 Supreme Court case, PUCL v Union of India, in which the Supreme Court set out certain guidelines governing state surveillance activities. State surveillance is accordingly subject to approval by senior designated bureaucrats, not below the rank of joint secretary or, in emergency cases, not below the rank of inspector general of police. State surveillance can only be put in place with prior approval or, in emergent cases, with subsequent approval within three days from the commencement of surveillance, and under the IT Act can continue for 60 days, extendable up to a period not exceeding 180 days.
Israeli ‘NSO’ Is Not Subject to Indian Laws
Clearly, NSO, as an Israeli company, is not subject to Indian law or to the safeguards, and the penalties for violating them, that Indian law prescribes. NSO is in fact charged by WhatsApp with having gained unauthorised access to the WhatsApp network to access the mobile devices of individuals, with the objective of intercepting and accessing information. The court papers filed by WhatsApp against NSO in the California District Court reveal that all material accessed by NSO by installing the Pegasus ‘remote access trojan’ program on individual devices, using WhatsApp’s resources, was received by NSO on servers set up and maintained by NSO, and subsequently provided to NSO's clients. According to the Israeli spyware maker, it only works with governments. That is, its only clients are governments, as per NSO’s statement.
The rules under the IT Act do empower the Indian government to issue directions to “intermediaries” or “decryption key holders” in India, to enable surveillance. In this case, WhatsApp would have been the “intermediary” or the decryption “key holder”. Clearly, NSO does not fall within the definition of the entities which could have been ‘directed’ by the government to conduct surveillance. It would not be an overstretch to argue that the IT Act and Rules do not empower the Indian government to direct private entities to gain illegal access to information systems to conduct surveillance.
Concerns Raised Amid Pegasus Surveillance Scare
Further, it is of concern that NSO itself apparently had access to intercepted communications, and is arguably not subject to the specific safeguards prescribed under the IT Act, 2000, which requires intermediaries to put in place adequate and effective internal checks to ensure that unauthorised interception of messages does not take place.
The second concern is the extent and length of the NSO surveillance activity, given that the IT Act and the relevant rules require a Review Committee to review its interception directions at least once in two months. The rules also require the destruction of intercepted messages within two months of discontinuation of interception by the service provider.
While each day brings more revelations of NSO’s activities, the onus will be on the Indian government to clarify that any surveillance of Indian citizens, if conducted at the behest of the government, has complied with the requirements of Section 69 of the IT Act and its Rules. The Indian government’s notice to WhatsApp to provide details further raises questions: why would the government need to ask for details if it had ‘directed’ surveillance activities in compliance with its existing legal powers?
(Ameet Datta is a Partner with law firm Saikrishna & Associates. Ameet is a litigator with specialization in the technology, media & entertainment sectors and also advises on allied areas such as format rights, defamation and right of publicity, privacy and data protection issues. He tweets @DattaAmeet. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)