What the WhatsApp-Pegasus Row Says About India’s Surveillance Laws
The targeted nature of attacks will have a chilling effect on rest of the population, and stifle free speech.
Over the last two days, we have seen news reports of the WhatsApp accounts of human rights defenders, Dalit journalists, academics, and even politicians being targeted and subjected to “surveillance” through the use of Israeli software, Pegasus.
I use the term surveillance in air quotes, because the attack seems to have been in the nature of illegal hacking, rather than legally sanctioned surveillance.
The Indian Information Technology Act, 2000 distinguishes between acts of surveillance and hacking. Surveillance comprises of acts of interception, monitoring, or decryption and is permitted, and regulated, under Section 69 of the Act.
On the fulfilment of certain pre-conditions, the government (and only the government) can place certain individuals under targeted surveillance. Both under the Telegraph Act, 1882 and the IT Act, 2000, private actors are prohibited from conducting surveillance operations.
It is worthwhile to remember that the constitutionality of the present legal regime authorising surveillance has been challenged, and is pending before the Supreme Court.
Conversely, hacking is completely prohibited under the IT Act. Under Section 43 read with Section 66, the unauthorised intrusion into a person’s computer system/resource/network, whether by the government or private entity, is a criminal offence.
There is then, no national security (“security of the State”) justification for hacking.
What has happened in the Pegasus case seems to be exactly this – through a missed video call, Pegasus was installed without the target’s knowledge, and all the target’s private data was sent back. Even the phone camera and microphone could be switched on remotely.
The NSO Group has reportedly stated that it only sells the Pegasus spyware to government agencies, although the Indian government has denied any responsibility for the security breach. Instead, it has asked WhatsApp to respond and explain the breach by 4 November.
It is unlikely that we will ever know the entire picture. Regardless of that, however, the WhatsApp-Pegasus story raises a lot of important questions.
First and foremost, if it is true that the government has (mis)used this spy software to track the activities of its biggest critics, it is a blatant violation of the IT Act, amounting to illegal surveillance and/or hacking, and a complete disregard for the Puttaswamy nine judge bench’s ringing endorsement for the right to privacy.
The targeted nature of attacks will have a chilling effect on the rest of the population, and further stifle free speech.
Shortcomings of Data Protection in India
Second, it highlights the need for a data protection law, with a separate chapter on surveillance. The current Data Protection Draft Bill that was released by the Justice Srikrishna Committee, unfortunately, fails to engage with the contested issue of surveillance reform.
Under the current surveillance regime, mere executive authorisation with executive oversight is sufficient to engage in targeted surveillance, if it is, among other things “in the interest of …security of the State”.
The manner in which the victims of this attack have been targeted raises concerns about empowering the state to use its legal and financial resources to place dissidents/critics/activists/human rights defenders under surveillance, without any independent oversight and accountability.
Surveillance, by its very nature, is a covert and secretive operation. Added to this mix is the fact that our intelligence agencies have absolutely minimal to non-existent accountability.
India’s premier agencies such as the IB, R&AW, CBI have not been formed pursuant to any law, and are not subject to any parliamentary oversight. The activities of their agents thus remain in the realm of shadows.
In fact, had the victims of the Pegasus attack not been informed about the vulnerabilities in their phone by WhatsApp, in all likelihood, they would have remained unaware about the same. This secretive nature of surveillance thus places real limits on the kind of relief most targets of surveillance can seek; and makes the requirement for judicial oversight even more compelling.
Puttaswamy gave judicial recognition to the right to privacy, but left its contours and the contentious issue of balancing privacy and security concerns undecided.
The right to privacy has to be fleshed out through a data protection law such that the obligations of data controllers such as WhatsApp and Facebook, and their consequent legal liability, are made clear.
Just Another Case of Trampling of Rights?
Finally, the WhatsApp-Pegasus saga also relates to the ongoing debate about traceability and the government view that WhatsApp and other intermediaries should not be permitted to run end to end encryption, without providing the government with a de-encryption key whenever required.
The draft IT Intermediaries Guidelines (Amendment) Rules, 2018 requires the “Intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.”
These guidelines raise serious concerns about potential privacy violations, the sceptre of misuse, and the fact that once a backdoor is created in these hitherto secure technologies, it can be exploited by bad actors. These issues will now be examined by the Supreme Court in January 2020.
The Supreme Court is already hearing the constitutionality of the surveillance regime, and a challenge to the Intermediary Guidelines, when they are notified is almost certain.
However, given the past record of the court on these issues; the fact that these cases take years to get litigated; and that the law, in general, permits the admissibility of illegally obtained evidence; means that remedy may be more political, than legal.
Either way though, unless swift action is not taken, this will be just another chapter in the continuing trampling of fundamental rights of citizens by successive governments.
(Vrinda Bhandari is an Advocate in Delhi. She is also a volunteer with SaveOurPrivacy.in and helped in drafting the model India Privacy Code, 2018. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)
(The Quint is available on Telegram. For handpicked stories every day, subscribe to us on Telegram)
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.