Written by Anubhav Seth
Human rights groups have been stressing for years about the proliferation and misuse of commercial spyware, as well as the necessity for stringent controls on the sale of such technologies to deliver compliance with international human rights law.
A group of international news organisations published investigation findings on July 18 and 19 alleging that Israeli business NSO Group’s Pegasus spyware was being used to monitor the phones of a wide range of public figures around the world. According to reports from the Pegasus Project, which comprises The Wire in India, The Guardian in the United Kingdom, and The Washington Post in the United States, at least 40 journalists, Cabinet Ministers, and constitutional officials in India may have been subjected to espionage.
More than 50,000 phone numbers might have been tracked by governments using Pegasus. According to Human Rights Groups, the use of NSO Group’s malware, as reported by Citizen Lab, has been linked to government efforts to suppress journalists, activists, and independent thinkers in a number of countries.
These findings sparked outrage in India, where the Modi Government was accused of planning surveillance strategies targeted at political figures, constitutional bodies, journalists, and activists. Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE) are just a few of the countries that have been recognized as possible NSO clients.
WHAT IS PEGASUS?
NSO Group, based in Israel, is the private developer and seller of Pegasus. Pegasus is inadvertently installed on people’s phones. It gains access to an infected device’s camera, microphone, and text messages, enabling surveillance of the individual targeted and their contacts.
This surveillance has a detrimental impact on advocates and journalists who may self-censor out of anxiety of being watched, as well as sources, including abuse victims, who are afraid of being watched and losing their anonymity if they share information with journalists and human rights organisations. Information obtained through arbitrary surveillance can be used to prosecute or detain human rights defenders or dissidents, and to monitor and harass those who might dare to stand in the way of government officials or powerful figures.
WHAT DOES THE INTERNATIONAL HUMAN RIGHTS LAW OUTLINE?
International human rights law establishes a right to privacy and bars arbitrary or unlawful infringements on the right. Restrictions on privacy are only permissible if they are necessary and proportionate to achieve a legitimate purpose, and provided for in law.
Pegasus spyware has been used to legally or unjustly spy activists and journalists, encroaching upon their privacy rights, undermining their freedom of expression and association, and jeopardizing their safety and life.
WHAT DO INDIAN LAWS OUTLINE?
The Indian Telegraph Act, 1885, states that the government has the power to intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states, or public order, or for preventing incitement to the commission of an offence.”
Rule 419A of the Indian Telegraph Rules, 1951, details the operating process and processes. In the People’s Union for Civil Liberties (PUCL) vs Union of India case in 1996, the Supreme Court observed that telephonic conversations are protected by the right to privacy, which can only be violated if specified procedures are followed, following which Rule 419A was added to the Telegraph Rules in 2007.
According to Rule 419A, Surveillance requires the approval of the Home Secretary at the central and state levels, but under “unavoidable circumstances,” the same can be approved if Joint Secretary or officers higher obtain the Home Secretary’s permission.
The Supreme Court underlined the need for overseeing the surveillance in the 2017 K.S. Puttaswamy versus Union of India judgment, emphasizing that it must be legally valid and serve a legitimate goal of the government. The court also stated that the methods used should be commensurate to the need for surveillance and that mechanisms should be in place to prevent any surveillance misuse.
Section 69 of the Information Technology Act of 2000, which deals with electronic surveillance, is another provision that allows for surveillance. It allows the government to “intercept, monitor, or decrypt any information through any computer resource” if it is in the interest of “India’s sovereignty or integrity, defence, security, friendly relations with foreign states, or public order,” or to prevent or investigate any cognizable offence.
Further, The Information Technology (Procedure and Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, outline the procedure for electronic surveillance authorized by Section 69. The use of Pegasus, being unauthorized access under Section 66 is illegal under Information Technology Act, and anyone who gains unauthorized access to computers and “downloads, copies, or extracts any data,” or “introduces or causes to be introduced any computer contaminant or computer virus,” as specified in Section 43, would be punished under Section 66.
WHAT IS THE CURRENT STATUS?
A petition has been filed at the Supreme Court asking for an impartial investigation into reports of spying by a sitting or retired judge. The matter has been posted for hearing on August 16 by CJI NV Ramana. Over 300 verified Indian mobile phone numbers have been reportedly targeted, including those of two ministers, nearly 40 journalists, three opposition leaders, numerous business people, and activists in India. However, it has not yet been confirmed that all of the phones were hacked. Furthermore, President Ram Nath Kovind has also been requested to intervene in the matter.
So far, the Union Government has refuted espionage allegations, claiming that any undercover surveillance is carried out in compliance with stringent regulations and supervision.
Presently there is no law prohibiting the Centre from obtaining spyware like Pegasus. Under section 69 of the IT Act, the government can monitor only under restricted instances, the government, however, cannot employ spyware in even those situations. Spyware is the same as hacking into communication equipment. It copies data and sends it to an external device without the consent or knowledge of the person who is being monitored. These are typical offences under Sections 66 and 43 of the IT Act. Spyware cannot be brought within the scope of legal interception under Section 69.
Sadly, it has become apparent that certain aspects of the rule of law and the separation of powers have been completely hijacked. Since privacy is a cornerstone of the fundamental Right to Life, the allegations must be examined. It can only be taken away through a legal procedure authorized by law. Presently, the government can only intercept under Section 69 of the Information Technology Act and for only certain limited grounds. Considering that the use of spyware is unauthorized under law, using malware like Pegasus is viewed as a form of cybercrime.
India has been vulnerable to tremendous cyberattacks against its civilians, citizens who incarnate democracy and the rule of law. No parliamentary or judicial supervision exists in the world’s greatest democracy when it comes to surveillance or data collection on its inhabitants. Nobody should underestimate the gravity of the threat to democracy and its implications. The government is responsible for safeguarding us against outsiders spying on us, whether wholesale or retail and must submit its own domestic digital monitoring to the rule of law. This is illegal in every sense of the word, and the government has failed miserably.
India urgently requires surveillance reform and control of its intelligence and police forces. Countries such as the United Kingdom, from which we inherited these laws, have amended their surveillance laws and implemented a multi-layer monitoring system. Internal systems, as well as judicial and parliamentary oversight, are in place. The Prime Minister of the United Kingdom appoints members of Parliament’s Intelligence and Security Committee from all political parties.
An Act of Parliament now defines and charters all intelligence agencies with surveillance powers. As a modern and constitutional country, it is high time for India to do the same. India needs a data protection law with sufficient checks and balances on the government’s access to data. Parliament must enact a privacy law as quickly as possible in accordance with the Supreme Court’s right to privacy ruling.
Governments should put an immediate halt to the sale, export, transfer, and use of surveillance technologies until appropriate human rights safeguards are in place. They should also reveal any existing deals or such technology usage if taking place. The sale, export, and transfer of surveillance technology should be permitted to restart only after states have put in place enforceable legislative frameworks that necessitate human rights due diligence and prohibit surveillance technology from reaching governments that lack human rights protections.
The use of any surveillance technology must be controlled by domestic laws that allow it to be used only in line with international human rights norms of legality, necessity, proportionality, and legitimacy of objectives.
Governments should amend current laws that impede effective remedies for victims of unlawful surveillance and ensure that victims have access to both judicial and non-judicial options for seeking redress for the harms that surveillance technologies may have caused. Governments that have demonstrated a propensity to abuse technology and a disdain for human rights should be placed on a “no sale” list.
The procurement of surveillance technology by law enforcement in any country should require the same to be carried out in a transparent way so that it can be subject to public debate. To promote accountability, competent experts affiliated with the UN and regional human rights bodies should monitor and examine government use of spyware and the sales of such spyware by companies, and report to member states about abuse committed using such spyware.
 (1997) 1 SCC 301
 (2017) 10 SCC 1
About the Author
Student at Vivekananda School of Law and Legal Studies, VIPS.
He traces his academic roots from majoring in CBSE Class XII Commerce from Lancers Convent Senior Secondary School, Delhi. His areas of interest and research work are Constitutional Law, Criminal Law, Corporate Law, Intellectual Property Rights, and International Laws.
Read the Previous Article