A global collaborative investigative project has discovered that the Israeli spyware Pegasus was used to target thousands of people across the world.
In India, at least 300 people are believed to have been targeted, including two serving Ministers in the government, three Opposition leaders, several journalists, social activists and business persons.
What is Pegasus?
- All spyware does what the name suggests: it spies on people through their phones.
- Pegasus works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
- A worrying aspect that has been revealed is the ability of the spyware to infect a device by a ‘zero-click’ attack, which does not require any action from the phone’s user.
A ‘Black Hole’ with no escape
- What makes Pegasus really dangerous is that it spares no aspect of a person’s identity.
- It makes older techniques of spying seem relatively harmless.
- It can intercept every call and SMS, read every email and monitor each messaging app.
- Pegasus can also control the phone’s camera and microphone and has access to the device’s location data.
- The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
Dysfunctions created by Pegasus
Privacy breach: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy under Article 21 and the exercise of free speech under Article 19.
Curbing Dissent: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 as well, Pegasus software was used to hack into the phones of human rights and Dalit activists.
Individual safety: In the absence of privacy, the safety of journalists, especially those whose work criticizes the government, and the personal safety of their sources is jeopardised.
Self-Censorship: A constant fear of espionage may grip individuals. This may impact their ability to express, receive and discuss ideas.
State-sponsored mass surveillance: The spyware coupled with AI can manipulate digital content in users’ smartphones. This, in turn, lets a distant controller polarize their opinions.
National security: The potential misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands.
Snooping in India: Legality check
For Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act. Communication surveillance in India takes place primarily under two laws:
- Telegraph Act, 1885: It deals with interception of calls.
- Information Technology Act, 2000: It was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.
Cyber security safeguards in India
- National Cyber Security Policy: The policy was developed in 2013 to build secure and resilient cyberspace for India’s citizens and businesses.
- Indian Computer Emergency Response Team (CERT-In): The CERT-In is responsible for incident responses including analysis, forecasts and alerts on cybersecurity issues and breaches.
- Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the I4C to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.
- Budapest Convention: There also exists the Budapest Convention on Cybercrime. However, India is not a signatory to this convention.
The bigger question: Government Involvement
It is worth asking why the government would need to hack phones and install spyware when existing laws already offer impunity for surveillance. The wide array of victims clearly brings the central government and its role into question.
In the absence of parliamentary or judicial oversight, electronic surveillance gives the executive the power to influence both the subject of surveillance and all classes of individuals, resulting in a chilling effect on free speech.
Is Right to Privacy a myth?
- Only in such exceptional circumstances, however, can an individual’s right to privacy be superseded to protect the national interest.
- In today’s times, when fake news and illegal activities such as cyber terrorism on the dark web are on the rise, the importance of reserving such powers to conduct surveillance cannot be undermined.
What should be the basis for surveillance?
The existing provisions are insufficient to protect against the spread of authoritarianism since they allow the executive to exercise a disproportionate amount of power.
- There should be some reasonable basis or some tangible evidence to initiate or seek approval for interception by State authorities.
- Any action without such evidence or basis would be struck down by courts as arbitrary, or invasive of one’s right to privacy.
- Any digression from the ethical and legal parameters set by law would be tantamount to a deliberate invasion of citizens’ privacy and make India a surveillance state.
Solution lies in Judicial Oversight
Surveillance reform is the need of the hour in India.
- Judicial oversight over surveillance systems in general, and a judicial investigation into the Pegasus hacking in particular, is essential.
- Only the judiciary can be competent to decide whether specific instances of surveillance are proportionate, whether less onerous alternatives are available, and to balance the necessity of the government’s objectives with the rights of the impacted individuals.
- Not only are existing protections weak, but the proposed legislation on personal data protection fails to consider surveillance while also providing wide exemptions to the government.
Way forward
- The security of a device becomes one of the fundamental bedrocks of maintaining user trust as society becomes more and more digitized.
- There is an urgent need to take up this issue seriously by constituting an independent high-level inquiry with credible members and experts that can restore confidence and conduct its proceedings transparently.
Conclusion
- We must recognize that national security starts with securing the smartphones of every single Indian by embracing technologies such as encryption rather than deploying spyware.
- This is a core part of our fundamental right to privacy.
- This intrusion by spyware is not merely an infringement of the rights of the citizens of the country but also a worrying development for India’s national security apparatus.