By Apar Gupta and Vrinda Bhandari
That spyware was installed in mobile phones of some Indian citizens – those targeted included journalists, politicians, activists, ministers and even a Supreme Court judge – is not really disputable.
Reports on such surveillance are credible for multiple reasons. First, they are a part of an international collaborative investigation by Paris-based media non-profit Forbidden Stories and Amnesty International. Second, these findings have been vetted by 16 media entities from across the world. Finally, the technical analysis on smartphones that confirms the presence of the spyware and its methodology was undertaken by the reputed Citizen Lab, housed at the University of Toronto.
Of course, these disturbing revelations are not wholly novel. They are the second tranche of information on the Pegasus spyware manufactured by Israeli company NSO Group. And even a quick glance at facts available raises many questions.
According to NSO, this spyware is sold only to governments to investigate and prevent terrorist and national security incidents. Even applicable regulations cited by them require approval by the Israeli defence ministry, since Pegasus is considered a cyber weapon and requires an arms export licence.
However, the list of targets in India seems to be far removed from any such potential national security investigation. These people are mostly legislators, journalists and activists. This is a repeat of the first Pegasus-caused privacy breach reported in October 2019. Several activists, many connected to the Bhima Koregaon investigation, were targeted with Pegasus, which infected their smartphones via a missed call on WhatsApp.
GoI’s response now, as it was in 2019, doesn’t give any direct answers. The then IT minister Ravi Shankar Prasad had, on October 31, 2019, put out a public statement on Twitter. This statement was not even carried as an official press release. It focussed on a request for information from WhatsApp, which actually had alerted victims of surveillance. It didn’t say anything about investigating the NSO Group.
Further, there was a non-committal response to the question whether GoI had purchased Pegasus and used it. There was also a boilerplate reference to existing surveillance powers under the Telegraph Act and the Information Technology Act. This same response was repeated on the floor of Parliament on November 28, 2019 by Prasad: He said “no unauthorised interception” had taken place.
Similar non-responses were rolled out after the latest report on Pegasus-aided surveillance. The statement by Ashwini Vaishnav, the present minister for IT, also avoids a clear denial or an admission on the use of Pegasus. It also repeats NSO Group’s claims and makes references to surveillance regulations.
What must be done is what GoI has failed to do so far: Institute an independent public inquiry to credibly investigate these allegations, and therefore repair public trust.
Also, beyond the need for clarity on factual aspects of Pegasus, we must note GoI’s repeated reliance on “authorisation”. This authorisation business simply demonstrates that there are no checks in surveillance powers under the Telegraph Act and the Information Technology Act.
Our current surveillance regime under these laws – which, incidentally, are under constitutional challenge before the SC – suffers from twin problems of lack of oversight and a lack of transparency.
First, a secretary of the home ministry has the authority to order the interception, monitoring, or decryption of a person’s phone if they are satisfied that it is “necessary” or “expedient” to do so under certain circumstances. The only legal safeguard against misuse is a review by a three-member review committee comprising the Cabinet secretary and two other top-level bureaucrats.
Hence, the authority issuing the interception order and the one which exercises oversight share the same incentives. The surveillance target or the intermediary (such as WhatsApp) has no right to be heard by this committee, and there is no independent accountability mechanism, whether in the form of parliamentary or judicial oversight.
But after the SC’s judgments on privacy (KS Puttaswamy, 2017) and Aadhaar (KS Puttaswamy, 2019), it is clear that the lack of independent oversight is untenable and unconstitutional, apart from being contrary to democratic norms followed globally.
Second, the problem is exacerbated by a complete lack of transparency. The government defends the constitutionality of surveillance provisions on the grounds of checks and safeguards brought in by the review committee.
However, we know from data in 2013 that the central government issued 7,500-9,000 orders per month for interception of telephones. It is not humanly possible for any individual to apply their mind to determine the legality of such interception orders and ensure that the rule of law is respected.
And it is worse now. Recent RTIs have met with government refusals to provide even such aggregate data.
Is the belated data protection bill a remedy? As per the publicly available draft being considered by a Joint Parliamentary Committee, the bill not only doesn’t consider the wider project of surveillance reform, it also creates large exemptions for state surveillance.
Given all this, we must have an independent inquiry into the Pegasus controversy to establish facts. That’s the first step in a long corrective process.
Apar Gupta is Executive Director, Internet Freedom Foundation. Vrinda Bhandari is a lawyer. Both are parties to a legal challenge to India’s surveillance framework.