EDITORIAL ANALYSIS: In Pegasus battle, the fight for surveillance reform

 Source: The Hindu

• Prelims: Pegasus, linkage of organised crimes with terrorism, Right to privacy etc
• Mains GS Paper II: Right to privacy, implications of Pegasus on security etc

ARTICLE HIGHLIGHTS

• A year has passed since the disclosures about the Pegasus Project revealed the threat to India’s democracy.
• A leading digital news platform reported that the cellphones of at least 300 Indians had been hacked with Pegasus, the spyware from the Israel-based NSO Group; 10 of the cases were confirmed by Amnesty International’s Security Lab using forensic analysis.
• The victims, important members of India’s constitutional order, included cabinet Ministers, Opposition leaders, journalists, judges and human rights defenders.

INSIGHTS ON THE ISSUE

Context

Pegasus:

• It is a type of malicious software or malware classified as a spyware.
• It is designed to gain access to devices, without the knowledge of users, and gather personal information and relay it back to whoever it is that is using the software to spy.
• Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010.
• The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
• Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
• These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

How was Pegasus used in India?

• Surveillance using Pegasus: Reports that appeared in July 2021 from the Pegasus Project, which includes The Wire in India, The Guardian in the U.K., and The Washington Post in the U.S., said that in India, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance using Pegasus.
  • The reports were based on a database of about 50,000 phone numbers accessed by the Paris-based non-profit Forbidden Stories and Amnesty International.
• Signs of attempted penetration: According to The Guardian, Amnesty International’s Security Lab tested 67 of the phones linked to the Indian numbers in the database and found that “23 were successfully infected and 14 showed signs of attempted penetration”.
• Governments as clients: Since Pegasus is graded as a cyberweapon and can only be sold to authorized government entities as per Israeli law, most reports have suggested that the governments in these countries are the clients.

Opaqueness around the issue:

• The Minister of Electronics and Information Technology, referring to “press reports of 18th July 2021”, refused to directly address the claims made by the Pegasus Project, he stated that the existing legal framework prevents unauthorized surveillance.
• On November 28, 2019, the former Minister of Electronics and Information Technology, had responded similarly to allegations over the use of Pegasus.
• A report by The New York Times of January 31, 2022 contradicted both their statements and stated that ‘India has bought Pegasus in 2017 as part of a $2-billion’ defence package.
• In response to disclosures by the Pegasus Project, CERT-IN, the nodal agency, the Indian Computer Emergency Response Team, that deals with cybersecurity threats, has remained silent.
• Separately, in every parliamentary session since the revelations, the Opposition has sought a discussion and a probe. Both demands have been ignored.

Judicial response:

The Supreme Court will be hearing the case pertaining to the alleged use of the Pegasus spyware software later this month.

• The court had constituted a committee, overseen by former Supreme Court judge Justice R.V Raveendran, to look into the charges and accordingly submit a report “expeditiously”.
• Objectives of the committee:
  • Inquire, investigate and determine, among other things, if Pegasus was used to eavesdrop on phones and other devices of Indian citizens.
  • Details were sought on whether the government had taken any action after reports emerged in 2019 about WhatsApp accounts being hacked by the same spyware and if the government had indeed acquired such a suite.

What do Indian laws outline?

• Section 5(2) of The Indian Telegraph Act, 1885: It states that the government can intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offense”.
  • The operational process for it appears in Rule 419A of the Indian Telegraph Rules, 1951
  • Under Rule 419A, surveillance needs the sanction of the Home Secretary at the Central or State level, but in “unavoidable circumstance” can be cleared by a Joint Secretary or officers above, if they have the Home Secretary’s authorisation.
• Section 69 of the Information Technology Act, 2000: It facilitates government “interception or monitoring or decryption of any information through any computer resource” if it is in the interest of the “sovereignty or integrity of India, defense of India, security of the state, friendly relations with foreign States or public order” or for preventing or investigating any cognisable offense.

Judgements related to Surveillance:

• People’s Union for Civil Liberties (PUCL) vs Union of India case: Supreme Court said telephonic conversations are covered by the right to privacy, which can be breached only if there are established procedures.
• S. Puttaswamy vs Union of India verdict of 2017: the Supreme Court reiterated the need for oversight of surveillance, stating that it should be legally valid and serve a legitimate aim of the government.

Steps taken by India:

Response by other countries to Pegasus:

• Israel set up a senior inter-ministerial team: Team for investigation while the Foreign Minister said that the government would work to ensure that Pegasus did not fall into the wrong hands.
• France ordered a series of investigations: Within a day of the revelations; on September 25, 2021, its cybersecurity agency confirmed that the spyware had been used to target French citizens.
• The United States: It added NSO to its ‘Entity List for Malicious Cyber Activities’, which restricted the ability of U.S. companies to export goods or services to NSO.
• United Kingdom: The spyware company implemented a change to ensure that Pegasus could no longer target U.K. numbers after revelations, in 2021, that Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum, had used the spyware to hack the phones of his wife.

Way Forward

• Protecting privacy: Considering the severity of the threat posed by these disclosures, and the credibility of the evidence which backs them, it is important to examine how each branch of the Indian state has responded, or failed to respond, in protecting the privacy of citizens.
• Prevent indiscriminate monitoring: An overhaul of surveillance laws is necessary to prevent the indiscriminate monitoring of people and entities by the state and private actors.
• Independent oversight provisions: The Information Technology Act, 2000 and the Indian Telegraph Act 1885 which empower the Government to surveil, concentrate surveillance powers in the hands of the executive, and do not contain any independent oversight provisions, judicial or parliamentary.
  • These legislations are from an era before spyware such as Pegasus were developed, and, thus, do not respond to the modern-day surveillance industry.
• Lacunae in proposed Data protection law:The proposed data protection law does not address these concerns despite proposals from members of the Joint Parliamentary Committee. Instead, the proposed law provides wide exemptions to the Government relating to select agencies from the application of the law
• The Freedom House ‘Freedom in the World’ report : The past year has showcased why the need for comprehensive surveillance reform is so urgent. The Freedom House ‘Freedom in the World’ report — it tracks global trends in political rights and civil liberties — changed India’s status from ‘free’ to ‘partly free’ in 2021.
  • It has cited the alleged use of Pegasus on Indian citizens as one of the reasons for the downgrade.
• Surveillance reforms: In the absence of immediate and far-reaching surveillance reform, and urgent redress to those who approach authorities against unlawful surveillance, the right to privacy may soon become obsolete.

QUESTION FOR PRACTICE

1. Discuss different types of Cybercrimes and measures required to be taken to fight the menace.(UPSC 2020)

(200 WORDS, 10 MARKS)

1. What is the CyberDome Project? Explain how it can be useful in controlling internet crimes in India.(UPSC 2019)

(200 WORDS, 10 MARKS)

1. What has been the aftermath of the Pegasus spyware operations? Who does it target and why is the government under scrutiny?

(200 WORDS, 10 MARKS)