The story so far: The Supreme Court will be hearing the case pertaining to the alleged use of the Pegasus spyware software later this month. Last year, a consortium of 17 journalistic organisations globally put forth a list alleging the use of the spyware by the Union government to snoop on several prominent individuals. The matter first reached the apex court on October 27 last year. Back then, the court constituted a committee, overseen by former Supreme Court judge Justice R.V Raveendran, to look into the charges and accordingly submit a report “expeditiously”.
The committee overseen by Justice R.V Raveendran was mandated to inquire, investigate and determine, among other things, if Pegasus was used to eavesdrop on phones and other devices of Indian citizens. Details were sought on whether the government had taken any action after reports emerged in 2019 about WhatsApp accounts being hacked by the same spyware and if the government had indeed acquired such a suite. The article had alleged that Pegasus was part of a $2 billion “package of sophisticated weapons and intelligence gear” between India and Israel after Narendra Modi became the first Indian Prime Minister to visit Israel. It added that it was after this deal that India changed its historically pro-Palestine stance.
The Pegasus spyware can not only mop up information stored on phones such as photos and contacts, but can also activate a phone’s camera and microphone and turn it into a spying device without the owner’s knowledge.
The earliest avatars of Pegasus used spear phishing to enter phones, utilising a message designed to entice the target to click on a malicious link. However, it evolved into using “zero-click” attacks wherein the phones were infected without any action from the target individual. In 2019, WhatsApp released a statement saying that Pegasus could enter phones via calls made on the platform, even if they were not attended. Pegasus used several such “exploits” to enter Android and Apple phones. Many of these exploits were reportedly “zero day”, which meant that even the device manufacturers were unaware of these weaknesses. Pegasus can also be delivered through a nearby wireless transmitter, or manually inserted if the target phone is physically available. Once inside the phone, Pegasus can start transmitting any data stored on the phone to its command-and-control centres.
Reports that appeared in July 2021 from the Pegasus Project, which includes The Wire in India, The Guardian in the U.K., and The Washington Post in the U.S., said that in India, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance using Pegasus. The reports were based on a database of about 50,000 phone numbers accessed by the Paris-based non-profit Forbidden Stories and Amnesty International. These numbers were reportedly of interest to clients of the NSO Group (developer of the Pegasus software). According to The Guardian, Amnesty International’s Security Lab tested 67 of the phones linked to the Indian numbers in the database and found that “23 were successfully infected and 14 showed signs of attempted penetration”.
Since Pegasus is graded as a cyberweapon and can only be sold to authorised government entities as per Israeli law, most reports have suggested that the governments in these countries are the clients.
The Indian government has so far neither confirmed nor denied that it has deployed Pegasus for any operation. In the wake of the Pegasus Project revelations, several petitions were filed with the Supreme Court alleging that the government had indulged in mass surveillance in an attempt to muzzle free speech and democratic dissent. In response to the petitions, the Supreme Court asked the Centre to file a detailed affidavit regarding the use of Pegasus. However, the Centre refused to comply, arguing that such a public affidavit would compromise national security. Following this, the Supreme Court had appointed the expert panel led by Justice R.V. Raveendran. The Government has so far not responded to the NYT report, except for Minister of State Gen (Retd) V.K. Singh calling The New York Times a “supari” (hit-job) newspaper.
Section 5(2) of The Indian Telegraph Act, 1885, states that the government can intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence”. The operational process for it appears in Rule 419A of the Indian Telegraph Rules, 1951. Rule 419A was added to the Telegraph Rules after the verdict in the People’s Union for Civil Liberties (PUCL) vs Union of India case, in which the Supreme Court said telephonic conversations are covered by the right to privacy, which can be breached only if there are established procedures. Under Rule 419A, surveillance needs the sanction of the Home Secretary at the Central or State level, but in “unavoidable circumstance” can be cleared by a Joint Secretary or officers above, if they have the Home Secretary’s authorisation. In the K.S. Puttaswamy vs Union of India verdict of 2017, the Supreme Court further reiterated the need for oversight of surveillance, stating that it should be legally valid and serve a legitimate aim of the government.
The second legislation enabling surveillance is Section 69 of the Information Technology Act, 2000. It facilitates government “interception or monitoring or decryption of any information through any computer resource” if it is in the interest of the “sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign States or public order” or for preventing or investigating any cognisable offence. The procedure for it is detailed in the Information Technology Rules, 2009.
These rules, according to Apar Gupta, lawyer and executive director of the Internet Freedom Foundation, are very broad and allow even the redirection of traffic to false websites or the planting of any device to acquire information. Mr. Gupta is of the opinion that the use of Pegasus is illegal as it constitutes unauthorised access under Section 66 of the Information Technology Act. Section 66 prescribes punishment to anyone who gains unauthorised access and “downloads, copies or extracts any data”, or “introduces or causes to be introduced any computer contaminant or computer virus,” as laid down in Section 43.