Why Pegasus calls for a robust privacy law in India

THE INDIAN government’s response to the Pegasus Project, a global investigative effort led by the Paris-based non-profit Forbidden Stories into instances of alleged surveillance abuses by governments, has been strikingly dismissive.

The government says that, contrary to what the Pegasus report alleges, existing laws in India make it impossible for authorities to put politicians, journalists and activists under illegal surveillance. Union Home Minister Amit Shah even termed the project as a conspiracy to destabilise the country. “This is a report by disrupters for obstructers,” he said, referring to opposition protests over the issue in Parliament. “Disrupters are global organisations which do not like India to progress.”

It is unsurprising that governments would deny—like they have done for decades—the use of illegal surveillance tools like Pegasus, a spyware developed by Israel’s NSO Group that allows security agencies to covertly infect smartphones and access content. The Indian government had earlier done so in 2019, when WhatsApp first confirmed that Pegasus was used to target some of its users in India and abroad. But then, it is a fact that many ministers and top officials now scrupulously avoid using smartphones. Also, government warnings of possible cyberattacks and confirmed incidents of spyware infections have been on the rise in the past two years.

The Pegasus Project reports that around 50,000 cell phones across the world were targeted by the Israeli spyware. Among the 300 victims from India are 40 journalists, two ministers and three opposition leaders. The shadow of suspicion is on the government, since NSO maintains that Pegasus is an anti-terror software sold “solely to law enforcement and intelligence agencies of vetted governments”. “Due to contractual and national security considerations, NSO cannot confirm the identity of our government customers,” said an NSO spokesperson.

The Indian government has denied unauthorised interception by security agencies. “In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security,” said a government statement. But then, there is a regulatory grey area since spywares are not part of the ambit of this lawful interception process.

Currently, there are 10 agencies in India that are authorised to carry out surveillance. The list includes the Intelligence Bureau, the Research and Analysis Wing, the Narcotics Control Bureau, the Directorate of Revenue Intelligence and the Directorate of Military Intelligence. According to the home ministry, all agencies have been following the old-school way of lawful phone tapping after obtaining mandatory permissions from state and Central authorities. There is also an oversight mechanism, whereby a committee headed by the Union cabinet secretary reviews all surveillance cases from time to time.

The Pegasus issue, however, has shed light on a grey area. The question is, how believable are claims that intelligence and law enforcement agencies shun advanced surveillance technologies developed by companies like NSO?

“Every government uses surveillance technology,” said a senior intelligence officer. “It is the job of a spy to spy in the best manner possible. For national security purposes, the government can withhold information related to [how spying is done]. We do not disclose field formations and weapons of armed forces; how can we disclose our cyber weapons and tactics?”

But apparently, there is no free rein to spy. “Surveillance technologies like Pegasus are extremely expensive and cannot be used for an unlimited period,” said an officer. “The targets have to be fixed, and the timeframe has to be short and precise, as high-end software can cost crores of rupees. One of them costs around 060 crore for a single use.”

According to Mumbai-based cyber law expert Prashant Mali, the government needs to urgently bring in a data protection law to regulate the purchase and use of surveillance technologies by security agencies. “There is a difference between buying and using [such technologies],” said Mali. “Intelligence agencies may not have bought Pegasus, but could have accessed it through a third party. This is where the role of a data protection regulator comes into play.”

Former national cybersecurity coordinator Gulshan Rai said targeted journalists must approach the Computer Emergency Response Team, the nodal agency that deals with cybersecurity threats in India, to conduct an independent forensic analysis of possible spyware infections. He also raised doubts about the authenticity of the forensic analysis done by Amnesty International in the Pegasus Project.

“Allegations were made by Amnesty; the forensic analysis was done by Amnesty; and the conclusion was drawn by Amnesty. Does it not raise doubts about the veracity of the case?” he asked. “The entire forensic report needs to be made public. An independent forensic analysis should be done to find out how the spyware’s signature was matched with that of Pegasus.”

Ultimately, though, the need of the hour may be a comprehensive bill to protect both data and privacy of citizens. The Personal Data Protection Bill, tabled in Parliament a year after the Supreme Court’s landmark judgment in 2018 making privacy a fundamental right, is still stuck in Parliament.

“A right to privacy bill must be passed so that neither the government nor social media platforms can access and compromise an individual’s data without his knowledge,” said Rai. “I am against snooping by any government anywhere in the world. We live in a democratic country, where we are free to practice any profession, and express our opinions without fearing for our privacy.”