Year of bugs

The pandemic has made surveillance tools more invasive and fearful

Disquieting data: John Scott-Railton (extreme right), senior researcher at the Citizen Lab, says the Pegasus case in India is “extremely troubling”.

THE COVID-19 PANDEMIC has marked the beginning of an era where surveillance is the new normal. China is using camera-fitted smart helmets and drones, and facial recognition technology, to identify potential patients. Hong Kong is tracking people using electronic wristbands; Singapore has launched a contact-tracing app; and Israel is carrying out phone surveillance.

In April, India launched Aarogya Setu, a smartphone app that alerts people when they come into contact with Covid patients. When privacy concerns emerged, the government declared Aarogya Setu an open-source application that allows developers and cybersecurity experts to inspect the app and its vulnerabilities. “Aarogya Setu is a powerful companion that protects people. It has a robust data security architecture,” said Union Minister Ravi Shankar Prasad.

Given the record of governments targeting dissidents, surveillance tools do not enjoy public confidence. In 2019, the Toronto-based Citizen Lab exposed how Pegasus, spyware designed by the Israeli firm NSO Group, had been snooping on 1,400 people in 45 countries, including India. Pegasus had hacked into cell phones that had WhatsApp, the multimedia platform owned by Facebook.

WhatsApp has 400 million users in India. The security breach raised fears of state surveillance, after NSO Group said it sold Pegasus to government agencies only. Congress leader Priyanka Gandhi Vadra, along with more than 100 activists, lawyers and journalists who were targeted by the spyware, accused the government of snooping on citizens. Last November, the activists wrote to Union Home Minister Amit Shah demanding an inquiry into the breach.

In June this year, a joint investigation by the Citizen Lab and Amnesty International revealed that some of the activists targeted by Pegasus were also victims of phishing attempts. “I have been the target of a coordinated spyware campaign,” Shalini Gera, a human rights lawyer in Chhattisgarh, told THE WEEK. “My WhatsApp and email were being monitored to keep tabs on my movements and communications. It was a complete breach of my privacy. Since we have reasons to believe that a Central or state agency was behind this illegal surveillance, we did not register any first information report, as that can lead to more harassment.”

The Union home ministry has not responded to the letter sent by the activists. On November 20, the parliamentary standing committee on information and technology, chaired by Shashi Tharoor, MP, of the Congress, decided to take up the matter. “The committee held one meeting with some of us, but we have not heard from them again,” said Gera. “It has been almost a year and we don’t know which agency was behind it.”

Ankit Grewal, a Chandigarh-based lawyer who represented activist Sudha Bharadwaj in the Bhima Koregaon case, was a Pegasus target who deposed before the parliamentary committee. He said he had not heard from the committee after that. “It is the prerogative of the government to investigate the matter,” he said.

Delhi-based rights activist Vidhya, who helps survivors of sexual violence, said she was targeted because she was part of a larger group of activists who fight for democratic rights. “I am not scared of scrutiny,” she said. “But the reason why surveillance is disturbing is that it is not just my personal space getting compromised, but also the identities and privacy of hundreds of survivors who are in touch with me. Their cases get compromised in the process.”

Officials in Delhi said there had been no unauthorised surveillance. WhatsApp, however, is suing NSO Group, which told a US court that it sold Pegasus to law enforcement agencies only. John Scott-Railton, senior researcher at the Citizen Lab, termed the Pegasus case in India “extremely troubling”. “The Indian government has not contacted us,” he told THE WEEK. “If they would like to [investigate], they certainly have the resources to do so.”

In 2018, the Union government issued an order authorising 10 Central agencies, including the Intelligence Bureau and the Research and Analysis Wing, to monitor and intercept internet traffic and calls under the Information Technology Act. The order said state law enforcement agencies could exercise similar powers only after the state home secretary approves it.

The Pegasus case has raised questions about the safeguards against government misuse of surveillance technologies. “The advent of a public health emergency in the form of Covid-19 should not serve as an excuse for countries to engage in surveillance,” said Pavan Duggal, founder and chairman of the International Commission on Cyber Security Law. “Countries and citizens have to be careful of this trend, as it is likely to be further strengthened.”

According to him, laws concerning surveillance need to be strictly interpreted and implemented. “Governments need to ensure that checks and balances under existing laws continue to be respected. Courts need to ensure that governments do not use surveillance as a wonder tool to respond to all kinds of exigencies,” said Duggal.

For now, the wonder tool is helping fight Covid-19. In July, camera-mounted smart helmets were introduced in Mumbai for thermal scanning. Brihanmumbai Municipal Corporation commissioner Iqbal Singh Chahal said the helmets scanned 200 people per minute. “No data or images are stored in them. It is very useful in segregating suspected Covid patients in containment zones and slums,” he said.

Safeguards and assurances aside, vulnerabilities continue to be exposed. On June 6, a Citizen Lab report uncovered a massive “hack-for-hire” operation codenamed Dark Basin, run by a Delhi-based technology firm called BellTroX InfoTech Services. The report said BellTroX had targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the US, including private equity giant KKR & Co and investment firm Muddy Waters. Dark Basin targeted thousands of individuals and organisations in six continents, including politicians, journalists, CEOs and rights organisations.

The Citizen Lab said BellTroX’s co-owner, Sumit Gupta, had been indicted in a 2015 hacking case in the US, in which two private investigators admitted to paying him to hack the accounts of marketing executives. Gupta was declared a fugitive in 2017.

BellTroX, which was incorporated on May 1, 2013, is owned by Gupta and his wife, Veenu. According to the Citizen Lab, BellTroX and its employees used euphemisms—like psychology transcription, vulnerability assessment, malware analysis and penetration testing—to advertise their illegal services. BellTroX’s small office in a crowded area in Delhi was shut when THE WEEK visited it.

Scott-Railton said India’s hack-for-hire industry is making the world insecure. “I am concerned that it tarnishes the reputation of India’s talented and vibrant cybersecurity sector,” he said. Advocate Prashant Mali, who specialises in cybersecurity and privacy, said Indians remain most vulnerable to digital security breaches because India does not have proactive privacy laws. The data privacy bill, introduced in Parliament last year, is still pending.

According to Mali, there are no examples of Indian laws punishing a cybersecurity violator. “There is a need to make the state accountable for surveillance and snooping,” he said. “But I am not hopeful that the final draft of the bill would make the government accountable.”