Explained | Pegasus and the laws on surveillance in India
In light of the Pegasus spyware scandal, what are the checks and balances to prevent abuse of procedures?
The story so far: An international group of news publications are reporting that a spyware known as Pegasus has been used to spy on politicians, journalists, and activists, primarily in 10 countries. Reports from the grouping called the Pegasus Project, which includes The Wire in India, The Guardian in the U.K., and The Washington Post in the U.S., suggest that in India, at least 40 journalists, Cabinet Ministers, and holders of constitutional positions were possibly subjected to surveillance. The reports are based on a database of about 50,000 phone numbers accessed by the Paris-based non-profit Forbidden Stories and Amnesty International, which they say are numbers of interest to clients of NSO, the Israel-based company that created Pegasus. According to The Guardian, Amnesty International’s Security Lab has tested 67 of the phones linked to these numbers and found that “23 were successfully infected and 14 showed signs of attempted penetration”.
What do we know about Pegasus?
Pegasus can take multiple routes to reach a target’s phone. Its earliest avatars used spear phishing, a hit-or-miss method in which a malicious link is embedded in a message customised to entice the target to click. However, it has now evolved to include “zero-click” attacks, where the target need not take any action for the phone to be infected. In 2019, WhatsApp released a statement saying that Pegasus could enter phones via calls made on the platform, even if they were not attended. Pegasus uses several such “exploits”, or weaknesses, in Android and Apple phones to enter phones; and many of these exploits are reportedly “zero day”, which means it is not a weakness that the device manufacturers are aware of. Forbidden Stories reports that frequently used exploits are bugs in iPhone’s iMessage communication app. Pegasus can also be delivered over the air from a nearby wireless transmitter, or manually inserted if the target phone is physically available.
Once inside the phone, Pegasus seeks “root privileges”, Claudio Guarnieri, who runs Amnesty International’s Security Lab, told The Guardian. Root privileges is a level of control over the phone that is beyond what a regular user has. It enables Pegasus to set up shop within the phone and establish communications with its controllers through an anonymised network of internet addresses and servers. It can then start transmitting any data stored on the phone to its command-and-control centres. This level of control also means Pegasus can turn on the phone’s cameras and microphones to turn it into a spying device without the owner’s knowledge.
Who are its clients?
The NSO Group which developed Pegasus officially claims it has 60 clients in 40 countries, though the company has not revealed their identities. Going by the Pegasus Project’s analysis of the phone numbers that the spyware possibly targeted, its clients have interests primarily in 10 countries: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and the United Arab Emirates.
Reading this together with NSO’s statement that Pegasus is graded as a cyberweapon and can be sold only to authorised government entities as per Israeli law, most reports have suggested that the governments in these countries are the clients.
Forbidden Stories is also reporting that the Israeli Ministry of Defence has a significant role in deciding whom NSO sells the software to, and apparently got it sold to Saudi Arabia despite the company’s reservations. This is significant as reports have indicated that Pegasus was used to spy on Jamal Khashoggi before the Saudi journalist and dissident was lured to the kingdom’s embassy in Turkey and assassinated. In India, the government has neither confirmed nor denied that it has purchased the NSO software at any point of time.
Who has been targeted?
The NSO has stated that Pegasus is not a tool for mass surveillance, but the 10,000 numbers that are in the Moroccan cluster of the database suggest otherwise, says Forbidden Stories. While the stated aim of Pegasus is to fight crime and terrorism, the database also has the numbers of over 200 journalists worldwide, including 40 from Indian media houses such as The Wire, The Hindu, and Hindustan Times.
The database also contains the numbers of about 13 heads of state, such as French President Emmanuel Macron, who has probably been spied on from Morocco; South African President Cyril Ramaphosa, probably spied on from Rwanda; and Pakistan’s Prime Minister Imran Khan, probably spied on from India.
A cluster of 2,000 Indian and Pakistani phone numbers, identified as being of possible interest to the Indian client, has the contacts for Opposition politicians, civil rights activists, and judges.
What do Indian laws outline?
Section 5(2) of The Indian Telegraph Act, 1885, states that the government can intercept a “message or class of messages” when it is “in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence”.
The operational process and procedures for it appear in Rule 419A of the Indian Telegraph Rules, 1951. Rule 419A was added to the Telegraph Rules in 2007 after the verdict in the People’s Union for Civil Liberties (PUCL) vs Union of India case in 1996, in which the Supreme Court said telephonic conversations are covered by the right to privacy, which can be breached only if there are established procedures. Under Rule 419A, surveillance needs the sanction of the Home Secretary at the Central or State level, but in “unavoidable circumstance” can be cleared by a Joint Secretary or officers above, if they have the Home Secretary’s authorisation.
In the K.S. Puttaswamy vs Union of India verdict of 2017, the Supreme Court further reiterated the need for oversight of surveillance, stating that it should be legally valid and serve a legitimate aim of the government. The court also said the means adopted should be proportional to the need for surveillance, and there should be procedures to check any abuse of surveillance.
The second legislation enabling surveillance is Section 69 of the Information Technology Act, 2000, which deals with electronic surveillance. It facilitates government “interception or monitoring or decryption of any information through any computer resource” if it is in the interest of the “sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order” or for preventing or investigating any cognizable offence.
The procedure for electronic surveillance as authorised by Section 69 is detailed in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. These rules, according to Apar Gupta, lawyer and executive director of the Internet Freedom Foundation, are very broad and allow even the redirection of traffic to false websites or the planting of any device to acquire any information.
Mr. Gupta is of the opinion that the use of Pegasus is illegal as it constitutes unauthorised access under Section 66 of the Information Technology Act.
Section 66 prescribes punishment to anyone who gains unauthorised access to computers and “downloads, copies or extracts any data”, or “introduces or causes to be introduced any computer contaminant or computer virus,” as laid down in Section 43.
“평생 사상가. 웹 광신자. 좀비 중독자. 커뮤니케이터. 창조자. 프리랜서 여행 애호가.”