Author(s): Sudipto Halder, 4th year student at School of Law, Bhubaneswar & Rachna Gautam, 2nd year student at MMH College, Ghaziabad.
A sensational international news report in July 2021 revealed that more than 300 Indians are being monitored by an Israeli spy program called Pegasus, which can hack into mobile phones and access files, files, voice calls, and videos of the intruder. The history of India is not unfamiliar to espionage, cutting-edge technology has been used for national defense and national security previously. The Pegasus scandal reopened the floodgates for privacy and the extent to which the state abused data protection rights. This Paper examines, To What extent the data of Citizens in India is protected? Is surveillance by the state not an infringement of Right to privacy? Is the State not bound to provide the information about the functioning of surveillance? Is it not the responsibility of the state to maintain transparency when it comes to the private data of citizens? What measures are taken by the government to assure that the data will not be misused? Until When citizens have to compromise with their rights at the cost of national interest and security? Can the citizens progress and develop fully beneath the feeling of being in surveillance all the time? Can a development of the Country be envisaged without strengthening the trust between citizens and state? Will all this not lead to the death of democracy?
The spying and surveillance software industry has been operating secretly for years, occasionally exposed as a result of mistakes directed at human rights activists, journalists, and researchers. The surveillance industry says it is working to help the government fight crime and terrorism, but the products developed by these companies are often used by government agencies and security agencies to deter dissent and harass journalists and human rights defenders. Regarding the opportunity to solve this problem, we need to work together and limit the sales of surveillance tools and technologies. Unfortunately, the same problem reappeared in India, and the Indian government neither answered nor solved the same problem. NSO Group has confirmed and officially stated that the surveillance software or spyware it sells is only sold to law enforcement or intelligence agencies, and not to individuals. In this case, the central government must clarify its relationship with the National Bureau of Statistics through the Ministry of Interior and/or the Ministry of Electronics and Information Technology and issue a statement stating whether it uses Pegasus against Indian citizens. Pegasus is a spyware developed by the Israeli company NSO Group, which helps spyware invade mobile phones. When WhatsApp filed a lawsuit against the company in the United States in 2019, this issue became widely known. In July 2021, Amnesty International and 13 media companies around the world released a report on how spyware was used to monitor hundreds of people, including Indians. Although NSO claims that its spyware is only sold to the government, no country agrees with these claims. The controversy of Pegasus software dates back to 2019, in the month of november a New York technology reporter filmed a wiretap device exhibited at the Milipol National Security Exhibition in Paris. The exhibitor NSO Group placed the equipment on the back of the truck, probably assuming it was portable. And stated that it does not apply to US phone numbers, possibly due to restrictions imposed by the company itself. This may be the first time a portable base station (BTS) manufactured by NSO was shown on Pegasus, developed by an Israeli technology company called NSO Group, since the Israeli internet giant was founded in 2010. Hackers can access your phone’s camera, microphone, files, photos, and even encrypted messages and emails. Basically the entire phone. This applies to Android and iOS devices. Another option is to use the target’s own mobile operator for access. In this case, the attacker does not need any type of rogue cell tower, but instead relies on the infrastructure of the n network to carry out the attack. Pegasus spyware is rarely used to monitor private or politically inactive people, however a report says it has been used to monitor activists and politicians in India creating a security breach of private data of many people. The tool created for espionage is being used for personal benefits of a person having access to this.
The Mechanism of Pegasus
As soon as the spyware is introduced on the cell phone, it will start to speak with the administrator’s “control server”. Then, at that point, you can adhere to the guidelines to send the individual information accessible on your cell phone, including instant messages, plans, contacts, passwords, voice brings in informing applications, area information, and so forth Spyware can likewise incorporate cameras and amplifiers for calls and manual activities. One of the remarkable highlights of Pegasus is its “zero-click assault”. Zero Click malware implies that an individual can be assaulted by malware without opening a connection. It will be introduced on the cell phone after a missed call or establishment is finished. As indicated by Forbidden Stories, Pegasus can utilize some detour techniques to peruse encoded messages in scrambled informing applications like Signal, WhatsApp, and Telegram. NSO at first flaunted one of a kind items. Around then, malevolent connections sent by means of email connections were broadly spread all throughout the planet. Pegasus then, at that point, has an interesting “zero-click assault” highlight, which contains connections to vindictive projects explicitly created or adjusted for the objective. At the point when the objective individual snaps on the given interface, the telephone will naturally be infected. Spyware isn’t possibly scary, however it is additionally hard to discern whether it is on a cell phone. Though it is not disclosed how a spyware works due to security reasons and guidelines of the parent company, this is a brief idea which investigators have found on how this Pegasus works.
What makes Pegasus different from other spyware?
Pegasus, also known as Q Suite, is recognized by NSO Group (also known as Q Cyber Technologies) as the world’s leading cyber intelligence solution, enabling law enforcement and intelligence agencies to extract data remotely was developed by a veteran of the Israeli intelligence service. Avast’s mobile threat analyst Jakub Vavra took a closer look at Pegasus and said that Pegasus is a remote access tool (RAT) with spyware capabilities. Its Android variant can retrieve data from popular communication tools such as WhatsApp, Facebook, and Viber, as well as email clients and browsers. Microphones and Camera, as well as screenshots and recording user input. Since 2016, we have tracked and blocked multiple attempts by Pegasus spyware to jailbreak Android phones, most of which were in 2019. Until the beginning of 2018, NSO Group customers mainly relied on SMS and WhatsApp messages to trick targets into opening malicious links that could infect their mobile devices. This is discussed in the Pegasus manual as Advanced Social Engineering Information (ESEM). The malicious link packaged when ESEM is clicked takes the phone to the server, which checks the operating system and provides appropriate remote exploits. Pegasus provides click-free installation in a variety of ways. One can quietly send a push message to force the target device to download spyware, but the target device does not notice the installation, and it still has no control over it.
How does this spyware leak data?
The person who wants to spy on important information only needs to pass the target number to the Pegasus system for network injection. The system is well programmed to do the rest on its own and spyware is installed in most cases. However, in some cases, network embedding may not work. For example, if the target device does not comply with the NSO standard or the operating system adds new protection, the remote installation will fail. Once infected, the mobile phone becomes a digital spy that the attacker completely controls. After it is installed, Pegasus communicates with the attacker’s command and control server to receive and execute instructions and send the target’s personal information, including passwords, contact lists, calendar events, text messages, and real-time voice calls (including through terminal connect). The attacker can control the camera and microphone of the phone and use the GPS function to track the target. To avoid excessive bandwidth consumption that may warn the target, Pegasus only sends scheduled updates to the server. The purpose of spyware development is to bypass forensic analysis, be detected by antivirus software, and be deactivated and deleted by attackers when necessary.
An Overview of Indian Surveillance Law
Communications surveillance in India is conducted under two main laws i.e. the Telegraph Act and the Information Technology Act. Although the telegraph law involves wiretapping, the IT Act was passed after the Supreme Court intervened in 1996 to combat surveillance of all electronic devices. A comprehensive data protection law has not yet been passed to fill the loopholes in the existing surveillance system. Section 5(2) of the Telegraph Act states that in the case of an emergency or in the interest of public safety, the central government or the state government believes this is necessary for India’s sovereignty and integrity, national security, friendly relations with foreign countries or public order, or to prevent incitement and such other crimes. For this reason these things must be recorded in writing, follow the instructions sent to or sequential transmission or transmission or reception by a person or group of people or messages or message categories related to a particular subject, or received can be intercepted . But in the case of Public Union for Civil Liberties v Union of India the Supreme Court of India laid down certain guidelines regarding this section of the Telegraph Act as it was violating Article 21 of the Constitution. The Supreme Court said in its review that “intercepting communication or wiretapping is a serious violation of someone’s privacy. With the development of high-tech communication technology, the right to sell phones in the privacy of our home or office is becoming more and more likely to be abused. Although the government is democratic, in a sense, it is part of its intelligence organization, but at the same time, citizens’ right to privacy must currently be protected to avoid abuse by the authorities.” Since the right is guaranteed by the Constitution of India, it is incumbent upon the government to take both direct and indirect measures to protect the personal and data privacy of its citizens.
Apart from the restrictions provided in Section 5(2) of the Telegraph Act and Article 19(2) of the Constitution, Section 69 the IT Act adds another aspect that makes it broader interception, monitoring and decryption of digital information for the investigation of any crime. The Pegasus spyware is violative of these laws pre existing in India. Since spyware is illegal in India, tapping using spyware is also considered illegal. Section 69 of the Information Technology Act provides for the right to intercept. Research on the Information Technology Act clearly shows that spyware interception is not allowed. As a result, this has led to a large number of illegal activities highlighted in the current Pegasus dispute. The Information Technology Act was never written to allow the government to monitor by using spyware as part of its legal arsenal and ammunition against humans. Ex Union Minister of India and renowned lawyer Kapil Sibal said on this controversy of Pegasus that if the fact is true that this spyware was put on the ministers phone and intercepted it, then this is already violating the Official Secrets Act and this is violation of the Information Technology Act, and if this spyware is used to spy on a female person, then it is violating Section 354D of the Indian Penal Code therefore this is also an infringement of privacy. As the number of countries using this tool increases, the main problem that arises is how to take appropriate controls and countermeasures to prevent the abuse of these spywares. The government always uses these tools for concealed and public activities, but in a country like India, people have a basic right to privacy, and the use of such tools itself violates the basic right of privacy.
Is the Indian Legal System providing Safeguard to the Pegasus Spyware surveillance?
How secure and unsecured are our rights? We rarely get this answer from the government who has assured the protection of all the legal and fundamental rights. Although there are certain organizations and individuals with the commitment to protect and assure transparency around the protection of rights, it helps us know a lot about the status. One such example is an international collaborative investigation titled “Pegasus Project” , which has revealed about the surveillance of the government agencies over the citizens through a foreign spying organisation. The Investigating team asserted there are around 50,000 phone information from which the information is leaked to the government and analysis confirmed that more than 1,000 were done by the clients of NSO from India. The list of people under serveillance includes journalists, opposition officials, activists and cabinet ministers. Most of the names are anti-establishment attacks, and their investigations revealed various oversights by the government. The first volume of annual Transparency and Responsibility report released by NSO affirm the fact that all the products, designed and sold by them are solely used by agencies and organisations that are thoroughly vetted and approved by government.
In response to which India’s minister of electronics and IT has said that there is no unauthorised inception by the governmental agencies and India has a well established protocol for Inception which allows inception only in case of National Interest and high ranking officials from both centre and state have a on it, sanction it. Denying the allegations made in regard of spying of certain people and asserted that there is a proper process under which any inception of any electronic communication is carried out in case of any pubic emergency and public safety by centre and states government agencies and such inceptions are made under section 5(2) of Telegraph Act, 1885 and section 69 of the Informational Technology (Amendment) Act, 2000. Each Case of monitoring, decryption and inspection is done under the Union Home Secretary and provisions of IT( Procedure and safeguard for inception, monitoring and decryption) Act, 2009 grant similar powers to the state government as well. And there are review committees also in this regard responsible towards Union Cabinet Ministers and by State Cabinet Secretaries.
It can be inferred from the response of the government that government does not expressly deny that any surveillance is made by the government agencies using pegasus Spyware which clearly depicts that such surveillance are made by the government using pegasus spyware and section 69 of the information Technology act, 200 authorises and assure legality of such act. These Provisions of draconian kind probably permits the government to incept, monitor and decrypt the information of people without having any judicial oversight over it but these permissions does not extend upto hacking someones phone or installing spyware.
In KS Puttaswamy V. Union The Supreme Court held Right to Privacy as a fundamental Right Guaranteed under article 21 of Constitution of India. Which also, does not forbid the government from incepting, monitoring or decrypting data and allows surveillance following some standard regulation such that the surveillance must be legitimate, proportionate and necessary. Less Intrusive alternatives must be used but Pegasus Spyware is extremely intrusive and does not follow any of the above stated standards.
The tools and measures of government offer little transparency pertaining to government functionings under section 69 for instances when Internet Freedom foundation asked for the no. of times order under section 69 is used government refused to provide such basic and general information even stating national security to be its reason. The tools of the legal system provide a wall around how the surveillance is being conducted by the government and in which nature and for what purpose such surveillance is being used. This makes the citizen fully helpless because it cannot use the constitutional remedies provided under section 32 and section 226 because of inaduacacy of proofs, evidence and information. This clandestine nature of governance makes citizens a vulnerable subject of state.
Even the recent bill introduced in parliament Draft Personal Data Protection Bill is silent on the surveillance bill and adding to that it provides immunity to the government agencies from the purview of DPDPB and The report submitted by Committee of Experts headed by former judge of Supreme Court Justice B.N. Srikrishna on a Data Protection Framework for India (Chair: Justice B. N. Srikrishna) to the Ministry of Electronics and Information Technology on July 27, 2018 is silent on the surveillance reforms. However, currently there are two private bills introduced in parliament primarily focusing on surveillance reform.
Psychological, Social, and Economic Impacts of Pegasus Spyware Surveillance
Although, NSo Publicly claims that it respects the human rights of the individual, as enshrined in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labor Organizations Declaration on Fundamental Principles and Rights at Work. But having access to and surveillance over any persons data without his consent is in itself an infringement of human rights as nobody would like that all the personal and private information about
After analysing the evidences related to psychological impact of surveillance it can be clearly concluded that indiscriminate surveillance lead to the extreme level of stress, fatigue and anxiety and effects productivity and personal Control, social cohesion, and ultimately our future. A government doing surveillance over its citizens cannot claim that it wishes for the well being of citizens and wants the growth and progress of individual, society, economics and nation.
In a series of classic experiments during the 1950, Psychologist Asch showed that Surveillance encourages conformity to social norms and this conformity is so strong that it forces an individual to follow a crowd even after knowing that crowd is fully wrong. Mass Surveillance kills the innovation, critical thinking, or originality which will definitely restrict the progress and the ill effects of society like casteism, sexism, Racism, Nationalism, Capitalism will become more strong and will lose its natural speed of declination even which will affect the entire society and humanity devastatingly.
In all the Feminist theory the consent has been given a very much importance that should be respected at each and every step and it needs to be make sure that such consent is free and fare. The Pegasus Spyware snatches this right to consent and makes them a subject to legal vulnerability which doesn’t hamper right to privacy but bodily integrity, mental peace, dignity, etc.
Surveillance and Shaking Democracy
A Research Suggests that people can tolerate only limited surveillance which means surveillance is bearable only when it trades someone else liberty but the moment they realise they themself are also being surveillanced that breaks up the social contract into danger and makes society to stand in opposite to their government.
A recent study found that surveillance does not give greater control to government over populace, likewise if member of a team feels that they and the leader have a common social identity only then a team can function It is a very well known fact and always used in politics the way political parties organise their campaign and rallies. The main target of all the rallies is to show and make citizens realise that they are the parts of the same social group and share the same identity.
The purpose of Security services through surveillance is to increase the distance between state and society and they make assure that they will be seen as outgroup so that they can increase the influence and this state surveillance put the state and security services at a position of loggerhead and dissolve the necessary linkage between state and society. There are just two ways to resolve it: either to use totalitarianism, which will break all the bonds of social identity between politician and electorate and democracy will convert into a police state and grouping the state and society as different groups or to end the spying and surveillance.
There has come a state where the state knows everything about the society even the smallest act of society whereas the society does not know anything about the state action and this asymmetry will give rise to malignancy and end democracy.
State cannot act as both ingroup and Outgroup, state cannot claim to be serving the security and liberty to its citizen at the same. When any spying or surveillance is used by the state it primarily forgets the effect it has on the psychology of people. This spying and surveillance shrink the thought of appropriate behaviour and thinking to be so narrow that every smallest deviation can be seen as a crime which causes exclusion and for which the punishment will be called. A time will come when there will be left nothing to put surveillance on, all creativity will die, people will stop taking risks and no innovation and drastic achievements will be seen. That’s what is trying to bring into action by this spying surveillance : people will stop critically thinking and analysing the situation and accept the things the state is offering without doubting it and questioning it. This may soon end any voice which dissent, which can bring reformes and drastic changes in society, criticism and dissents are the building blocks of democracy once they die. Democracy will die altogether. Edward Snowden is right that technology cannot be rolled back but definitely its usage can be regulated, and must not be allowed to function as legitimate industry, reeling in profit and flowering and blossoming on the pulsing transcontinental highways of free market must not be utilised in giving the government a face of tyrannical and policing state. Undoubtedly, there is a need to make stringent laws and provisions in advance to protect the data and fundamental rights of the individual but only political actions can change it because the actions which are right now being infringed with legal tools will be infringed with Illegal action.
 Priyanka Chaturvedi, Pegasus affair is an assault on privacy, The Pioneer (Jul. 26, 2021), https://www.dailypioneer.com/2021/columnists/pegasus-affair-is-an-assault-on-privacy.html.
 Richard Willet, Pegasus Unveiled: The Cyber-Surveillance Weapon Of Scientific Dictatorship, Truth 11 (Jul. 21, 2021, 1:00 p.m.), https://truth11.com/2021/07/21/pegasus-unveiled-the-cyber-surveillance-weapon-of-scientific-dictatorship/.
 Probing Pegasus: On Bengal ordering inquiry into snooping row, The Hindu (Jul. 29, 2021, 12:00 a.m.), https://www.thehindu.com/opinion/editorial/probing-pegasus-the-hindu-editorial-on-the-bengal-government-ordering-inquiry-into-snooping-row/article35595256.ece.
 Jay Mazoomdar, How Pegasus can infect a device; what information can be compromised, The Indian Express (Jul. 29, 2021, 9:50 a.m.), https://indianexpress.com/article/explained/pegasus-whatsapp-spyware-israel-india-7410890/.
 David Strom, Understanding the Pegasus project, Avast (Jul. 22, 2021, 10:41 a.m.), https://blog.avast.com/pegasus-and-spyware-avast.
 Cyrus John, Pegasus Spyware: What Is It & Should You Worry?, The Quint (Jul. 18, 2021, 10:39 p.m.), https://www.thequint.com/videos/what-is-pegasus-and-how-it-affects-your-phone#read-more.
 Teo, How to find hidden spyware on Android, JOA (Sep. 5, 2020), https://joyofandroid.com/know-if-anyone-is-spying-or-tracking-my-android-phone-with-hidden-spyware/.
 Apurva Vishwanath, A look at the laws for surveillance in India, and concerns over privacy, The Indian Express (Jul. 29, 2021, 9:45 a.m.), https://indianexpress.com/article/explained/project-pegasus-the-laws-for-surveillance-in-india-and-the-concerns-over-privacy-7417714/.
 Communication Surveillance in India, Chinmaya IAS Academy (Jul. 13, 2021), https://currentaffairs.chinmayaias.com/communication-surveillance-in-india/.
 Public Union for Civil Liberties v Union of India, (1996) AIR 1997 SC 568.
 The Indian Telegraph Act, 1885.
 The Information and Technology Act, 2000.
 The Official Secrets Act, 1923.
 Anindita Sanyal, Snooping By Pegasus Spyware A Threat To National Security, Illegal: Kapil Sibal, NDTV (Jul. 20, 2021, 6:00 p.m.), https://www.ndtv.com/india-news/snooping-by-pegasus-spyware-a-threat-to-national-security-illegal-kapil-sibal-2490798.
 Pawan Duggal, Pegasus controversy, a legal viewpoint Expert Opinion, India Today (Jul. 22, 2021, 2:43 p.m.), https://www.indiatoday.in/india/story/pegasus-controversy-legal-viewpoint-expert-opinion-1831216-2021-07-22.
 Washington Post Staff, Takeaways from the Pegasus Project, The Washington Posts (July 21, 2021, 4:14 p.m), https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/.
 Transparency and Responsibility Report, 2021, NSO Group, June 30, 2021.
 ANI, Government of India Response to the media reporting under “pegasusProject”, Twitter (Jul, 2018), https://twitter.com/ANI/status/1416800154871468036.
 Yashaswani Basu, Pegasus spyware surveillance: The devil lies in what we don’t know, Bar and Bench (Jul. 20,2021, 11:46 am), https://www.barandbench.com/columns/pegasus-spyware-surveillance-the-devil-lies-in-what-we-dont-know.
 (2017) 10 SCC 1.
 Yashaswani, supra note 19.
 IFF keeps pushing against secrecy in surveillance. CIC orders MHA to adjudicate on our request for transparency. Internet Freedom Foundation, https://internetfreedom.in/iff-keeps-pushing-against-secrecy-in-surveillance-cic-orders-mha-to-adjudicate-on-our-request-for-transparency/.
 A Free and Fair Digital Economy, PRS India, India, https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy.
 Supra note 17.
 Social identity approach, Wikipedia, https://en.wikipedia.org/wiki/Social_identity_approach.
 Kendra Cherry, The Asch Conformity Experiment, Very Well Mind (Apr. 3, 2020), https://www.verywellmind.com/the-asch-conformity-experiments-2794996.
 Marie Helen Mars, The social consequences of a mass surveillance measure: What happens when we become the ‘others’?, 40 International Journal of Law Crime and Justice, 65, 71-74, (2012).
 Emins Subasic, Leadership, power and the use of surveillance: Implications of shared social identity for leaders’ capacity to influence, 22 The Leadership Quarterly, 170, 174-180, (2011).
 Chris Chambers, NSA and GCHQ: the flawed psychology of government mass surveillance, The Guardian (Aug. 26, 2013), https://www.theguardian.com/science/head-quarters/2013/aug/26/nsa-gchq-psychology-government-mass-surveillance.
 Arundhati Roy, Only Political Action Can Mitigate the Disastrous Effects of Pegasus Spyware, The Wire (July. 27, 2021), https://thewire.in/rights/pegasus-spyware-india-arundhati-roy.