September 28, 2021




Tags: Cybersecurity, Pegasus


Categories: Cybersecurity, Privacy

Pegasus: India needs urgent surveillance reform

Information is power. A range of organisations — from private military firms such as NSO to various instruments of the State — collect information to empower governments. The quest for unbridled power and critical information often leads to using unprincipled and unlawful means.

Snooping is a grim reality since the days of Chanakya, or indeed, ever since human beings constituted themselves as political units and statecraft evolved. But while recognising the compelling circumstances that may make it necessary at times, it constitutes a grave threat to democracy.

In the case of Pegasus, the nature of the technology is additional cause for concern. The NSO Group co-founder is quoted as saying, “Pegasus is a Trojan horse that could be sent flying through the air to (break into) devices”.

The government has denied that there has been any illegal interception in India, but there is overwhelming circumstantial evidence and some hard forensic evidence, obtained through mobile verification toolkit (MVT), to suggest that the Pegasus spyware indeed infected a set of targeted mobiles. Since unauthorised interception and hacking are offences under section 25 of the Telegraph Act and sections 43 and 66 of the Information Technology (IT) Act, the Opposition has paralysed Parliament proceedings, asking for a discussion and judicial probe. The issue has derailed the monsoon session of Parliament that ends this week.
Reports of the widespread use of Pegasus have unnerved mobile users across the world. The technology war between advanced spyware systems and the defending Android and Apple operating systems will continue, each trying to outdo the other.

The core issue, however, is surveillance and who ordered it. Even if the government denial is to be believed, the targeting of such a huge number of mobiles should be the object of an impartial probe. And even beyond this probe is the critical issue of surveillance methods and the need for reforms.

In 1997, the Supreme Court (SC) in PUCL vs UOI laid down the legal framework for telephone interception by the government. The Telegraph Act and IT Act 2000 give legal backing for interception of phones and computers. But in a Right to Information (RTI)-enabled regime, it is mandatory on the part of government to regularly audit interception logs and assure Parliament and citizens that due process has been followed.

Since privacy is a fundamental right, it cannot be breached except in rare circumstances. A first information report can be lodged against illegal tapping. Unfortunately, there will have been a more robust legal architecture if the data privacy bill, after necessary revisions, had been passed — but after deliberations of a select committee, it remains in cold storage.

The avenues for relief for victims, except the judiciary, are limited.

The Pegasus attack calls for structural reform. Surveillance cannot be ordered and overseen by different layers of the executive alone. Ten agencies in India have the power to do so. The first anomaly is that the sanctioning officer, the home secretary, is of the same rank as the heads of these 10 agencies. Further, the oversight mechanism is even poorer, with the committee comprising the Cabinet secretary and two other secretaries.

Has there been a case of a single rejection by the oversight committee or refusal of sanction to intercept in more than a few cases? Doesn’t the public ought to know these figures, and decision-making processes, with examples, to repose confidence in the system?

This untrammelled power to intercept needs parliamentary or judicial oversight as a minimum correction. Such power can only be exercised in cases of national security, crime investigation and public emergency/safety. The SC judgment on privacy in 2017 makes it mandatory that such interventions meet the considerations of legality, necessity and proportionality.

The government’s intransigence over the issue and the Opposition’s refusal to allow Parliament to function are hardly helping the cause of democracy. Incidents of brazen political misuse of interception powers have been raised time and again. What suits one political party while in power will not when it is in Opposition — hence, there is a need for all sides to come together, with the government agreeing to initiate surveillance reform. The Opposition should also participate in this joint effort to draw the contours of a new directive, after discussing relative merits/demerits of judicial and parliamentary oversight. It will help all parties, and ultimately the victims.

It’s time to take these reforms to the next level too, by bringing intelligence agencies under parliamentary oversight by enacting a legislation. In United Kingdom, the internal intelligence agency MI5 is governed by The Security Services Act 1989 and the external intelligence agency by the Intelligence Services Act 1994. Similarly, in the United States, the Central Intelligence Agency (CIA) is overseen by the CIA Act of 1949.

Parliamentary oversight would require a tight group of Members of Parliament (MPs) across party lines, nominated by the prime minister. They can be kept in the loop about key decisions and made aware that all operations are in the nation’s interest. After 9/11, a bipartisan committee nominated by President George W Bush and the Congress, called the 9/11 Commission, investigated the failure of intelligence agencies and prepared a blueprint for reform. The time has come for Indian MPs to do the same.

Pegasus may not even leave traces of malware in infected mobiles, but it does permanently scar a democratic system. The United Nations rapporteur for freedom of expression has called for banning the manufacture, sale and use of such spyware. However, nations themselves must act in the interest of free speech and expression. India, as the world’s largest democracy, has to walk the talk on the constitutional guarantees of freedom. An independent probe is a must — and so is the case for surveillance reform and parliamentary/judicial oversight of intelligence agencies.

(This was first published in Hindustan times)