Abstract
The article dwells upon the problem of ‘Cyber snooping in relation to the recent Pegasus attack’ which showcases the negative aspect of digital life. The research paper goes on to talk about how in the name of ‘National Security’ the government has denied giving information about things that infringe the rights of its citizens. It also throws light upon the power of Judicial Review that the Supreme Court exercises and talks about its judgment on the Pegasus spyware case.
The result of this study suggests that the government has to relook the way it uses the defense of ‘national security’ and they will have to maintain a proper balance between civil rights and the restrictions that the government imposes in order to protect its citizens from outside danger.
The problem of the fragile Indian cyber security infrastructure has long been a part of the problem and this paper highlights some of the loop-holes in our privacy laws and goes on to give suggestions as to what the Indian government should do in the earliest hour. As the digital sphere is getting advanced day by day, it is the need of the hour to focus on the laws that will lead to smooth functioning if the same.
Keywords
Cyber-snooping, Right to Privacy, National Security, Cyberlaws, Supreme Court
Introduction
In this contemporary world, heavy dependence is witnessed on the digital ecosystem. It has been estimated that a total of 127 new devices connect to the internet every second.[1]The online market is making our life easier and safer, be it working from home or education and in many other social-spheres. But every coin has two sides of it; the more we are connected to the internet the more we are vulnerable to external threats.
We live in an epoch where our whole data is stored in a drive or cloud-based platform and can be hacked easily with one click, which can lead to breach of an individual’s right to privacy.
Cyber snooping is an unauthorized access to another person’s or company’s data. Recent years have seen a trend of data breach in a heavy amount. A cyber-attack on Maharashtra power grid which supplies 1000 MV to the city everyday had to halt its work for a day or two. A cyber-attack on an airline data cloud was witnessed in May 2021, which resulted in leaking of the personal information of the passengers (approx. 5 million passengers’ personal data were hacked). The Indian government recorded that there were approximately 2 million cyberattack cases in 2020 which was 3 times that of the previous years..
The whole problem of cyber-attack is exacerbated when the country has weak cyber security infrastructure and lack of will-power by the government to look into the matter and act as a straw that broke the camel’s back. It hasn’t paid proper heed to the fact that the right to privacy is very intricate to each and every citizen and the violation leads to loss of confidence in the system and government as a whole.
In this research paper I will talk about the Supreme Court’s judgment on the recent Pegasus spyware case and the problems attached to the existing cyber laws of India.
Research Methodology
This research paper used a doctrinal method and was primarily structured upon secondary sources of information. The paper used news articles, different law books, Indian Constitution, legislations, foreign laws and the Indian case laws. The paper has paid importance to journals, and has worked extensively with the help of online portals and web pages.
Literature Review
“Information is the oil of the 21st century, and analytics is the combustion engine.”
-Peter Sondergaard, 2011.
“Cybercrime also called computer crime, is the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government.”
Because of the industrialization and widespread use of the internet, it has erased the boundaries between two countries which helps a cyber-criminal sitting in the USA to commit with a person who’s residing in India. A computer security agency recently claimed that serious and invisible cyberattacks have been witnessed all around the world by countries like US, India and world organizations. Cyber-crime losses about $300 billion to 1 trillion to the world’s economy which is 0.4% to 1.4% of total GDP, which is just more than one per cent of the global GDP.[2]
The situation becomes worse when the government is reluctant to solve the problem that is faced by its citizens, as we’re seeing the same in the Pegasus case where the Indian government denied giving any information citing ‘national security’ as its concern. The Supreme Court of India came as a saviour when they go beyond what their jurisdiction is, to solve the problem of the society at large. Courts in a federal constitution are regarded as the guardian of the constitution and protection of the rights of individuals. Article 32(1)[3] further provides for the rights to move to the Supreme Court by appropriate proceedings for the enforcement of the rights conferred by Part III[4] of the Indian Constitution.
Pegasus Attack
Recently individuals from nearly 45 countries including Indian leaders, journalists, and activists are suspected to have been affected by Pegasus software. Pegasus is a spyware that is developed by the Israeli cyber firm, NSO group. Users’ entire stored data can be accessed by the use of this software, and once users’ mobile or personal data server is invaded by Pegasus it will have control on the entire functionalities of the device and can remotely control the users’ entire system.[5]The NSO group claims to only license the Pegasus technology to law enforcement and intelligence agencies of “vetted government”.
The Union government has refused to take any clear stand as to whether it has used the spyware or not and has not given any information when asked by the Supreme Court citing “national security” as the reason.[6]But the apex court turned down the ‘national security argument saying “The state cannot keep a secret from the court merely on the bogey of ‘national security’ and expect the judiciary to remain a “mute spectator”.[7] The Supreme Court decided to set up an independent committee to investigate the allegation. The functioning of the three members Technical Committee will be overseen by the retired Supreme Court judge Justice RV Raveendran.[8] This judgment also reiterates the judicial activism of the Indian Supreme Court.
Judicial Activism is a judicial philosophy holding that the courts can and should go beyond the applicable law to consider broader societal implications of its decisions.[9] Modern trend of Judicial activism began in 1973 when the Allahabad HC rejected the candidature of Indira Gandhi in State of Uttar Pradesh v. Raj Narain. The introduction of public interest litigation by Justice V.R. Krishna Iyer further expanded its scope.[10]
National Security vs. Right to Privacy
“Surveillance is not new, but technology has permitted surveillance in ways that are unimaginable”, Sanjay Kaul remark in Puttaswamy Judgment[11] that declared the fundamental right to privacy.
Pegasus spyware has raised certain questions about the extent to which in the name of national security, the Indian government can deny giving information.
Union minister for electronics and information technology, Ashwini Vaishnav stated before the court that there are certain provisions through which the Union Government can legally monitor its citizens and has the right to deny information pertaining to the security of the state. He referred to Section 5(2) of Indian Telegraph Act 1885, Section 69 of Information Technology Act, 2000, and the Information Technology (Procedure and Safeguard for Interception, Monitoring and Decryption of Information) Rules, 2009.
The installation of Pegasus spyware on the target’s phone goes beyond the power of “electronic surveillance” as given under Section 69 of IT Act 2000. This is illegal and comes under Section 43 and 66 of the Information Technology Act. Hacking is a criminal wrong and no exception has been attached for the purpose of national security[12]. The Pegasus infractions thus represent a case of illegal and unconstitutional surveillance. Moreover, none of the central legislation defines the term ‘national security’. In Venkatesh Nayak case[13], the government said “National security covers not only the matters covering defence and foreign relations but also political and economic stability as well as public order”. But the government nevertheless denies giving certain information in the name of national security. Government should know that they can lawfully surveil or deny giving information when it comes to the security of the state, but they should prove and justify the same in the Court.
“Government should give a proper explanation when it is a concern of citizens’ Right to Privacy. Government should not take an adversarial position when the fundamental rights of the citizens are at threat.”[14]
The laws that the Union Minister stated have already been challenged in the Indian Court. The executive branch under these laws has unchecked and extremely broad powers of surveillance that are devoid of any meaningful safeguards, with no judicial authorization or independent oversight.
Right to Privacy
Privacy is not mentioned in the Constitution. The first case to address the issue was M.P. Sharma v. Satish Chandra.[15] In 2017, Supreme Court ruling in a nine-judge bench headed by then CJ J.S Khehar held that the Right to Privacy is a fundamental right and is an integral part of the right to life and liberty under Article 21.[16] This case recognized that a person has complete autonomy in his or her life and can make his or her choices freely.
“Right to Privacy is a globally recognized right.
Article 12 of the Universal Declaration of Human Rights, 1948, and Article 17 of the International Covenant on Civil and Political Rights (ICCPR), 1966, legally protects persons against “arbitrary interference” with their privacy, family, home, correspondence, honour and reputation. India became a signatory of the same on April 10, 1979.[17]”
So, any unauthorized surveillance on individuals which hinders their Right to privacy should not be carried on and the government should not hold the information just in the name of ‘national security’. There should be a harmonious balance between the protection of national security on the one hand and the protection of enjoyment of individual liberties on the other.
“A world without privacy is a world with unchecked surveillance, and constant surveillance is antithetical to human dignity.” One of the lawyers representing the petitioners, Shyam Divan commented.
Loopholes in our Data protection laws
We need to ask one important question, is our data protection law competent enough to protect the rights of the citizens?
The Supreme Court placed seven points of reference in front of the Technical Committee. Court expects the committee to come up with recommendations regarding the setting up of a well-equipped independent premier agency to investigate cyber security vulnerabilities, for threat assessment relating to cyberattacks and to investigate instances of cyberattacks in the country. Court has also asked the committee to make recommendations pertaining to the enactment of legal provisions on surveillance and also for enhancing and improving the cyber security of the nation and all its assets and also to ensure the prevention of invasion of the citizens’ right to privacy, otherwise done in accordance with the law. Though this is a good starting point, we need to understand we’ll have to do much more than this.
The cyber security law in India is at a nascent stage when it comes to well-developed and complex software, such as Pegasus it will not be able to handle it. Where China, Singapore, Japan and many other countries are having a well-equipped cyber-security platform, India is lagging behind when it comes to protecting its citizens from external threats dominating the arena of cyberspace. Having weak cyberspace risks a citizen to higher external cyber threats and also shows the nation in poor limelight in front of the whole world.
There are many lacunas which government has to look into-
- The National Cyber Security Policy which was released by the Government of India in 2013, had laid down certain strategies to tackle threats from cyberspace. But there has been limited implementation since then.
- India doesn’t currently have a comprehensive cyber security law. Information Technology Act 2000 deals with cybercrimes. But there are numerous cybercrimes that are not comprehensively dealt with by the Information Technology Act 2000. Section 43(a) of the Information Technology Act deals with unauthorized access to a computer while Section 43(c) has reference to introducing any computer contaminant or virus. Section 66 provides for imprisonment and a fine up to Rs.5 lakh for offences listed in Section 43.
Apart from the Information Technology Act, the Indian Penal Code, 1860 also deals with the crimes related to cybercrimes but it doesn’t provide a comprehensive outlook. Though Information Technology Act, 2000 has an overriding effect over the Indian Penal Code, 1860 provisions, there have been some instances where Indian Penal Code provisions have been applied in certain cases.
There are also sector-specific cyber laws for the Reserve Bank of India, Securities and Exchange Board of India, etc. but, we need to understand that a lot has changed since then and these laws are anachronistic. A comprehensive data protection law to address the gap in the existing framework for surveillance is yet to be enacted.
- The rise of digital payments, more influx of people in digital media platforms, etc. have increased the vulnerabilities related to cybercrimes. Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 promulgated under Information Act, 2000 has some provisions pertaining to cyber laws but it doesn’t cover the whole issue. This new Act gives a free hand to the government to regulate social media intermediaries and there is a concern pertaining to Rule 4(2)[18] of the Rule 2021, which mandates that significant social media intermediaries should provide the details of the first originator of the message upon judicial order or under Section 69 of the Information Technology Act, 2000 as per the Information Technology (Procedure and Safeguards for interception, monitoring and decryption of information) Rules, 2009. These provisions can be more disastrous for the users.
- Currently, illegally obtained evidence is admissible in courts in India, as long as it is “relevant”. Courts have held that “even if a document is procured by improper or illegal means, there is no bar to its admissibility if it is relevant and its genuineness is proved.” Extending this rationale to the operation of electronic surveillance would reduce the incentive of law enforcement agencies to comply with even the bare minimum level of procedural safeguards enshrined in the Information Technology Act and the Interception Rules, 2009. This likely increases the risk of privacy violations by the state and reinforces a ‘crime control’ model, where the state prioritizes the reduction of crime and efficiency in the criminal justice system over individual liberty and freedom.
Suggestions
There are numerous cyber agencies working under different government departments. The government needs to synergize them and should have a clear line of authority so that all existing resources can be utilized optimally.
State surveillance will further increase by a proposed law on personal data protection.[19]The current draft of the Personal Data Protection Bill which was introduced in Lok Sabha in 2019 should be amended to clearly restrict the government’s discretionary power, and mandate prior judicial authorization for access to data and surveillance on a case-by-case basis.
For surveillance reforms, it is important to amend the existing laws to ensure that evidence obtained illegally (such as through hacking, surveillance) or improperly should not be admitted as lawful evidence in criminal proceedings. This will introduce accountability and improve the rule of law and privacy for all citizens.
The absence of proper data protection law and robust cyber-ecosystem renders the fundamental right to privacy meaningless.
Conclusion
Firstly, the Indian government should have a balanced approach towards protecting national security and upholding the right to privacy of its citizens. Governments’ interests will have to be protected while individuals’ enjoyment of civil liberties and fundamental rights needs to be also safeguarded simultaneously.
Secondly, India should accept the fact that its cyber infrastructure is weak and vulnerable to external malware and should have well-defined laws that govern them and should have a strategy that lays out the guidelines on how to tackle them. India should set up High Power Committees to regulate the existing mechanism and critically analyze the loopholes that exist which makes it difficult to manage the imminent danger.
Finally, we have seen in Gobind v. State of Madhya Pradesh[20], decided in 1975 which essentially amalgamated constitutional right to privacy with the right to personal liberty and is to be infringed only by a narrowly-tailored law that served for the interest of the state. The Supreme Court ought not to allow the government to baldly get away with asserting a national security interest, but require it to demonstrate not only how national security is served by surveillance and denying information on the basis of it, but also how that was only the reasonable way of achieving national security.
- SHASWAT KASHYAP
GUJARAT NATIONAL LAW UNIVERSITY
[1]Col. Sanjeev Relia (Retd.), India’s tryst with a New National Cyber Security Policy, FINANCIAL EXPRESS (Aug. 4, 2021, 3:28 PM), https://www.financialexpress.com/defence/indias-tryst-with-a-new-national-cyber-security-policy-heres-what-we-need/2304053/.
[2]MacAfree, The Economic Impacts of Cyber Crime and Cyber Espionage, Center for Strategic and International Studies 1, 5 (2013), https://csis-website-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/60396rpt_cybercrime-cost_0713_ph4.pdf.
[3]INDIA CONST. art. 32, cl. 1.
[4]2 DD BASU, CONSTITUTION OF INDIA (2010).
[5]Prachi Bhardwaj, National Security cannot be the bugbear that the judiciary shies away from, SCC ONLINE (Nov. 10, 2021, 10:50 PM), https://www.scconline.com/blog/post/2021/10/28/pegasus-national-security-supreme-court/.
[6]Manohar Lal Sharma v. Union of India, 2021 SCC OnLine SC 985.
[7]id. at 985.
[8]Manohar Lal Sharma v. Union of India, LL 2021 SC 600.
[9]CHRISTOPHER WOLFE, JUDICIAL ACTIVISM 4 (Roman & Little field Publisher, Inc. (1997).
[10]T.R. Andhyarujina, Disturbing trends in judicial activism, THE HINDU (Aug.6, 2012, 2:33 IST), https://www.thehindu.com/opinion/lead/Disturbing-trends-in-judicial-activism/article12680891.ece.
[11]Justice K.S. Puttaswamy v. Union of India, AIR 2017 SC 4161.
[12]Vrinda Bhandari, The Pegasus Case Must be used to Press for Change in Surveillance laws, TIF 1, 2 (2021), https://www.theindiaforum.in/sites/default/files/pdf/2021/08/06/the-pegasus-case-must-be-used-to-press-for-change-in-surveillance-laws.pdf.
[13]Venkatesh Nayak v. M/O Home Affairs, (2009) CIC 14214
[14]Ram Jethmalani v Union of India, (2011) 8 SCC
[15]M.P. Sharma v. Satish Chandra, 1954 SCR 1077.
[16]K.S. Puttaswamy v. Union of India, (2014) 6 SCC 433.
[17]BS Web Team, Privacy a fundamental right, says SC: All you need to know about the issue, BUSINESS STANDARD (Jan. 9, 2020, 16:46 IST), https://www.business-standard.com/article/current-affairs/right-to-privacy-sc-verdict-today-all-you-need-to-know-about-the-issue-117082301198_1.html.
[18]Intermediary Guidelines and Digital Media Ethics Code Rules 2021, §4(2), Acts of Parliament, 2021 (India).
[19]Human Rights Watch, India: Spyware use Violates Supreme Court Privacy Ruling, Human Rights Watch (Aug. 26, 2021, 9:00 AM EST), https://www.hrw.org/news/2021/08/26/india-spyware-use-violates-supreme-court-privacy-ruling#.
[20] Govind v. State of Madhya Pradesh, 1975 AIR 1378