Menu
burglar, burglary, surveillance camera

PEGASUS SPYWARE AND RIGHT TO PRIVACY

Publications, Research paper

ABSTRACT

Pegasus spyware was developed by an Israeli organization called NSO with the goal of assisting governments around the world in monitoring, mostly to stop terrorist activities. Yet, in contrast to Pegasus spyware’s stated objectives, it is not employed to put an end to such activities; rather, its use has led to the invasion of several people’s privacy. The Pegasus software is designed to destroy the foundation of democracy, eliminate the independence of the court, and repress those who seek to expose the wrongdoing of those who are in positions of authority. This research paper helps to get a better idea on how Pegasus is being used to infringe our constitutional rights and to briefly explain various laws prevalent in India which protects an individual from hacking his data. Lastly, it deals with the Supreme courts stand over the issue of Pegasus.

KEYWORDS: Pegasus, Terrorism, Privacy, Constitutional Rights.

RESEARCH METHODOLOGY

The research is doctrinal method of research and has used several primary and secondary sources to collect relevant data and of critical in nature. Primary sources include cases and legislations whereas secondary sources include several Articles and journals.

INTRODUCTION

Many surveillance techniques exist based on the target monitoring equipment. The three main goals of government monitoring are electronic surveillance, reducing crime and criminal investigation. Even the most democratic and liberal nations- the United States, the United Kingdom, or India itself- have occasionally seen instances of the administration abusing its monitoring capabilities and breaching citizens’ privacy. The Pegasus snoop gate scandal of 2021 was a widespread spyware scandal that targeted a variety of reporters, political dissidents, opposition figures, activists, and graduates. It is one of the cases that highlights the importance of privacy and data protection to preserve the free press and reasonable democratic practices from the autocracy of the ruling party.

LITERATURE REVIEW

  • “Rehan Bhasin, Pegasus: An infringement of right to privacy”1

This journal helped me to understand the Pegasus spyware and why it has been highlighted in the recent times. It also explained the various instances in India which were linked with Pegasus and made a connection with the Indian political scenario.

  • 2

This journal mainly dealt with the concept of privacy and its implications. It discussed various incidents around the world and explained that there was a need for balance between the citizens privacy and govt. surveillance.

This article explained in detail all the statutes in India which are governing the technology and offences pertaining to it. It also explained in detail the chronological judgements given by courts making right to privacy as a fundamental right.

PEGASUS SNOOP GATE 2021

NSO is an acronym for N- Niv Carmi, S- Shalev Hulio, and 0- Omri Lavie, the business’s three founders. NSO is an Israeli technology company. Pegasus, also known as Q Suite, is touted as “a world-leading cyber intelligence system that enables law enforcement and intelligence organizations to remotely and secretly harvest” data from “almost any mobile devices”, including those that run on Android and IOS. The malware, a trojan horse virus, is named Pegasus after the winged horse of Greek mythology since it may be sent flying through the air via messages, emails, etc. By 2016, it had been established that Pegasus could read texts, monitor calls, gather passwords, locate the target device’s cameras and microphones, and gather data from apps. Pegasus is sold by NSO Group to “verified governments” for “lawful interception”, which is commonly believed to mean stopping terrorism and criminal organizations, despite the company’s assurances to the contrary.

1.BLJ 715, 2582-5534 (2021)

2.JCRT 358, 2320-2882 (2022)

3.TLP (May 8, 2023,9.00 AM), https://www.tnlp.co.in/

Pegasus gained widespread attention in August 2016 after an unsuccessful attempt was made to deploy it on the iPhone of Emirati human rights activist Ahmed Mansoor was discovered when he got a string of SMSs enticing to reveal “new secrets” about the cruelty that was taking place in UAE prison systems if he clicked on specific URLs/web links. Mansoor became concerned about the texts and contacted Citizen Lab, a data controls research facility, to look into the SMSs. According to Citizen Lab’s findings, if Mansoor had clicked the link, his cell phone would have immediately been hacked and injected with malware. Citizen Lab used the IP address that was contained in the text to connect the attack to NSO Group.4

PROJECT PEGASUS

A group of foreign media outlets have collaborated on the “Pegasus Project”, a journalistic inquiry into the Israeli monitoring firm NSO Group and its users. In 2020, Amnesty International and Forbidden Stories, a media non-profit group located in Paris, France, made a list of approximately 50000 names that had been labelled as “Persons of Interest” by users of the Pegasus program public. Under the title of “project Pegasus”, the identities on this list were forwarded to 17 different media outlets. The only Indian media organization to obtain the list with the identities of Indian victims was The Wire.

WHO WERE THE TARGETS?

In India, the list reportedly includes two ministers from Prime Minister Narendra Modi’s Cabinet, three opposition leaders, and more than 40 reporters. Rahul Gandhi, a well-known opposition leader, is among them. The list also includes phone numbers of various UN embassies and other ambassadors5. Even the most prominent politicians, including Rahul Gandhi, the leader of the largest opposition party in India, were not exempt. Other prominent figures targeted by the spyware include Prashant Kishore (Political strategist), Ashok Lavasa (Former election commissioner of India), Umar Khalid (Former leader of Democratic Students’ Union in Jawaharlal Nehru University) and many more.

4.Pegasus spyware: French President Macron changes phone after hack reports, BBC, (May 9,2023,9.40AM) https://www.bbc.com/news/world-europe-57937867

5.Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally, (May 9,2023,9.45AM), https://www.amnesty.org/en/latest/news/2021/07/the-Pegasus-project/

HOW DOES IT WORK?

There are two widely known methods through which Android or iOS devoices can be infected with it:

  1. Needs contact with the owner: tricking the target into clicking on a harmful link using emails or texts that are frequently customized for the unique target.
  2. A technique that doesn’t involve the owner– this frequently involves taking advantage of software faults, operating system bugs, or app connections that the maker of the device or software developer is unaware of.
  3. They are known as “zero-click” attacks, meaning they were carried out without the target’s explicit consent (such as a missed call) or any action on their part (such as clicking a dangerous, cloaked link, also known as “spear phishing”). Emails, texts, contact lists, location information, images, and videos are among the personal and sensitive data that it is capable of copying and harvesting.

USAGE IN THE POLITICAL SCENARIO

The most starring name among the list of targets is that of the woman and her eleven family members who had accused the former Chief Justice of India, Justice Ranjan Gogoi of sexual harassment due to which the Pegasus spyware creates an apprehension on the spirit of democracy and the use of powers in a non-arbitrary manner. Moreover, there are reports of the year 2019 which claim that the Pegasus spyware was used to topple the Congress-JDS coalition Government from Karnataka which the NDA government led by B.S then took over. Yediyurappa. Further, there are allegations that nearly 300 phones were hacked using Israeli spyware during or before the general elections of 2019 which the BJP won by a thumping margin. The 300 phones that were alleged to be hacked were of people that were not “friendly” with the Modi Government.

LEGAL PROVISIONS RELATED TO ELECTRONIC SURVEILLANCE

Currently, there is no explicit legislation protecting data protection or privacy in India. The Information Technology Act of 2000 and its following revisions, as well as laws like the Indian Telegraphs Act of 1885, provide a legal framework for India’s surveillance regulations. The Information Technology Act of 2008 also created CERT-In (Indian Computer Emergency Response Team), a department inside the Ministry of Electronics and Information Technology of the Government of India.

  1. Section 69 IT Act, 20006:

This section permits the decryption, monitoring, and interception of digital data when it serves the following purposes:

  • The sovereignty of India,
  • Closer ties with a foreign state,
  • Concerns pertaining to defence,
  • State-wide safety,
  • An insight into the offence.
  • Rule 3, Information Technology (Procedure for safeguards for the interception, monitoring, and decryption of information) rules, 20197:

First, Note the causes of the interception. The order for interception may be prolonged for a maximum of 180 days, but it must not surpass 60 days from the date of issue. Documents received by interception must be destroyed within six months. No information should be disclosed to a third party. Only after the fulfilment of all the above-mentioned criteria intercepting of messages is legal.

  • 8:

A public official now has the legal right to intercept communications in the event of a public emergency or in the benefit of the common welfare. Such an interception cannot be unfounded because it must meet one or more of the following requirements.

  • India’s independence and sovereignty
  • Positive connections with other countries
  • The proviso to this section states that press messages intended for publication that are accredited to the Central Government or any State Government shall never be intercepted unless such section forbids them.
  • Public order
  • Protection of the State.

6.Information Technology Act 2000, §69.

7.Information Technology Rules 2019, R. 3.

8.Indian telegraph act 1885, § 5.

  • Section 43 of the IT Act provides that “any person who without permission of the owner of a computer system, accesses; or secures access to; downloads; copies; or extracts any data from the system; introduces; or causes to be introduced any computer contaminant or computer virus into any computer; damages; disrupts or denies access to such computer system, etc shall be liable to pay damages by way of compensation to the extent of Rs. 1,00,00,000/”9
  • Personal data protection bill, 2019:

The bill was introduced in December 2019 by the current Union Government. The bill, 2019, came into the picture to respect the right to privacy of each individual residing within the territory of India. On the face of it, the bill seems to be reform but with a deep study, one will come across a few flaws that have not been catered to. The exemptions specified in the Bill are rather hazily described, for instance, the exclusion from the terms of this act for punishment or inspection does not identify the method of doing so and may be abused by the government for political gain. Moreover, the personal data protection bill, 2019 has exempted government officials from its purview and has also empowered the Government to exempt any of its agencies.

A CLEAR INFRINGEMENT ON THE RIGHT TO PRIVACY

What does the right to privacy mean? “Privacy” is defined by the Court as the “condition or situation of being free from people’s scrutiny to encroachment into or interference with one’s acts or choices”. The “right to be left alone” has been used to express the right to exist. The right to life is guaranteed by Article 21 of the Indian Constitution, and it includes more than just the existence of animals. The right to life encompasses the right to a dignified existence. The State has a responsibility to safeguard human dignity as well as promote it by making efforts to do so.

The Supreme Court has argued in its seminal work on privacy that privacy is essential to dignity. Privacy therefore covers not only the physical body but also integrity, personal autonomy, data, communication, consent, demonstrations, acts, thoughts, and appearance. Many contemporary civilizations acknowledge the need of privacy, not only for humanitarian purposes but also because it protects individuals from a legal point of view.

9.Information Technology Act 2000, §43.

JUDICIAL DECISIONS-

People’s Union of Civil Liberties v. Union of India10

A public interest litigation was filed by the petitioner, PUCL, a non-profit organization, contesting the constitutionality of Section 5(2) of the Act, which permitted the National Government or the State Government to invade texts during a national emergency or for national safety if they believed it was appropriate to do so for a variety of reasons, including the sovereignty and integrity of India, cordial relationships with other states, and public order.

A two-judge bench of the Supreme Court determined that cell phone monitoring violates a person’s right to privacy while considering the constitutionality of section 5(2) of the Telegraph Act. It further said that telephone calls are an expression of a citizen’s right to freedom of speech and expression under Article 19(1) a of the Constitution, telephone call interception must be a legal restriction under Article 19(2) of the Constitution. 

While deciding validity of Section 5(2) court gave guidelines when interception orders could be issued. Two criteria, namely the “occurrence of any public emergency” or in “the interest of public safety”, had to be met before this clause could be used. The Court observed; “it is no doubt correct that every Government, exercises some degree of operation as a part of its intelligence but at the same time citizen’s right to privacy has to be protected from being abused by the authorities”

Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors.11

Judge K.S. Puttaswamy, a retired judge of the Karnataka High Court, submitted a petition to start this litigation in regard to the Aadhaar Project, which was led by the Unique Identification Authority of India (UIDAI). The UIDAI assigned individuals of India a 12-digit identification number called an Aadhaar number. In the interest of streamlining delivery of services and weed out fraudulent claimants, the Aadhar project was integrated with a number of welfare programs. Judge Puttaswamy filed a plea in an effort to question the constitutionality of the Aadhaar card program. The standards for the collection of demographic biometric data by the government were contested in 2015 before a three-judge bench of the court on the basis that they violated the right to privacy.

10. People’s Union of Civil Liberties v. Union of India.,(1997) 1 SCC 301.

11. Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1.

A Constitution Court decided on July 18, 2017, that a bench of nine judges should hear the case. The Court stated that after Maneka Gandhi12, this approach of viewing fundamental rights as locked vessels was dropped. The Court further noted that there was inbuilt inconsistency in the popular opinion in the Kharak Singh v. State of U.P. & Ors13 because there was no legal basis for nullifying police surveillance and home visits other than privacy, a right they accepted in principle but ascertained was not guaranteed by the Constitution.

Significantly, the judgment found that the right to privacy was not absolute in nature while also outlining the judicial review process that must be followed when the State intrudes on a person’s privacy. In light of its decision, the right to privacy may be restricted for state objectives.

SUPREME COURTS TAKE ON PEGASUS

There were several writ petitions submitted to the Indian Supreme Court. In Manohar Lal Sharma v. Union of India & Ors14, the court took the issue under examination. The case in question was considered by a three-judge panel that included Chief Justice of India N. V. Ramana, Justice Hima Kohli, and Justice Surya Kant. During the hearing, the Supreme Court gave their justifications for accepting the case.

The court was moved to take the case under consideration by the reports from Citizen Lab and other credible news organizations around the world, as well as the responses from international governments and legal institutions. Some of the plaintiffs who filed these writ petitions with the court claimed to be direct victims of the Pegasus spyware attack, while other applicants were Public Interest Litigants. So, in order to establish the legitimacy of the process, the majority of the petitioners asked for thorough investigations into the claims.

The right to privacy of citizens, freedom of the press, and restrictions on the administration’s use of national defence as a protective layer to obstruct disclosure of information are the three main essentials emphasized by the Supreme Court. The Union of India may refuse to disclose information by asserting national security or other specific exemptions under a certain act, the court ruled, but they must produce evidence to support their decision. It has established seven criteria of inquiry for the committee, including who bought Pegasus and whether the plaintiffs in the case were actually targeted by the program, among other things.

12. Maneka Gandhi v. Union of India.,(1978) 1 SCC 248.

13. Kharak Singh v. State of U.P. & Ors.,(1963) AIR 1295 SC.

14. Manohar Lal Sharma v. Union of India & Ors., W.P (civil) 314 of 2021.
 

COMMITTEE REPORT

The report of the technical committee is separated into three parts. The first section of the report includes publicly accessible research data concerning various types of spyware and how they operate. The second half of the report addresses the results from the 29 mobile phones that were provided to it for analysis. The committee’s findings and recommendations are presented in the third section. The technical committee claims in the third section that there is insufficient proof that the malware discovered in five of the mobile phones belongs to Pegasus.

SUGGESTIONS

Firstly, it is important to launch an impartial public inquiry to unbiasedly look into these accusations and restore public confidence. Second, establishing judicial oversight of surveillance is necessary to uphold the objective of due process of law. Only the judiciary may decide on such situations because of the seriousness of the situation. Third, A stringent data protection law is required to safeguard each person’s right to privacy, including shielding it from government surveillance and unauthorized data collecting. Fourthly, A decision to forbid the use of private spyware would be a positive development.

CONCLUSION

The government is the highest authority in a nation. People rely on their elected officials to protect their freedoms and rights. The state ought to be the very last organization to spy on a person. But as a result of recent instances of state invasion of privacy there is a perception that India’s democracy is in danger. The judiciary has made some helpful remarks, but not enough. Although it is somewhat apparent that data interception on some suspicious individuals is required and helpful for national security purposes to prevent violence, there must be some precautions and strict rules in place to guarantee that the state does not abuse this position. Now, the government must demonstrate its innocence and there is primary duty to enact legislation on data protection.

G. BHARGAVI,

(6th SEMESTER) III YEAR BA.LLB,

DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY, VISAKHAPATNAM.