Author: Sreya S, a student at the National University of Advanced Legal Studies, Kochi
Abstract
This article examines the controversy surrounding the leaked database targeted by NSO’s Pegasus surveillance tool, alleging its use by the Indian government to monitor a wide spectrum of individuals including journalists, politicians, and activists. This issue, currently under judicial scrutiny, raises profound concerns about privacy violations and the potential misuse of powerful surveillance technologies. It argues for regulatory measures to govern the deployment of such tools, emphasizing the need to balance national security imperatives with protections for civil liberties. The discussion extends to the global context, advocating for international norms that align with national laws to safeguard privacy rights while ensuring effective national security strategies.
Introduction
The leaked database of names and numbers allegedly intended for the spy program Pegasus, which the Israeli company NSO sells, sparked a massive uproar. On August 5, 2021, a bench of the Chief Justice of India N.V. Ramana and Justice Surya Kant noted that, given the accuracy of the news reports, the allegations that the government spied on citizens, journalists, ministers, lawmakers, and activists using technology based in Israel were “no doubt serious.”
Although the matter was under appeal, it sparked concerns about the potential abuse of this military-grade software, which was sold with the explicit consent of the Israeli Defence Ministry. The possibility of using surveillance technologies for illegal political purposes that violate people’s rights to privacy and human dignity also gave rise to concerns.
This article contends that while it is the sovereign duty of any nation to empower intelligence and security agencies in combating criminals and terrorists, cyber tools, akin to other military weaponry, must be subject to regulation to mitigate potential abuse and unintended harm to civil society. The discourse on privacy versus national security should transcend simplistic dichotomies. Contrary to popular belief, enhancing individual privacy can enhance national security. It calls for international deliberation and the adoption of global standards, aligned with national laws, to establish cohesive norms.
The Origins of the Controversy
On July 18, Forbidden Stories, a Paris-based non-profit media organization, and Amnesty International jointly disclosed a list of phone numbers belonging to journalists, activists, and political leaders allegedly targeted by the Pegasus surveillance tool. Named the ‘Pegasus Project’, the investigation involved a consortium of 80 journalists from 17 media outlets across 10 countries, including The Wire, The Guardian, and The Washington Post. The leaked database contained 50,000 names, including 300 phone numbers from India, encompassing business executives, human rights activists, journalists, diplomats, military leaders, and senior politicians from 34 countries. Notable figures identified in the database included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Pakistani Prime Minister Imran Khan.
A diplomatic and political dispute flared across multiple nations, including India, France, Hungary, South Africa, Rwanda, and Morocco, following revelations about the use of the Pegasus spyware. France launched investigations into allegations that the spyware, reportedly linked to Morocco, was misused. Israel responded by forming a senior inter-ministerial Task Force under its National Security Council to probe global allegations of spyware misuse. On July 29, Israeli authorities conducted a raid on the office of the NSO Group, the company behind Pegasus, as part of their investigative efforts.
Morocco refuted allegations of spying on foreign leaders and initiated defamation lawsuits against Amnesty International and Forbidden Stories. Rwanda denied targeting the phone of the South African President, asserting its lack of technical capability for such large-scale espionage activities. Neither India nor Pakistan directly addressed claims suggesting Delhi may have targeted Imran Khan for surveillance.
In an interview, NSO CEO Shalev Hulio stated, “We don’t have and have never had any ties to the list that was published.” NSO maintains that it exclusively sells its technologies to law enforcement and intelligence agencies of “vetted governments” for the purpose of preventing criminal and terrorist activities. Hulio expressed concerns about what he described as an “attack” on the Israeli cyber sector, suggesting a coordinated effort involving a consortium of journalists worldwide and the involvement of Amnesty International, indicating a potential orchestrating force behind the controversy.
The Indian government had stated that it was committed to safeguarding the privacy of its citizens, and adhered to established protocols for the lawful interception of electronic communications under Section 5(2) of the Indian Telegraph Act, 1885, and Section 69 of the Information Technology (IT) Act, 2000. Yet, the government did not issue any statement regarding its acquisition or employment of Pegasus spyware within India. An Indian Express calculation had estimated the initial expenditure for surveillance targeting Indian targets to be well over Rs 56 crore, suggesting that surveillance at such a scale could only have been undertaken by state agencies or potentially another nation.
A Closer Look at Its Technology
The reported misuse of the global telephone system for surveillance purposes was an ongoing challenge, compounded by difficulties in conducting thorough investigations. When devices are tracked or messages intercepted, traces may not remain on the target’s device, complicating efforts for investigators. According to findings from The Citizen Lab, an interdisciplinary laboratory at the University of Toronto, the Pegasus spyware exploited vulnerabilities in the global mobile phone system to monitor calls, texts, and device locations. NSO customers were able to acquire a system that could be integrated with local telecommunications infrastructure or utilized through a cloud platform connected to telecommunications providers globally.
As part of the ‘Pegasus Project,’ Amnesty International conducted a forensic analysis of 67 phones from a pool of 50,000 suspected targets. Among these, 23 phones were confirmed to have been successfully infected with Pegasus, all of which were iPhones. Additionally, 14 phones showed signs of attempted Pegasus infections, with 11 being iPhones and 3 being Android devices. The prevalence of Apple and Android operating systems on these smartphones underscores their susceptibility. Amnesty International suggested that Pegasus operators potentially utilized a rogue cell tower or deployed equipment at mobile operator sites to conduct network injections, masking malicious data requests as legitimate ones. Furthermore, Pegasus exploited Apple’s iMessage service to execute zero-click attacks through iCloud accounts associated with Gmail and Microsoft Outlook email addresses.
Privacy vs. National Security
The Pegasus scandal brings up a number of topics pertaining to the current discussion about privacy vs national security. Governments can intercept electronic communications in order to deter threats to national security and to prevent or discover crimes. This is a widely acknowledged standard. “You can see terrorists getting caught, you see crimes being stopped,” remarked a person intimately involved in the project’s setup, following the Central Monitoring System’s 2013 launch in India. You must be watched over. This is to keep you and your nation safe.”
The government is authorized to monitor suspicious people in specific situations under the provisions of the Indian Telegraph Act and the IT Act, 2000. The Union Home Secretary, or another appropriate authority, must provide their assent before anything can be done. It is the responsibility of political and security leaders to use technology in this digital age of artificial intelligence and end-to-end encryption to comprehend risks and solve problems.
However, on August 24, 2017, the Indian Supreme Court ruled that the right to privacy is a basic right that is safeguarded by the Indian Constitution. The government’s efforts to monitor personal information and data are subject to increased scrutiny as a result of this verdict. The civil society must be convinced by state authorities that technologies are not being abused for mass or uncontrolled monitoring intended to forward political agendas.
Finding a careful balance between national security and privacy is necessary. Although these two are frequently perceived as conflicting needs, this isn’t always the case. It is critical to recognize that enhancing personal privacy can enhance national security. Unrestricted acquisition of personal data can provide important insights into the attitudes, emotions, ideologies, and convictions of significant segments of the populace. Such knowledge can be used by an adversary to stoke societal unrest and change the behaviour of the masses. This is but one illustration of how inadequate privacy can harm the interests of a country.
A recent study from the Internet Freedom Foundation revealed concerns that BSNL might be gathering and monetizing user data without their explicit consent. Of particular worry is the fact that over half of BSNL’s mobile network equipment is supplied by two Chinese firms, Huawei and ZTE, potentially raising issues about these companies accessing data without users’ knowledge. This issue extends beyond BSNL, as the lack of a data protection law means there are currently no regulations governing which entities can gather specific types of data.
In the absence of a robust legal framework, the protection of personal data remains alarmingly weak. According to the World Economic Forum’s Global Risks Report 2019, India experienced its largest data breach in 2018, involving its Aadhaar government ID database, which reportedly compromised the records of all 1.1 billion registered citizens.[xiii] More recently, Air India disclosed a breach affecting 4.5 million passengers, exposing sensitive information such as names, dates of birth, contact details, credit card information, passport details, and frequent flyer data.[xiv] Such data breaches often result in the sale of compromised information to malicious actors, posing significant threats to national security. While surveillance of foreign governments is often conducted covertly, the legitimacy of such actions has been questioned. The revelations by Edward Snowden highlighted extensive global surveillance by the U.S. and its ‘Five Eyes’ intelligence partners (Australia, Canada, New Zealand, and the United Kingdom). India has also been implicated in similar surveillance activities, raising concerns when foreign technologies are employed for these purposes.
If Indian agencies were indeed utilizing the Pegasus software, there is a concern regarding the potential transfer of collected information to other entities. All companies are legally obligated to comply with their home country’s laws on matters of national security and cannot refuse governmental requests. Additionally, there have been suspicions that the Israeli government may also access information gathered by NSO, the maker of Pegasus.
In March 2018, the U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which stipulates that companies under a country’s jurisdiction can be compelled to provide data they control, regardless of where it is stored globally at any given time.[xvi] Similarly, China’s National Intelligence Law of 2017 mandates that organizations and citizens must support and cooperate with state intelligence efforts in accordance with the law.
As previously discussed, the debate between individual privacy and national security is complex and cannot be viewed in simple terms. Insufficient protections for individual privacy can create opportunities for other nations to gather critical data that could be used against our national interests. This risk is heightened if foreign entities are involved in collecting such sensitive data. Not only is there a possibility of data being transferred abroad, but there is also a concern that the government could be influenced or pressured by foreign actors due to vulnerabilities in data security practices.
Efforts to address the challenges posed by the surveillance industry require both national and global regulatory measures. Research from Citizen Lab underscores the inadequacies in regulating the surveillance sector, where products are frequently misused despite claims of self-regulation by companies.
A 2019 report presented to the United Nations Human Rights Council highlighted the lack of transparency and oversight in the private surveillance industry. The U.N. Special Rapporteur proposed an immediate halt to the worldwide sale and transfer of private surveillance technology until comprehensive human rights protections are put in place. These safeguards are essential to ensure that governments and non-state actors use surveillance tools in ways that respect human rights.
While a complete moratorium on surveillance technology sales may be challenging to implement, there is a call for stricter regulations governing the sale and transfer of such technologies. The United Nations could play a pivotal role in developing and advocating for these norms, encouraging member states to adopt comprehensive regulations that uphold human rights standards in the use of surveillance technologies.
Conclusion
The Pegasus controversy underscores the need for balanced regulations that ensure both national security and privacy. While governments have a duty to equip security agencies with tools to combat threats, unchecked data collection and inadequate handling pose significant security risks. In India, the enactment of the Personal Data Protection Bill is crucial to build trust in safeguarding privacy and holding violators accountable.
It’s imperative for India to develop indigenous technological capabilities to prevent unrestricted use of foreign applications for harvesting Indian citizens’ data, which could potentially be exploited across borders for intelligence purposes. National security must be supported by indigenous technologies that include robust safeguards to protect the privacy and human rights of all citizens, as guaranteed by the Indian Constitution.
FAQS
1. What is the Pegasus surveillance tool controversy about?
The controversy involves allegations that the Pegasus spyware was used by governments to surveil journalists, politicians, activists, and others, raising concerns about privacy violations.
2. Why is the Pegasus Project significant?
The Pegasus Project revealed a list of potential surveillance targets globally, highlighting issues of privacy infringement and misuse of surveillance technologies for political purposes.
3. How does the debate on privacy vs. national security unfold in this context?
The debate acknowledges the need for surveillance to combat threats but underscores the risks of unchecked surveillance on civil liberties and democratic values.
4. What international responses have there been to the Pegasus revelations?
The revelations prompted calls for stricter international regulations on surveillance technology to ensure transparency and prevent misuse.
5. What is the role of the Personal Data Protection Bill in India?
The Personal Data Protection Bill aims to establish clear guidelines and penalties for data privacy violations, addressing concerns raised by incidents like the Pegasus controversy.