Shibrah Aftab Khan, a law student at University of Kashmir.  

Abstract

The Pegasus spyware controversy has exposed critical tensions between state surveillance imperatives and constitutional privacy guarantees in India. This article analyzes the legal and ethical ramifications of the Pegasus incident, framing it as a case of systemic overreach that undermines democratic accountability. By examining evidence from investigative reports, judicial precedents, and statutory frameworks, including the Indian Telegraph Act, 1885; the Information Technology (IT) Act, 2000; and the Digital Personal Data Protection Act (DPDPA), 2023, the article critiques the inadequacy of India’s surveillance laws to meet the proportionality and transparency standards mandated by the Supreme Court in Justice K.S. Puttaswamy v. Union of India (2017). It highlights gaps in oversight mechanisms, the state’s evasion of accountability, and the urgent need for legislative reform to reconcile security objectives with fundamental rights.  

Proof and Evidence: The Pegasus Controversy  

In July 2021, the Pegasus Project, a global investigative consortium, revealed that military-grade spyware developed by Israel’s NSO Group had targeted over 1,000 individuals worldwide, including Indian journalists, activists, politicians, and judges. Forensic analyses by Amnesty International and Citizen Lab confirmed Pegasus infections on devices linked to high-profile figures such as journalist Siddharth Varadarajan and political strategist Prashant Kishor. Pegasus enables unauthorized access to encrypted communications, location tracking, and microphone/camera activation, effectively transforming smartphones into surveillance tools.  

The Indian government’s response has been marked by opacity. Despite demands in Parliament and the Supreme Court, it refused to confirm or deny procurement or deployment of Pegasus, citing national security. In Manohar Lal Sharma v. Union of India (2021), petitioners argued that such surveillance, if state-sponsored, violated Article 21’s right to privacy. The Supreme Court appointed an expert committee to investigate, but its 2022 report remains classified, raising concerns about transparency.  

Legal Discussion: Constitutional and Statutory Frameworks

Constitutional Guarantees and Judicial Precedents

The Puttaswamy judgment (2017) affirmed privacy as a fundamental right under Article 21, requiring any infringement to satisfy a four-pronged test: legality, legitimate aim, proportionality, and procedural safeguards. Surveillance regimes must thus operate within a framework that prevents arbitrariness.  

However, India’s primary surveillance laws, the Telegraph Act and the IT Act, fall short of these requirements. Section 5(2) of the Telegraph Act authorises wiretapping only in “public emergency” or “public safety” cases, with prior approval from the Home Secretary. Similarly, Section 69 of the IT Act authorises interception for national security or public order, as approved by a designated officer.

In People’s Union for Civil Liberties v. Union of India (1996), the Supreme Court mandated procedural safeguards for surveillance, including post-facto review by a committee. Yet, compliance remains inconsistent, and targets are rarely notified, even post-surveillance.  

The Digital Personal Data Protection Act, 2023: A Flawed Shield? 

The DPDPA, enacted in August 2023, introduces consent-based data processing and establishes a Data Protection Board. However, Section 17(2)(a) exempts government agencies from compliance if surveillance is deemed necessary for “sovereignty, security, or public order.” This blanket immunity undermines accountability, enabling unchecked data collection without the safeguards required under Puttaswamy.  

Gaps in Surveillance Laws and State Accountability

1. Absence of Judicial Oversight: Surveillance orders under the Telegraph and IT Acts are issued by executive officials, violating the separation of powers.  
2. Vague Terminology: Terms like “public emergency” lack precise definitions, enabling misuse.  
3. Non-Notification: Targets remain unaware of surveillance, depriving them of recourse.  
4. Remedial Deficits: The DPDPA provides no statutory remedy for state-sponsored breaches, leaving victims reliant on protracted constitutional litigation.  

The state’s reluctance to reveal information pertaining to Pegasus exacerbates these issues. In Anuradha Bhasin v. Union of India (2020), the Court emphasised that national security cannot trump judicial scrutiny. However, the government’s use of “privileged claims” to withhold evidence maintains impunity.

Conclusion: Legal, Ethical, and Democratic Implications

The Pegasus saga underscores a profound democratic paradox: a constitutional democracy employing secrecy and technological prowess to surveil its own citizens, thereby eroding the foundational trust between the state and the governed. Legally, India’s surveillance architecture remains rooted in colonial-era frameworks and is increasingly ill-suited to contemporary notions of privacy and individual autonomy as recognized under the Constitution. Ethically, the unfettered growth of espionage tools not only intrudes into the intimate spaces of personal liberty, but it also hinders free speech, dissent, and the open exchange of ideas, all of which are essential elements of a functioning democracy. Politically, the normalization of clandestine surveillance operations risks entrenching authoritarian tendencies, consolidating unchecked executive power at the cost of transparency and accountability.

Urgent reforms are indispensable to arrest this democratic backsliding. A comprehensive surveillance law must be enacted, incorporating stringent safeguards such as mandatory judicial pre-authorization for interception activities, clearly defined grounds for surveillance, and stringent procedural controls to prevent abuse. The Digital Personal Data Protection Act, 2023 must be amended to eliminate sweeping exemptions granted to government agencies, thereby ensuring that privacy protections extend uniformly across all actors, including the state itself. Furthermore, an independent and autonomous oversight body, separate from executive influence, must be established with the mandate to audit, review, and publicly report on surveillance activities periodically.

Without the enactment of these critical reforms, India risks institutionalizing a surveillance regime that not only undermines the right to privacy but also threatens to dismantle the constitutional ethos of liberty, dignity, and accountability upon which the Republic is founded.

FAQ Section  

1.  What is Pegasus spyware?

Pegasus is a malware developed by NSO Group that infiltrates mobile devices to extract data, track locations, and activate cameras/microphones without user consent.  

2.  Is surveillance legal in India?

Yes, but only under specific conditions. The Telegraph Act (1885) and IT Act (2000) permit interception for national security, subject to executive approval. However, these laws lack robust oversight.  

3.  What constitutional protections exist against surveillance?

Article 21, interpreted in Puttaswamy, guarantees privacy as a fundamental right. Surveillance must be necessary, proportionate, and procedurally fair.  

4.  Can victims of illegal surveillance seek remedies?

Options include filing writ petitions under Article 32/226 for constitutional violations or complaints to the Data Protection Board (under DPDPA, 2023). However, remedies are limited for state actions.  

5.  Does the DPDPA, 2023, protect against government surveillance?

No. The Act exempts government agencies from compliance in the name of national security, creating a significant accountability gap.  

References

• Supreme Court of India. Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1. Available at: https://indiankanoon.org/doc/91938676/ 
• Indian Telegraph Act, 1885. Available at: https://legislative.gov.in/sites/default/files/A1885-13.pdf 
• Information Technology Act, 2000. Available at: https://www.meity.gov.in/writereaddata/files/itact2000/it_act2000_updated.pdf 
• Digital Personal Data Protection Act, 2023. Available at: https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023 
• Supreme Court of India. People’s Union for Civil Liberties v. Union of India (1996) 1 SCC 301. Available at: https://indiankanoon.org/doc/1009119/ 
• Amnesty International. (2021). Forensic Methodology Report: How to Catch NSO Group’s Pegasus. Available at: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ 
• Supreme Court of India. Anuradha Bhasin v. Union of India (2020) 3 SCC 637. Available at: https://indiankanoon.org/doc/126685356/ 
• Pegasus Project, Forbidden Stories. Available at: https://forbiddenstories.org/case/the-pegasus-project/