Author: Drushti Shah, Adv. Balasaheb Apte College of Law
To The Point
“Privacy”. Been a 21st century kid the most fights I have with my parents is on this above quote word. Will I be Right if I say none of us have passwords to our phones, to apps that we use? Nowadays, it’s rare to encounter a phone without a password. Why is that? Because we desire to keep our personal information private, shielded from everyone, even our own families.
But imagine discovering that an unknown person has gained access to your phone and all your private data without your consent and without even touching your device. Wouldn’t that be a shocking revelation? While some may find this scenario amusing, it’s a reality we’ve been facing for several years now.
Abstract
Imagine the unsettling feeling of knowing that all your private phone data has been accessed by someone. All your messages, photos, videos, phone calls, and even your camera are within reach of a person living far away. Many might wonder, “Is this really possible?” The answer is yes.
Pegasus is a software that has turned privacy into a major concern. This article will explore:
What Pegasus is
Its effects on the privacy of citizens in various countries
The situation in India regarding Pegasus
The Supreme Court’s perspective on the matter
The Proof
An Israeli-based technology and cyber arms firm, NSO Group, developed the notorious Pegasus spyware. The NSO represents the first names of its founders: Niv, Shalev, and Omir. The Pegasus suite of spyware is reportedly capable of compromising an individual’s digital devices through zero-click vulnerabilities—meaning it can infiltrate without any action required from the target. Once the spyware gains access to a device, it allegedly has the ability to retrieve all stored data, including real-time access to emails, text messages, phone calls, and even the device’s camera and microphone. The user of Pegasus is said to gain complete control over the device, allowing them to remotely manage various functionalities.
Classified as cyber arms by the Israeli government, Pegasus can only be purchased by national governments with prior authorization from Israel. According to NSO Group’s own website, the end users of this product are “exclusively government intelligence and law enforcement agencies.”
In September 2018, Citizen Lab, a research institute at the University of Toronto, Canada, published a report outlining the capabilities of Pegasus, indicating that individuals from approximately 45 countries were suspected victims. In May 2019, WhatsApp Inc. discovered a vulnerability in its software that allowed Pegasus spyware to infiltrate its users’ devices. This revelation was followed by confirmation that certain individuals in India had also been affected, acknowledged by the then Hon’ble Minister of Law and Electronics and Information Technology in a Parliament statement on November 20, 2019.
On June 15, 2020, Citizen Lab, in collaboration with Amnesty International, revealed another spyware campaign targeting nine individuals in India, some of whom had already been flagged in the initial spyware incident. On July 18, 2021, a coalition of nearly 17 journalistic organizations worldwide, including one from India, shared the findings from an extensive investigation that suggested the alleged use of Pegasus on numerous private individuals. This research stemmed from a list of about 50,000 leaked numbers, purportedly under surveillance by NSO Group clients using Pegasus. Initially, it was found that nearly 300 of these numbers belonged to Indians, many of whom were prominent journalists, doctors, political figures, and even court personnel.
These reports sparked widespread action internationally, with some foreign governments diplomatically engaging with the Israeli government to verify the allegations, while others initiated internal investigations. On July 18, 2021, the Union Government of India, through the Hon’ble Minister of Railways, Communications, and Electronics and Information Technology, responded in Parliament to inquiries about the alleged cyberattacks and spyware usage. The Minister stated that the published reports lacked factual basis, clarifying that merely appearing on the leaked list did not confirm infection by Pegasus. Furthermore, the Minister noted that NSO had disputed many claims made in the Amnesty report, asserting that India’s statutory and legal framework regarding surveillance and communication interception is stringent, ensuring that no illegal surveillance could occur.
The Legal Jargon
After the statement of Minister, a writ petition was filed in supreme court by many people some of them were the one targeted by Pegasus spyware. The petitioners requested a judicial probe to investigate if the Indian government used Pegasus to spy on journalists and other citizens, and if due process was followed. They also submitted to the Court that Pegasus would have a chilling effect on freedom of speech and expression and violate the right to privacy. They raise the issue of the inaction on the part of the Union of India to seriously consider the allegations raised, relating to the purported cyberattack on citizens of this country. Additionally, the apprehension expressed by some Petitioners relates to the fact that, keeping in mind the NSO Group disclosure that it sold its Pegasus software only to vetted Governments, either some foreign government or certain agencies of the Union of India are using the said software on citizens of the country without following the due procedure established under law. Therefore, to ensure credibility of the process, most of the Petitioners are seeking an independent investigation into the allegations. Key Issues before the court was-
Should the Court order an investigation to determine if the Union Government used Pegasus spyware?
If the Union Government has used Pegasus spyware, does this violate the right to privacy?
If the Union Government has used Pegasus spyware, does this violate any surveillance related legal framework?
The Apex court requested the union government to respond the petition through affidavit. Tushar Mehta the Solicitor general from the union side submitted a limited affidavit. The affidavit stated complete denial of all allegations made against the Union. It said that the petitions were only based on unsubstantiated media reports which cannot be made a basis for invoking writ jurisdiction. The affidavit also stated that the Union will form a committee of experts to investigate the issue to prevent any wrong narrative from being spread. But the court was not satisfied with the limited affidavit and stated that the ‘limited affidavit’ was insufficient as it lacked the Union’s stand with respect to the allegations. The court asked the respondent to submitted a full detailed affidavit on which the Solicitor General stated that a certain disclosure of facts will hamper the national security of the nation. The Attorney of the petitioner side criticised the idea of union government to form a committee of experts on its own and stated that it would lack transparency and creditability. The court taking in consideration of petitioner concern of the privacy and safety of the citizens of country appointed a investigation committee independent of union government to investigate the matter. In August 2022, parts of reports by the committee were submitted and read in open court. The report said 5 of 29 devices assessed by the committee had suspicious malware. However, the report did not confirm whether this malware was Pegasus. The committee is yet to submit the complete report before the Apex court. While arguing the senior advocate on petitioners side questioned whether the spyware was used by the government or not? “If they have used it before…there is nothing preventing them from using it today,” he stated. To which Justice Kant responded that there is nothing wrong with using the spyware—concerns arise based on who it has been used against. He added “terrorists cannot have a privacy right.” The verdict of the hon’ble court is still pending as the committee is yet to submit the complete report.
Conclusion
At its core lies a fundamental question: Can the State, under the guise of national security, overstep constitutional safeguards and silently breach the right to privacy? The revelations surrounding Pegasus, though not conclusively proven in the Indian context, have undeniably triggered deep concerns over unchecked surveillance, the potential misuse of state power, and the weakening of democratic institutions.
The Supreme Court’s decision to appoint an independent committee was a significant step in upholding judicial independence and citizen rights. However, the absence of a final report and verdict leaves the matter hanging in ambiguity, prolonging the fear and uncertainty among the public. As we await further clarity, it is essential to remember that technology, while a powerful tool for governance, must never be weaponized against the very people it seeks to serve. A transparent and accountable framework for surveillance, backed by strong judicial oversight, is the need of the hour to ensure that privacy remains a cornerstone of democracy and not a privilege granted selectively.
FAQs
What is Pegasus?
Pegasus is a spyware created by Israeli based NSO Group which can access data of any device through zero click vulnerability.
What is Right to privacy?
The Right to Privacy being a part of right to life means that every individual has the right to keep their personal life, choices, information, and communications free from unwanted intrusion, whether by the government, corporations, or other individuals.
How does Pegasus spyware get on your phone?
Zero-click exploits use bugs in popular apps like iMessage, FaceTime and WhatsApp. Pegasus can infiltrate a device using the protocol of the app once bugs are found.
