Authors: Soundarya.S and V.L. Rajamatangi
Year of study: 3rd
Institute of affiliation: School of Excellence in Law
Pegasus is in the news today. It has triggered major political controversies in India and around the world, and it has a global collaborative character. It mainly targets opposition parties, journalists, social activists, etc. Here, we look at the origin of Pegasus and how it works. We also discuss the Canadian organization THE CITIZEN LAB and the evolution of the Pegasus malware. It violates the very foundations of our constitutional rights and liberties. Pegasus malware is a legitimate tool for surveillance coming under the legal provisions of the Indian Telegraph Act, 1885 and the Information Technology Act, 2000. But the real problem arises when there are no checks and balances on the exercise of that power. We examine the provisions and regulations in these Acts as they relate to the Pegasus malware. Initially, it used the “spear-phishing technique”. In later versions, the “zero-click attack technique” was employed. In this article we discuss Pegasus spyware, the legal framework around state surveillance, and how it violates our constitutional rights.
Keywords: Political Controversies, Global Collaborative Character, THE CITIZEN LAB, Social Activists, Journalists, Constitutional Law, Spear-Phishing Technique, Zero-Click Attack.
Pegasus spyware is now at the centre of the news and has triggered major political controversies around the world. Project Pegasus is part of a global collaborative investigation that involved many popular media outlets, such as The Wire from India and The Guardian from the UK, and many human rights organizations such as Amnesty International. It also involved a few not-for-profit organizations like Forbidden Stories, a Paris-based organization. This collaboration conducted research into the usage of the spyware and found that thousands of people around the world, especially noted personalities, were targeted. In India, many people have been targeted, including opposition leaders, constitutional authorities, journalists, social activists and business people.
HISTORY OF PEGASUS
It is a highly sophisticated military-grade spyware developed by the Israeli cyber-arms firm NSO Group. Pegasus spyware enables the surveillance of smart devices such as mobile phones, desktops, laptops, etc. It was discovered in 2016, after a failed installation attempt on the iPhone of human rights activists led to details being revealed about the spyware, its abilities and security vulnerabilities. In 2016, researchers in Canadian cybersecurity created an organization called THE CITIZEN LAB, which initially encountered Pegasus on a smartphone. The main person included in this organization was Ahmed Mansoor. In 2018, THE CITIZEN LAB published a report that identified 45 countries in which Pegasus was used, India among them. In 2019, it was revealed that journalists and human rights activists in India were targets of surveillance by operators using Pegasus. In 2021, international investigative journalism revealed that various governments used Pegasus to spy on government officials, opposition politicians, journalists, activists and many others. It also revealed that the Indian government used it to spy on around 300 people between 2017 and 2019.
WORKING OF PEGASUS SPYWARE
Pegasus spyware is primarily meant to target all types of phones, both iOS and Android-based. It has been designed to attack targeted devices through multiple routes such as SMS and WhatsApp. It has existed since 2017, and it has been said that this malware was used to target many journalists, politicians and social activists. Initial versions were known for using the “spear-phishing technique” to carry out cyber-attacks. In spear phishing, a fraudulent mail is sent out in order to deceive the target, and it is designed to carry out a behavioral change in targeted phones.
In its latest version, the “zero-click technique” was employed to attack the targeted phones. It doesn’t require any user intervention to infect a targeted mobile phone. Once infection is done, the attacker gets complete control over the phone. It can harvest any data from the device, such as SMS, email, WhatsApp chats, photos and videos, and can activate the camera, record calls, etc. All this happens without the knowledge of the user. It is designed in such a way that it does not leave any evidence of the attack on the user’s device. It uses only Wi-Fi, not mobile data, to transfer the data, as a large amount of data is transferred. Once that is done, the attacker has all the sensitive information related to the target.
CYBER SECURITY RISKS
Pegasus spyware is used for targeted surveillance and is not a tool for mass surveillance. In its initial version, “clickbait attacks” were used, i.e., a fraudulent mail or call is made to attack the user’s phone. If people are aware of these social engineering techniques, they will be able to differentiate between genuine and fraudulent messages. Cyber security protocols such as firewall browser can be installed to curb those fraudulent attacks.
In the later version, a “zero-click attack” has been employed; without any user intervention, it can infect the device. This makes it even more difficult for the user to prevent it.
LEGAL MECHANISMS IN INDIA
NSO has admitted that it sold this malware only to vetted foreign governments to investigate and prevent terrorist and national security incidents. So, these governments deploy the malware through their security agencies. The primary purpose of this malware is to fight terrorism and deal with crimes against national security. This makes Pegasus a legitimate tool for surveillance. The tool is misused by the government when there are no checks and balances in the system.
In India, lawful interception of communication is allowed through two important legislations:
INDIAN TELEGRAPH ACT 1885:
This law enables interception of calls made through landlines and mobile phones.
Section 5 empowers the Central and State governments to intercept calls on the occurrence of a public emergency or in the interest of public safety, on the grounds of:
1. Sovereignty and integrity of India
2. Security of the state
3. Public order
4. Incitement to the commission of an offence
5. Friendly relations with foreign states
In the People’s Union for Civil Liberties case, a not-for-profit organization approached the Supreme Court in 1997, challenging the provisions of Section 5 of the Telegraph Act. In this case, the Supreme Court recognized the right to privacy, but not as a fundamental right. However, it did recognize the importance of an individual’s privacy. The Supreme Court highlighted the threat to privacy from government surveillance, so it called for legal mechanisms that could protect the individual’s privacy from any misuse of surveillance powers. The Supreme Court therefore issued some guidelines, which were codified in 2007 in Rule 419(A) of the Indian Telegraph Rules, 1951.
As per Rule 419(A), a direction for interception under Section 5(2) may be issued only by the Union Home Secretary at the Centre, or the State Home Secretary, or, in unavoidable circumstances, by another authorized officer. This ensures that there is a high level of scrutiny by government officials in approving state surveillance. However, these safeguards are not sufficient, as there is no independent accountability of the government agencies in carrying out surveillance.
INFORMATION TECHNOLOGY ACT 2000
Section 69 provides the legal framework of electronic surveillance for interception of all forms of electronic communication, such as on mobile phones, laptops, etc. It empowers the Central or State Government or any other competent authority to direct any agency of the appropriate government to monitor, intercept or decrypt any information transmitted, generated, received or stored in any computer resource. It is a broader provision than the Telegraph Act, 1885, allowing interception, monitoring and decryption of digital information for the ‘investigation of crime’. It has set aside the grounds of public emergency and public safety. In investigating any criminal offence, the government can invoke this provision to carry out digital surveillance. That is why Section 69 of the Information Technology Act always comes in for heavy criticism. Such state surveillance can result in a violation of fundamental rights and liberties. State surveillance runs into conflict with Article 19 and Article 21.
Article 19 guarantees the right to free speech and expression, which is the very foundation of constitutional democracy; if state surveillance has no checks and balances, it could threaten the very foundations of our constitution.
Article 21 guarantees the right to privacy, which was upheld in the K.S. Puttaswamy case, where the Supreme Court recognized the right to privacy as an integral part of the right to life guaranteed under Article 21. That being the case, if state surveillance does not have checks and balances, it can violate the right to privacy. The government can thus misuse its powers, which has created major political controversies surrounding the Pegasus malware, as the list of potential targets included many opposition parties, journalists and activists. In order to ensure that state surveillance doesn’t breach the individual’s right to privacy, the Supreme Court put in place a three-fold test in its landmark judgement in K.S. Puttaswamy v. Union of India. The Supreme Court declared that the right to privacy is a fundamental right under Article 21. This three-fold test has to be satisfied by the state if it is breaching an individual’s right to privacy.
The safeguards are as follows:
- Firstly, there must be a law. The state can carry out such surveillance only when it is sanctioned by law. We have the Information Technology Act and the Telegraph Act. But the problem is with the agencies that carry out the surveillance. Are they established by law? In India, we have many intelligence agencies, but very few of them have been set up through law, such as national investigation agencies.
- Secondly, the need for the law. There must be a legitimate aim for the state surveillance. It should be in the interest of public safety.
- Thirdly, the means must justify the ends. The state must have tried every possible way to collect the information. Only when no other alternative exists should the state carry out state surveillance. The state has to show that carrying out such surveillance is necessary.
- A legal framework is needed to regulate the functioning and operations of security agencies. Intelligence agencies like the Research and Analysis Wing (RAW), which is responsible for foreign intelligence, and the Intelligence Bureau, which is responsible for internal security, should be brought under the law. By doing so, these agencies will be accountable to the parliament.
- We need more transparent legal safeguards. The current Acts, such as the IT Act and the Telegraph Act, are not sufficient; the law must be more comprehensive and ensure that there is accountability through parliament.
- In an era of digital surveillance, we need a strong data protection law. A few years back, a data protection law was drafted. But it is still pending legal sanction.
- Users should update their phones regularly to protect against data security breaches.
These measures will go a long way in reforming surveillance in India. They help to maintain checks and balances over the government in carrying out state surveillance.