For over two years now, the Supreme Court of India has failed to question the Indian government on its alleged use of Israeli spyware, known as Pegasus, against journalists, civil society activists, and political opponents of the ruling regime. Consequently, digital security threats against opponents of the federal government in New Delhi – headed by Prime Minister Narendra Modi, belonging to the right-wing Hindu nationalist Bharatiya Janata Party (BJP) – have continued unabated.
In September and October 2023, several Members of Parliament, opposition political leaders, including some working in the office of Rahul Gandhi, the leader of the opposition in the lower house of Parliament, along with journalists and anti-corruption advocates belonging to the Organized Crime and Corruption Reporting Project (OCCRP), were sent the following “alert” by Apple:
“State-sponsored attackers may be targeting your iPhone… These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.”
This episode took place more than three years after the alleged misuse of Pegasus in India became part of an international scandal. A host of countries, from the US to Mexico, Hungary, France, Morocco, Azerbaijan, Turkey, Saudi Arabia, Iran, Pakistan, and India, among others, were affected by the reported misapplication of the surveillance spyware.
The scandal was exposed by the Paris-based international non-government organization, Forbidden Stories, which received a data leak of some 50,000 phone numbers on which Pegasus had apparently been used. Amnesty International joined the effort to investigate the leak. The numbers were shared with more than 80 journalists working in 17 media organizations across the world, including The Wire in India.
Those willing to have their phones forensically examined saw the information being scrutinized by technical experts in Europe and Canada (at the Citizen Lab). The investigation was conducted over the span of three months and was made public in July 2021.
Named after a mythical winged horse from Greek mythology, Pegasus is one of the world’s most powerful cyberweapons. It is a zero-click-bait spyware, meaning the person who is using a “compromised” mobile phone remains unaware if, how, when, and where their phone has been “infected.” Before the advent of Pegasus, one was required to click on a link to enable malware to enter their phone.
Pegasus has reportedly been deployed to track not just the political opponents of those in power, journalists, lawyers, judges, government officials, and human rights activists in several countries, but also those within reigning governments who rulers want to keep an eye on. The spyware has been used to listen to, read, and view conversations, text, and audio messages as well as videos over electronic mail and text communications on the mobile phones of heads of government such as France’s President Emmanuel Macron and the former Prime Minister of Pakistan, Imran Khan.
The NSO Group, the privately-owned Israeli company that developed this dangerous surveillance tool claims that it is used for law-enforcement: for nabbing terrorists, drug dealers, and pedophiles, for tracking drones, and even for finding people trapped in the rubble of a collapsed building. This spyware – and its clones and imitations, including one named Predator – is meant only for government law-enforcement agencies after due authorization by the Israeli government. However, Pegasus is misused by regimes across the world, especially authoritarian ones, as Laurent Richard and Sandrine Rigaud argue in their recent book “Pegasus: The Story of the World’s Most Dangerous Spyware” (Macmillan, 2023). The two journalists worked with Forbidden Stories.
A personal disclaimer is required at this juncture. This writer is among those whose phones were forensically examined and who have petitioned the Supreme Court of India for violation of their rights, including the right to privacy.
Whereas several governments in different countries have initiated probes into allegations of misuse of the spyware, the government of India has brazenly stonewalled attempts to disclose whether it has used Pegasus, despite the intervention of the country’s highest court.
On October 27, 2021, the Supreme Court formed a committee headed by the now-retired judge of India’s apex court, Justice R.V. Raveendran, with two members assisting him: Alok Joshi, former Director of the government’s external intelligence agency, the Research and Analysis Wing (R&AW) in the Cabinet Secretariat and a 1976 batch officer of the Indian Police Service; and Sundeep Oberoi, Chairman of the sub-committee of the International Organization of Standardization, International Electro-Technical Commission, and Joint Technical Committee.
The committee was supported by another panel of three technical experts: Naveen Chaudhary, a professor of cybersecurity and digital forensics at the National Forensic Sciences University, Gujarat; Prabaharan P., an expert of cyber security and professor at Amrita Vishwa Vidyapeetham University, Kerala; and Ashwin Anil Gumaste, a professor of computer sciences and engineering at the Indian Institute of Technology, Bombay.
A day before the then Chief Justice of India (CJI), N.V. Ramana, retired on August 26, 2022, he observed in court that the government of the day had disregarded the committee he had appointed. He remarked, “We will say one sentence – the government did not cooperate with the technical committee on scrutiny of the devices for Pegasus spyware.”
That day, he was presiding over a three-judge bench alongside Justices Surya Kant and Hima Kohli. He opened the voluminous three-part report, and the judges went through it quickly. The CJI said the technical committee had examined 29 phones and found malware in five of them but could not state if the malware was Pegasus. He then added that the Raveendran committee’s report would be uploaded on the Supreme Court’s website but noted that the technical committee’s report would be uploaded after redacting certain portions, as committee members had requested that personal data not be disclosed.
CJI Ramana said the Raveendran committee had recommended changes in the existing law on surveillance and also suggested that the protection of privacy be enhanced “along with the cyber secrecy of the nation.” The CJI said the committee’s recommendations and observations could be made public.
The bench stated, “Such a course of action taken by the respondent Union of India, especially in proceedings of the present nature which touches upon the fundamental rights of the citizens of the country, cannot be accepted…The mere invocation of national security by the State does not render the Court a mute spectator.”
Earlier, when CJI Ramana asked the Solicitor General of India, Tushar Mehta, who represents the Union government, to answer a straight question – has any agency within the Indian government purchased or used Pegasus – he refused to answer “yes” or “no,” ostensibly on the grounds that the answer would jeopardize “national security interests.”
After the Raveendran committee and the technical committee submitted their reports in a sealed cover, despite CJI Ramana’s observations in court, late at night on August 25, 2022, the Supreme Court decided to “re-seal” the report and keep in the “safe custody” of the court’s Secretary General. The legislative journalism website The Leaflet commented, “The decision to keep the two reports under wraps, despite the CJI’s oral commitment to upload them on the Supreme Court’s website, disappointed those who expected some degree of transparency from the highest court.”
The case was supposed to be heard after four weeks, according to CJI Ramana’s claim. More than two years have since lapsed and nothing has happened. Since the case was last heard by the Supreme Court of India, two CJIs were appointed and then retired.
The crucial issue is what the Indian government’s policy on the use of spyware is at present and whether it needs change.
The Indian Telegraph Act of 1885 specifies the circumstances under which the Union government and state/provincial governments can intercept or tap telephones in the event of a “public emergency” or in the “interest of public safety” as per Section 5(2) of the Act. Such tapping or interception can also take place in the “interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offense.”
What are the safeguards that protect a citizen from misuse of the interception process?
In 1997, the Supreme Court of India, in the case of People’s Union for Civil Liberties versus the Union of India, observed that the right to have a telephone conversation in the privacy of one’s home or office is part of each citizen’s right to life and personal liberty (as enshrined in Article 21 of the Constitution of India), which cannot be curtailed except according to the procedure established by law.
The Court clarified that this section does not confer unguided and unbridled power on investigating agencies to invade a person’s privacy and laid down the following safeguards: The tapping of telephones is prohibited without an authorizing order from the Secretary, Ministry of Home Affairs, Government of India (the most senior official in the country’s interior ministry) or the Home Secretary of the concerned state government, and that this order, unless renewed, shall cease to have authority at the end of two months from the date of issue and cannot remain in operation beyond six months. All copies of the intercepted communication are supposed to be destroyed as soon as their retention is considered unnecessary.
In pursuance of the Supreme Court judgment, the Indian Telegraph (First Amendment) Rules, 1999, were framed and notified, and a similar notification titled the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules were notified a decade later in 2009.
These laws, rules, and their interpretation by the country’s apex court appear reasonable in writing. But, as is often remarked, there is an enormous gulf between the letter of the law and the spirit with which it is implemented. The terms and definitions mentioned are open to interpretation and misuse/abuse by law-enforcing agencies and those in positions of power and authority.
At the end of the day, the key point to make is whether India’s rulers have the political will to enforce rules and regulations that promote transparent governance, protect human rights and civil liberties, and work towards a just and humane society that respects individual privacy and which includes not misusing spyware on political opponents, lawyers, activists, and journalists. The danger of inaction is that those wielding power will continue to misuse their authority to silence their critics and undermine democracy in what is described as the “world’s largest democracy.”
(Paranjoy Guha Thakurta is a journalist, author, publisher, and documentary filmmaker.)