Context: The Supreme Court on Friday agreed to hear a petition for an independent investigation, headed by a former or a sitting judge, of mass surveillance of more than 142 potential “targets”.
- The target list includes an extensive host of public figures in India.
- In the past, similar claims were made regarding the use of Pegasus on WhatsApp by the Indian state.
- Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
- WhatsApp was one of the attack vectors used to infiltrate the mobile phones of selected targets using Pegasus.
- Other known vectors include SMS and iPhone’s iMessage service in addition to unknown vulnerabilities that a Pegasus user might exploit to install the spyware.
- WhatsApp sued the NSO Group in a federal court in San Francisco, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices (Target Devices).
- For the purpose of conducting surveillance of specific WhatsApp users (Target Users).
More in the news:
- The petition ought to be heard urgently as it concerned issues affecting the fundamental rights and civil liberties of citizens and even national security.
- The issue was making waves not only in India but also globally.
What does Petition say?
- Abridging rights:
- Such mass surveillance using military-grade spyware abridges several fundamental rights.
- It appears to represent an attempt to infiltrate, attack and destabilise independent institutions that act as critical pillars of our democratic set-up.
- It sought a full disclosure from the government of whether it had authorised the snooping.
- The legal regime for surveillance under Section 5(2) of the Telegraph Act had been completely bypassed.
- A criminal offence:
- Surveillance/interception is justified only in cases of public emergency or in the interests of public safety.
- The existence of such conditions must be inferred reasonably and cannot be determined solely on the assessment of the government.
- The hack/interception/decryption occasioned by the Pegasus spyware constitutes a criminal offence.
About the NSO group:
- The NSO Group is a Tel Aviv-based cybersecurity company.
- It specialises in “surveillance technology” and claims to help governments and law enforcement agencies across the world fight crime and terrorism.
- Companies managing tech products and solutions even have bounty programmes to reward independent cybersecurity researchers for detecting flaws they may have missed themselves.
- In such an ecosystem, a cyber-offensive tool that would be lapped up by governments around the world would require the tool to trick not only the targets but also the platform through which it is delivered.
- It has built such a tool — Pegasus, the world’s most invasive spyware.
- It can find a route into a target’s device that is unknown to the developer of the device and its software, and without requiring the target to take any action such as clicking a link.
- Its first known state client (Mexico) then equipping itself with cyber-espionage tools to fight drug trafficking, went beyond the script.
- The Mexican government liked Pegasus so much it ended up equipping several of its agencies with the spyware tool.
- It is spyware, they spy on people through their phones.
- It works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
- A presumably newer version of the malware does not even require a target user to click a link.
- Once Pegasus is installed, the attacker has complete access to the target user’s phone.
- The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
- The Pegasus tool at that time exploited a software chink in Apple’s iOS to take over the device.
- Apple responded by pushing out an update to “patch” or fix the issue.
- Pegasus delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission.
- A zero-day exploit is a completely unknown vulnerability, about which even the software manufacturer is not aware, and there is, thus, no patch or fix available for it.
- In the specific cases of Apple and WhatsApp, therefore, neither company was aware of the security vulnerability, which was used to exploit the software and take over the device.
Once installed, what can Pegasus do?
- It can send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
- The target’s phone camera and microphone can be turned on to capture all activity in the phone’s vicinity, expanding the scope of the surveillance.
- All of this takes place without the target user’s knowledge.
- Pegasus can work on BlackBerry, Android, iOS (iPhone) and Symbian-based devices.
Can Pegasus be used to target just about anyone?
- Technically, yes. But while tools such as Pegasus can be used for mass surveillance; it would seem likely that only selected individuals would be targeted.
- The NSO Group, while disputing WhatsApp’s allegations in the strongest possible terms, has said that:
- It provides the tool exclusively to licensed government intelligence and law enforcement agencies, and not just to anyone who wants it.
Indian Government Response:
- The Ministry of Information Technology (IT) and Communications, told the Lok Sabha that illegal surveillance was not possible in India, given its laws and robust institutions.
- According to it, news reports about the Pegasus software being used to illegally tap phones was an attempt to malign the Indian democracy.
- In the past, similar claims were made regarding the use of Pegasus on WhatsApp.
- Those reports had no factual basis and were denied by all parties, including in the Supreme Court.
- The Israeli company NSO, refusing the claims and pointing out factual inaccuracies.
- The IT minister cited that Section 69 of the IT Act and Section 5 of the Telegraph Act contain provisions for lawful interception of electronic communication for the purpose of national security.
- The government claims all its surveillance is authorised and justified.
- WhatsApp CEO has called on governments and companies to take steps to hold the Israeli technology firm accountable.
- WhatsApp in 2019 sued the NSO group, accusing it of using the former’s messaging service to conduct cyber-espionage on roughly 1,400 user accounts, including those of journalists and human rights activists.
- The use of cyber spy software to hack smartphones even by the government is prohibited under Indian laws.
- A significant number of Indians reportedly affected by Pegasus this time are again journalists.
- The World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021.
- The press requires (and in democracies is afforded) greater protections on speech and privacy. Privacy and free speech are what enable good reporting.
- Communication surveillance in India takes place primarily under two laws the Telegraph Act, 1885 and the Information Technology Act, 2000.
- No provision, however, allows the government to hack the phones of any individual since the hacking of computer resources, including mobile phones and apps, is a criminal offence under the IT Act.
- While the Telegraph Act deals with interception of calls, the IT Act was enacted to deal with surveillance of all electronic communication, following the Supreme Court’s intervention in 1996.
- A comprehensive data protection law to address the gaps in existing frameworks for surveillance is yet to be enacted.
- Surveillance itself, whether under a provision of law or without it, is a gross violation of the fundamental rights of citizens.
- It impacts the right to privacy and the exercise of freedom of speech and personal liberty under Articles 19 and 21 of the Constitution, respectively.
- Such surveillance, when carried out entirely by the executive, curtails Articles 32 and 226 of the Constitution (empowering the Supreme Court and High Courts, respectively, to issue certain writs) as it happens in secret.
- The affected person is unable to show a breach of their rights.
- This violates not only the ideals of due process and the separation of powers but also goes against the requirement of procedural safeguards as mandated in K.S. Puttaswamy (Retd) v. Union of India (2017).
- The programmes such as CMS, TCIS, NETRA, CCTNS, and so on, none of which has been authorised by any statute, and thus fall short of the 2017 K.S. Puttaswamy judgment.
- In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”.
- Since they are not constituted under a statute passed by Parliament — the National Intelligence Agency being an exception.
- In its 2019 election manifesto, the Indian National Congress was a first for a national political party calling for parliamentary oversight of intelligence agencies.
- In 2012, the Planning Commission and the Group of Experts on Privacy Issues, pointed out:
- Divergence in laws on permitted grounds,
- Type of interception,
- Granularity of information that can be intercepted,
- The degree of assistance from service providers, and
- The “destruction and retention” of intercepted material.
- Although the grounds of selecting a person for surveillance and extent of information gathering has to be recorded in writing, the wide reach of these laws has not been tested in court against the cornerstone of fundamental rights.
- Role of Judiciary.
- Only the judiciary can be competent to decide whether specific instances of surveillance are:
- Whether less onerous alternatives are available, and
- To balance the necessity of the government’s objectives with the rights of the impacted individuals.
- The need for judicial oversight over surveillance systems in general, and judicial investigation into the Pegasus hacking in particular, is also essential;
- Because the leaked database of targeted numbers contained the phone number of a sitting Supreme Court judge, which further calls into question the independence of the judiciary in India.
Threats to democracy:
- The phones of the woman who had complained of sexual harassment against a former Chief Justice, and her family, might have been subject to this form of surveillance is chilling.
- If the shadow of Pegasus also hangs on the case, the court will be seen not just as an error-prone institution, but one whose proceedings are possibly impacted by shadowy surveillance.
- Officials of the Election Commission, and political colleagues subject to this kind of surveillance, will inspire less confidence in free and fair elections.
- It raises the question of what methods might in future be adopted to turn the course of elections.
- The national security implications of these revelations are enormous:
- The explosive growth of surveillance technology vendors is a global security and human rights problem.
- It is not primarily China, but democratic states like Israel and UK, that are selling technologies for deepening the surveillance powers of states.
- There needs to be a global compact, or at least one amongst democratic states, on regulating these technologies.
- Even if authorised (which is doubtful), the use of Pegasus poses a national security risk.
- Pegasus is not just a surveillance tool. It is a cyber-weapon being unleashed on the Indian polity.
Examples of State Surveillances:
- In 2012 in Himachal Pradesh:
- The new government raided police agencies and recovered over a lakh phone conversations of over a thousand people.
- Mainly political members, and many senior police officials, including the Director General of Police (DGP), who is legally responsible for conducting phone taps in the State.
- In 2013, India’s current Home Minister was embroiled in a controversy dubbed “Snoopgate”, with phone recordings alleged to be of him speaking to the head of an anti-terrorism unit to conduct covert surveillance on a young architect and her family members without any legal basis.
- The Gujarat government admitted the surveillance, including phone tapping, but claimed it was done on the basis of a request made to the Chief Minister by the woman’s father.
- Yet, no order signed by the State’s Home Secretary (a legal necessity for a phone tap) was ever produced.
- The Gujarat High Court shut down an inquiry into “Snoopgate” upon the request of the architect and her father, on the shocking basis that it “did not involve public interest”.
- In 2009, the United Progressive Alliance government swore in an affidavit in the Supreme Court that the CBDT had placed Niira Radia, a well-connected PR professional, under surveillance due to fears of her being a foreign spy.
- Yet, while they kept her under surveillance for 300 days, they did not prosecute her for espionage.
- There are dozens of such examples of unlawful surveillance which seem to be for political and personal gain.
- These have nothing to do with national security or organised crime.
- Yet, there are few examples of people being held legally accountable for unlawful surveillance.
- Surveillance reform is the need of the hour in India.
- Not only are existing protections weak but the proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities.
- Post-Watergate reforms:
- The legacy of the Church Committee can be seen in the fact that the Snowden revelations in 2013 did not uncover any spying on Opposition politicians, journalists, judges, and human rights defenders for partisan political ends.
- What was shocking about the Snowden revelations was the extent of NSA’s surveillance, the overreach of the powers provided under the PATRIOT Act;
- As well as the lack of sufficient checks and balances provided by the Foreign Intelligence Surveillance Court.
- The Snowden revelations led to meaningful reform of that court, and controversial domestic surveillance provisions of the PATRIOT Act expired in 2020.
- India need reforms aimed at:
- Professionalising intelligence gathering,
- Bringing intelligence agencies under parliamentary oversight,
- Making them non-partisan, and
- Ensuring that civil liberties and rule of law are protected.
- This is India’s Watergate moment, and the Supreme Court and Parliament should seize it.
Israeli Commission review:
- When the review is finished, Israel’s Mossad spy agency demand to see the results and assess whether it needs to make corrections.
- Pegasus has been implicated in possible mass surveillance of journalists, human rights defenders and 14 heads of state.
- Their phone numbers were among some 50,000 potential surveillance targets on a list leaked to rights group Amnesty International and Paris-based Forbidden Stories.
- NSO has stated that it exports to 45 countries, with approval from the Israeli government.
- The company could not disclose the details of its contracts due to “issues of confidentiality,” but said that it would offer full transparency to any government seeking more details.
About the Zero-Click attacks:
- One of the worrying aspects of the Pegasus spyware is how it has evolved from its earlier spear-phishing methods using text links or messages to zero-click attacks which do not require any action from the phone’s user.
- This has made it the most powerful spyware out there, more potent and almost impossible to detect or stop.
- Working of the Zero-click:
- A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error.
- So all awareness about how to avoid a phishing attack or which links not to click is pointless if the target is the system itself.
- Most of these attacks exploit software that receives data even before it can determine whether what is coming in is trustworthy or not, like an email client.
- The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
- Can Zero click be protected?
- Zero-click attacks are hard to detect given their nature and hence even harder to prevent.
- Detection becomes even harder in encrypted environments where there is no visibility on the data packets being sent or received.
- Ensure all operating systems and software are up to date so that they would have the patches for at least vulnerabilities that have been spotted.
- One way to go is to stop using apps altogether and switch to the browser for checking emails or social media, even on the phone.
Telegraph Act of 1885:
- Section 5(2) of the Telegraph Act states:
- On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorised in this behalf by the Central Government or a State Government;
- May, if satisfied that it is necessary or expedient so to do in the following conditions:
- The interests of the sovereignty and integrity of India,
- The security of the State,
- Friendly relations with foreign states or
- Public order or for preventing incitement to the commission of an offence.
- The reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order.
- These are the same restrictions imposed on free speech under Article 19(2) of the Constitution.
- Additionally, a proviso in Section 5(2) states that even this lawful interception cannot take place against journalists.
- Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.
Supreme Court Previous Intervention:
- In Public Union for Civil Liberties v Union of India (1996), the Supreme Court pointed out lack of procedural safeguards in the provisions of the Telegraph Act and laid down certain guidelines for interceptions.
- Court Observation:
- The authorities engaging in interception were not even maintaining adequate records and logs on interception.
- Tapping is a serious invasion of an individual’s privacy.
- Court Upheld:
- Setting up a review committee that can look into authorisations made under Section 5(2) of the Telegraph Act.
- Every Government exercises some degree of subrosa operation as a part of its intelligence outfit but at the same time citizen’s right to privacy has to be protected from being abused by the authorities of the day.
- The Supreme Court’s guidelines formed the basis of introducing Rule 419A in the Telegraph Rules in 2007 and later in the rules prescribed under the IT Act in 2009.
About Rule 419A in the Telegraph Rules:
- It states that a Secretary to the Government of India in the Ministry of Home Affairs can pass orders of interception in the case of Centre.
- A secretary-level officer who is in-charge of the Home Department can issue such directives in the case of a state government.
- In unavoidable circumstances, Rule 419A adds, such orders may be made by an officer, not below the rank of a Joint Secretary to the Government of India;
- Who has been duly authorised by the Union Home Secretary or the state Home Secretary.
About IT act 2000:
- Section 69 of the Information Technology Act and the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 were enacted to further the legal framework for electronic surveillance.
- Under the IT Act, all electronic transmission of data can be intercepted.
- So, for a Pegasus-like spyware to be used lawfully, the government would have to invoke both the IT Act and the Telegraph Act.
- It adds another aspect to the telegraph rules that makes it broader.
More About Types of Cyber Attacks.
More about the Cybersecurity in India.