Pegasus Spyware: A Menace to Democracy

Reading time : 6 minutes

What is a Spyware?

‘Spyware is software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user. For example, by violating their privacy or endangering their device’s security’.[1]

These Spywares could also be used for Commercial purposes like monitoring the screens for advertisement, either way this leaves the people with a potential threat of data breach and misuse of personal information.

The Pegasus Spyware

A Spyware is designed as such that it enters into the computer or mobile of the person and without the consent of the person transmits the data to third party without any knowledge of the person whose device is being infected with it.

The PEGASUS Spyware has been developed by an NSO group which is an Israeli company has built the most influential spyware and the objective of this spyware is to get through the device of the person that has to be bugged and give out private information about the person on whose device the spyware has been infected which in short turns the device into a surveillance or a monitoring device which the third party can blatantly use to violate the Fundamental Right of life and personal liberty enshrined in Art 21 of the Indian Constitution. However, the parent organization of the Pegasus spyware claims that they built this for the governments around the world to help them spy on terrorist activities and criminals, which has not been the case with the claims of the media Consortium around the globe.

‘Pegasus Spyware was first identified around 4-5 years ago when a human rights activist from the United Arab Emirates received a text message that was actually a phishing setup. He sent these messages to the security agency and it was found out that if he (the user) had opened those links – his phone would have been infected with the malware, named Pegasus.’[2]

How does the Pegasus Spyware work?

The Spyware can bug the device through a text message or that directs the device to a website installing the spyware without the knowledge of the user some claims have even been made that there is no user interaction required and just a simple delivery of the text message is sufficient enough to infect the device for the iOS users which claims itself to be the most protected device it is the I-text which can bring the catastrophe.

Once the Spyware has been installed, which is quiet easy in this case the third party can access the texts, mails, call logs, photos and much more from the device. In fact, the access of the device is given as such that the camera and microphone can also be operated by the third party.

‘NSO Group sells the software to governments only. A single licence, which can be used to infect several smartphones, can cost up to Rs 70 lakh. According to a 2016 price list, NSO Group charged its customers $650,000 to infiltrate 10 devices, plus an installation fee of $500,000.’[3]

Laws in India Regarding Tapping and Surveillance

The rules governing the surveillance laws can be divided under two heads namely the telegraph Act, which particularly deals with the surveillance over tapping of calls and the Information technology Act, 2002 that deals with the interception of data.

Telegraph Act

‘Section 5, of the Telegraph act deals with the wire-tapping laws, that means in case of an emergency any authorized public official has been given the authority to intercept phone calls only in the interest of the public safety. However, such interception has to satisfy the certain grounds of sovereignty and integrity of India; the security of the State; public order; friendly relations with foreign states and preventing incitement to an offence.’[4]

The broad connotations could led to the potential misuse of the loopholes of the Section 5 of the Act so the Supreme Court in the case of People’s Union for Civil Liberties V. Union of India[5] brought up the 419A of the Telegraph Rules 2007 which gave the secretary to the government of India of Home Affairs to pass orders relating to the wire-tapping which gives authority only to a limited and high ranked officials of the government and the misuse of the same would be answerable by the official.

Section 69 of the IT Act, 2002

‘Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may, subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.’[6]

The IT Act, 2000 is different from the Telegraph Act as in case of the latter only when there is an emergency can there be the wire-tapping of and on the contrary, when any investigation needs to be done by the government of India, Section 69 could come into force.

The K.S. Puttaswamy V. Union of India Case of Right to Privacy

The K.S. Puttaswamy judgment, ruled that privacy could only be breached under the following three heads:

The restriction must be by lawful in nature;

It must be necessary and proportionate;

It must be in the state interest (national security & sovereignty).

The judgement held that the issue of Privacy could arise from the State held Entities as well as the Non-state held.

The court stated that Right to Privacy is an inherent and integral part of Part III of the Constitution that guarantees fundamental rights to its citizens. The conflict in this area mainly arises between an individual’s right to privacy and the aim of the government to implement its policies. Thus, a balance needs to be maintained between the two.

The area of Pegasus is slightly different from mere surveillance and wire-tapping because the spyware hacks the phone and Section 43 of the Information Technology Act, 2000 prohibits the same without the consent of the user of the phone and the punishment for the same is given under Section 66 of the Information Technology Act, 2000 with imprisonment for a term which my extend to 3 years and fine which may extend to an amount of Rs. 5 lakhs.

What the Government has to say about the allegations?

The government has out rightly denied any such claims as fictitious, concocted and baseless and tells that these are false and misleading; also, India’s Minister of Electronics & IT also claims that including the Parliament, there has been no unauthorised interception by Government agencies. Furthermore, Government agencies have well-established guidelines for interception of any kind of data from a third party, which includes authorization and supervision from high ranked officials in central as well as in the state governments, for reasons in national interest.

In the recent past, similar claims were made regarding the use of Pegasus on WhatsApp by the Indian government. Those reports were also lacking factuality and all the parties, including WhatsApp in the Apex Court, categorically denied them.

The Indian government further claims that every case of interception, monitoring, and decryption of any kind of data is approved by the competent authority i.e. the Union Home Secretary. These powers are also available to the competent authority in the state governments as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.

Opposition’s claims

‘Opposition parties demanded an independent inquiry and accountability from the government over the use of Pegasus software to spy on ministers, legislators, and journalists and other various known people.

Political parties such as the Congress, TMC, NCP, Left parties, RJD, and Shiv Sena all demanded an investigation.

The Congress called the Centre’s actions “treasonous,” and the Home Minister was called to give an account for the whole incident on the spying matter, which included the spying and hacking of journalists’, judges’, and politicians’ phones. They further demand the resignation of the Home Minister,” the Congress tweeted, “We cannot emphasize enough how important it is to uphold our democratic and constitutional ideals and principles for the protection and security of all of our residents. An International Ransomware Meant Solely for Government agencies has hacked into the phones of our citizens. Accountability is required.”

“The Modi government is hacking into its own journalists, opposition leaders, and constitutional authorities using foreign military grade spyware. It is basically fighting for the destruction of our democracy and constitution,” the CPI (M) stated.’[7]

Issues regarding Government’s spying

‘In 2012 in Himachal Pradesh, the new government raided police agencies and recovered over a lakh phone conversation of over a thousand people, mainly political members, and many senior police officials, including the Director General of Police (DGP), who is legally responsible for conducting phone taps in the State.

In 2013, India’s current Home Minister Amit Shah was embroiled in a controversy dubbed “Snoop gate”, with phone recordings alleged to be of him speaking to the head of an anti-terrorism unit to conduct covert surveillance without any legal basis (as there was no order signed by the State’s Home Secretary which is a legal necessity for a phone tap).’[8]

Such examples of unlawful surveillance, which are done for personal gains ae unethical and destroying the very essence of democracy but on the contrary is also the need for this age as most of the things happen over an electronic device in this technological age.

Recommendations regarding Surveillance

In 2010, then Vice-President called for a legislative basis for India’s agencies and the creation of a standing committee of Parliament on intelligence to ensure that they remain accountable and respectful of civil liberties.

The Cabinet Secretary in a note on surveillance in 2011 held that the Central Board of Direct Taxes having interception powers was a continuing violation of a 1975 Supreme Court judgment on the Telegraph Act.

In 2013, the Ministry of Defence-funded think-tank published a report, which recommended that the intelligence agencies in India must be provided a legal framework for their existence and functioning; their functioning must be under Parliamentary oversight and scrutiny.

In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”. This is because they are not constituted under a statute passed by Parliament — the National Investigation Agency being an exception.’[9]

How to stay protected from the Spyware?

 As per the current scenario, there is no particular solution for the zero-click attack where the device is hacked even without the owner’s knowledge. However, there are certain tips that can potentially minimize the risk of the devise getting hacked and giving out information to third party without any consent.

  • The device has to be updated with relevant patches and upgrades. A standardised version of an OS creates a base for hackers to target, it is still the defence.
  • Avoiding public and free Wi-Fi services especially while accessing sensitive and private information. The use of a VPN is a good hack when there is a need to use such networks.
  • Opening links from only known and trusted contacts and sources when using the device. Pegasus is deployed to iOS devices through an iMessage link. The same advice applies to links sent via email or other messaging applications.
  • Although it may sound obvious, limit physical access to the device while ensuring only trusted people operate your device. One can do this by enabling pin, finger or face locking on the device.
  • Encrypt the device data and enable remote-wipe features where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.

Conclusion

The controversy on the Pegasus spyware hacking in the devices of the various high-class journalists’, judges’, and politicians is of a very grave nature and needs proper and timely investigation. In a digital age where technology is taking over the world the word ‘Privacy’ comes into play and as stated above in the Case of K.S. Puttaswamy V. Union of India popularly known as the Aadhar case it was held that Right to privacy is a Fundamental right guaranteed by the Indian Constitution and taking away the right should have serious consequences, just because the political party ruling the center has certain powers does not mean that they have the privilege to do as they want. According to the laws of the India, hacking is illegal and if the government is doing so then the Judiciary needs to interfere which is currently happening and proper detailed investigation is being carried on.

On the contrary, the government is denying any such claims of hacking. The software of installing and using Pegasus is a costly affair and the laws relating to surveillance in the country needs proper authentication by top officials of the centre as well as the state which means that if such a thing is happening then officials at top level must be aware and only with their consent is this spying possible and if the Apex court through its findings come to a conclusion that hacking and spying was being done then the government has to pay a very hefty penalty for that.

The Israeli NSO group that made the spyware made it for easement of the governments to catch cyber criminals and stop the cases of terrorism and it has to be limited to that use only. With the advancing digital era the use of software like Pegasus will be much more common in the coming times and certain strict rules and regulations regarding the same, not only does rule and regulation help in bettering a situation but the proper adherence to the rules laid down would be very essential otherwise there will be a lot of exploitation over the world by powerful and rich people that has to be checked upon. The unchecked use of such spywares could lead to the threat to democracy where people will not have free will, which is the very essence of democracy.


[1] Spyware available at: https://en.wikipedia.org/wiki/Spyware (last modified on 20th July 2021)

[2] History on Pegasus available at: https://www.geeksforgeeks.org/what-is-pegasus-spyware-and-how-it-works/ (last modified on 02 August2021)

[3]Editorial, ‘ETech Explainer: what is Pegasus spyware and how it works’, The Economic Times, 21st July 2021

[4] Indian Telegraph Act, 1885, S.5

[5] People’s Union for Civil Liberties v Union of India AIR 1997 SC 568

[6] The Information Technology Act, 2000 (Act 21 of 2000), s. 69

[7] Tanya Napolean, The Pegasus controversy: it’s Implications in India, 04 August 2021

[8] Pegasus Spyware issue in India, available at: https://www.legacyias.com/pegasus-spyware-issue-in-india-explained/ last modified on (July 20th 2021)

[9] Pegasus Spyware issue in India, available at: https://www.legacyias.com/pegasus-spyware-issue-in-india-explained/ last modified on (July 20th 2021)

Author: S Ashwin Nair, SINHGAD LAW COLLEGE, PUNE

Editor: Kanishka VaishSenior Editor, LexLife India.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s