In a fresh trigger for India's existing data privacy concerns, more than 300 Indian phone numbers, including those of serving ministers, journalists, opposition leaders and one sitting judge, are thought to have been hacked using the Pegasus spyware.
According to the investigation by the international media consortium that released the Pegasus report, more than 50,000 phone numbers from around the world were allegedly targeted for hacking using Pegasus, which the Israeli NSO Group says it sells only to government agencies. Neither the source of the leak nor how it was verified was divulged. While the mere presence of a phone number in the data does not by itself indicate a hacking attempt, the consortium believes the data reflects prospective targets of NSO's government clients. According to the Washington Post, the list contains 37 smartphones that were confirmed as compromised. Further, Amnesty International found that 40 Indian journalists were selected as potential targets between 2017 and 2021.
What is Pegasus?
Pegasus is a spyware technology developed by former Israeli intelligence personnel.
The NSO Group, alias Q Cyber Technologies, markets Pegasus as a “world-leading cyber intelligence tool” that allows law enforcement and intelligence agencies to remotely and discreetly retrieve data from practically any mobile device.
How Does the Spyware Work?
Pegasus has several methods for achieving zero-click installations, that is, infections that require no action from the target. One over-the-air (OTA) technique is to send a covert push message to the target device, causing it to load the spyware without the target being aware of the installation, and over which the target has no control anyway.
This is the “NSO peculiarity,” according to a Pegasus brochure, “which greatly differentiates the Pegasus solution” from any other spyware on the market.
Until early 2018, NSO Group clients depended mostly on SMS and WhatsApp messages to persuade targets to click on a malicious link, resulting in the mobile device being infiltrated. A Pegasus brochure calls this an 'Enhanced Social Engineering Message' (ESEM). When the target clicks the malicious link packaged as an ESEM, the phone is routed to a server that checks the operating system and delivers the matching remote exploit.
Then, in its October 2019 report, Amnesty International first reported the use of "network injections", which allowed attackers to install the spyware "without demanding any engagement from the target." Once installed, Pegasus transmits only scheduled updates to a Command and Control (C&C) server, so as to avoid consuming a lot of bandwidth and alerting the target. The spyware is designed to evade forensic investigation and detection by anti-virus programs, and it can be deactivated and uninstalled by the attacker as needed.
Devices Vulnerable to Such Attacks
Practically all devices are vulnerable to an attack by the spyware. This includes both Android and iOS devices. Apple's default iMessage app and the Push Notification Service (APNs) protocol, on which Pegasus is built, have been routinely used to attack iPhones. The spyware may imitate an app installed on an iPhone and send itself as push notifications through Apple's servers. After installation, Pegasus connects to the attacker's C&C servers to receive and execute commands, and to send back the target's personal information such as passwords, contact lists, calendar events, text messages and live phone calls. The attacker also gains access to the phone's camera and microphone, as well as its GPS function, which can be used to track down a target.
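The paragraphs above note that the spyware keeps its C&C traffic to small, scheduled updates so that volume alone will not give it away. The periodicity of that traffic is itself a signal a defender can look for. The following is an added example, not code from the original post or from any of the investigations it cites: it scans a constructed connection log for destinations contacted at near-constant intervals with small payloads. The host names and timestamps are constructed sample values, not real indicators.

```python
"""Flag low-volume, regularly spaced ("beaconing") outbound connections,
the traffic pattern described in the text. Added example with a constructed
sample log; no real Pegasus indicators are used."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (epoch seconds, destination host, bytes sent).
# One host receives a tiny beacon exactly every 3600 s; the rest is noise.
SAMPLE_LOG = [
    (0, "cdn.example.net", 52000), (35, "cdn.example.net", 81000),
    (100, "update.example-c2.test", 310),
    (3700, "update.example-c2.test", 298),
    (3710, "mail.example.org", 12000), (3900, "cdn.example.net", 40000),
    (7300, "update.example-c2.test", 305),
    (9000, "mail.example.org", 9000),
    (10900, "update.example-c2.test", 301),
    (14500, "update.example-c2.test", 299),
]


def find_beacons(log, min_hits=4, max_jitter=0.05, max_bytes=1024):
    """Return destinations contacted at least `min_hits` times with
    near-constant spacing (coefficient of variation <= max_jitter) and
    payloads no larger than `max_bytes`. Regular timing is the signal;
    volume is deliberately kept small by this kind of implant."""
    by_dst = defaultdict(list)
    for ts, dst, nbytes in sorted(log):
        by_dst[dst].append((ts, nbytes))
    hits = {}
    for dst, events in by_dst.items():
        if len(events) < min_hits:
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter and max(n for _, n in events) <= max_bytes:
            hits[dst] = {"interval_s": round(avg),
                         "jitter": round(jitter, 4),
                         "count": len(events)}
    return hits


if __name__ == "__main__":
    for dst, info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {dst} every {info['interval_s']} s "
              f"({info['count']} hits, jitter {info['jitter']})")
```

Tune `min_hits` and `max_jitter` to the log window you have; a real implant will add some jitter, so a threshold of zero would miss it.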
Legality in The Indian Context
The right to privacy was declared a fundamental right of all citizens by a nine-judge Supreme Court bench in Justice K.S. Puttaswamy vs. Union of India in 2017. The Supreme Court held that a citizen's right to privacy includes the right to control how their data is used, i.e., decisional autonomy over their data. In light of the Supreme Court's decisions, it is evident that the lack of independent oversight is untenable and unlawful, in addition to violating democratic principles worldwide. A morally cognizant government would read the Puttaswamy decision as having a disabling effect: the state cannot be deemed to enjoy such powers unless enabling legislation has been passed that grants the state the power to act, and only to the extent and in the manner that the legislation permits. Because no enabling framework was in place, the state could not, for example, snoop on any device at all, even where it had a "compelling state interest."
Personal Data Protection Bill, 2019 in Context of Pegasus Report
Subsequent to the recognition that persons have a right to privacy against the state, the Personal Data Protection Bill, 2019 was introduced to protect the personal data of individuals. The objective of this Bill was to provide for the protection of people's privacy in relation to their personal data, and to establish a Data Protection Authority of India for these objectives and for matters pertaining to an individual's personal data. The Bill, however, provides an exemption to government agencies when acting in the interest of the 'security of the state.'
Much of what is going on in India right now, whether it is the Chinese app ban, the increased stringency of e-commerce rules, the new social and digital media rules, or the snoop gate hacking through Pegasus, is linked to personal data protection in some way. However, while passing the Personal Data Protection Bill is indeed the need of the hour, the legislation will be of little help in dealing with a surveillance issue like the Pegasus report. The proposed Bill has the potential to address other challenges while advocating for improved surveillance reforms. However, in its current form, the Personal Data Protection Bill may not be a solution to government monitoring because it exempts the Indian government from accountability. The proposed Bill not only fails to consider the larger objective of surveillance reform, but it also leaves significant loopholes for state monitoring and surveillance. For example, the Bill states that personal data can be processed without the consent of the individual if the state requires it to provide benefits to individuals. Further, the central government has the authority to exempt any of its agencies from the Act's provisions in the interests of state security, public order, and India's sovereignty and integrity. Personal data processing is also exempt from the Bill's rules for a variety of additional purposes, including the prevention, investigation or prosecution of any crime, or journalistic purposes.
Data protection is at the center of much of what is going on in the country, and citizens will be heavily affected if the Bill does not become law. However, the data protection Bill lacks meaningful surveillance reform provisions and grants the government broad discretion. Surveillance reform was also declared outside the scope of data protection by the Justice Srikrishna Committee.
Call For Surveillance Reforms
The shadow of surveillance, as Justice Subba Rao recognized in his renowned dissent in Kharak Singh, acts as a "psychological restraint" on an individual and prevents her from thinking or acting freely. This was later upheld in the Puttaswamy judgement. Different countries have different surveillance laws to regulate the level of spying: the European Union has the General Data Protection Regulation, and the United States has robust civil rights protections. Unlike these jurisdictions, India does not confront surveillance issues aggressively. As a result, many are advocating for surveillance reforms. Just as the Supreme Court gave specific directions on telephone tapping in People's Union for Civil Liberties vs. Union of India, surveillance in other forms, employing different technology, requires an appropriate legal framework as well.
When asked whether the Indian government had purchased and used Pegasus, the government gave a non-committal response. It included a template reference to current surveillance powers under the Telegraph Act and the Information Technology Act, and maintained that no unauthorized interception had occurred. However, this seems too broad an assurance. The scope of such authority needs to be curtailed, followed by a proper surveillance regulation.
The disclosures in the Pegasus report have tremendous national security consequences. The rapid rise of surveillance technology companies is a global security, privacy and human rights issue. What is concerning is that it is democracies like Israel and the United Kingdom that are selling technologies that strengthen state surveillance powers. Hence, there needs to be a global agreement on controlling and regulating these technologies. If Pegasus is in use in India, India stands out as part of a group of largely authoritarian and semi-authoritarian countries that use this technology. It does not reflect well on a democracy to have surveillance measures of this kind in place. The use of Pegasus, even if authorized, creates a national security danger. The greater danger here is not the whistleblowers' motivations; it is that, by not having a competent, credible and accountable institutional mechanism, we have left ourselves exposed to rights violations and security threats. If the Pegasus claims are true, we are living in a qualitatively different environment of citizen surveillance. It is for this reason that we need to bring in legislation dealing with data protection and surveillance now more than ever.
(This post has been authored by Sanvi Bhatia, a II Year Law Student at NALSAR Hyderabad)