This article has been written by Charishma. K.S, enrolled in the CA PROGRAM in LawSikho.
We live in an era where all wars begin as cyberwars. Recently, the entire world was outraged by revelations from an international media consortium about Pegasus, spyware developed by the NSO Group and probably the most powerful virus ever created. Overnight, it created headlines and ignited political skirmishes. Do you know the objective of the Pegasus spyware project, how it works, and what it costs?
How has this spyware infringed the basic rights of an individual set out in the Indian Constitution? Do you know the legislation concerned with surveillance in India? Do we need to take urgent action against the misuse of this spyware? The alleged use of this most powerful spyware on journalists, human rights defenders, politicians, and others across the world, including India, has given rise to issues concerning the right to privacy. Many such basic questions have been troubling people. This article addresses the basic yet serious questions about this controversial spying program.
The Pegasus spyware
The Pegasus spyware is a surveillance tool and the most powerful spyware ever invented. It is developed, marketed, and licensed across the world by the Israeli company NSO Group. A document released by NSO Group presents the capabilities of this malicious software in detail. The spyware makes use of "zero-day" vulnerabilities, that is, flaws in a phone's operating system that are unknown to the phone's user and have not been patched. Pegasus identifies such flaws and uses them to enter the operating system of the targeted person's phone.
The hacking can be accomplished through "zero-click" attacks that need no human interaction or human error. This new form of attack has made Pegasus the most hazardous software, one that jeopardises the individual right to privacy. It can hack billions of phones running either the Android or iOS operating systems. The spyware can also be installed over a wireless transceiver (radio transmitter and receiver) located near the target. It can turn your phone into a surveillance device.
Once installed on the targeted phone, Pegasus contacts the attacker's command and control (C&C) servers to receive and execute instructions and to send back the target's private data. It allows the attacker to trace messages, call records, calendar events, and photos, to watch you through your phone's camera, or to turn on the microphone and tape your conversations. It can pinpoint everything from where you are to whom you meet. NSO Group sells this malicious software to governments only. To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server. The spyware is designed to evade forensic analysis and avoid detection by anti-virus software, and it can be deactivated and removed by the attacker when and if necessary. A single license can be used to infect several smartphones and costs up to 70 lakhs. According to a 2016 price list, NSO Group charged customers $650,000 to infiltrate 10 devices, plus an installation fee of $500,000.
The NSO Group
In 2010, NSO Group Technologies was established in Herzliya, situated north of Tel Aviv, by Niv Carmi, Shalev Hulio, and Omri Lavie. The name NSO is an acronym of the first names of its three founders. NSO Group produces products that enable governments to spy on citizens. On its website, the company describes its products' role as helping "government intelligence and law-enforcement agencies use technology to meet the challenges of encryption" during terrorism and criminal investigations. Nevertheless, as you might imagine, civil liberties groups aren't satisfied with the spyware-for-hire business, and restricting the business to government clients does little to hush their suspicions.
History of Pegasus
Back in 2016, the Pegasus spyware was first discovered by researchers at a Canadian cybersecurity organization, infecting phones through text messages or emails that trick a target into clicking on a malicious link, a technique called spear-phishing. The Citizen Lab first discovered Pegasus on the smartphone of Ahmed Mansoor, a human rights activist.
- In September 2018, The Citizen Lab published a report finding that Pegasus spyware was in use in 45 countries, including India.
- In 2019, WhatsApp uncovered that NSO's software had been used to send malware to more than 1400 phones by taking advantage of a zero-day vulnerability. Malicious Pegasus code could be installed on the phone just by placing a WhatsApp call to a targeted phone, even if the target didn't answer the call. At that time, too, many human rights activists and journalists in India had been targeted by Pegasus.
Now, it has started taking advantage of vulnerabilities in Apple's iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says that it has been continuously updating its software to prevent such attacks. An international journalistic investigation showed that various governments used the software to spy on opposition politicians, journalists, activists, government officials, and many others.
The recent story of the Pegasus project
A leaked list of 50000 phone numbers, obtained by Forbidden Stories, a Paris-based journalism nonprofit, and the rights group Amnesty International, showed numbers that were potentially targeted by Pegasus spyware; the list was shared with media in different countries. Forbidden Stories called its investigation of Pegasus the Pegasus Project; during the investigation, forensic analyses and technical support were provided by Amnesty International's Security Lab. We are not sure how many were targeted for surveillance and how many of those attempts succeeded.
According to the Washington Post, forensic analyses found that 22 smartphones in India are on the list, at least 10 of them targeted with Pegasus, seven of them successfully. Initially, Forbidden Stories revealed a database of 50000 numbers targeted for surveillance by clients of NSO Group.
The news organisations working on the Pegasus Project were able to find the owners of 150 numbers across at least 10 countries. Thus, an important attempt should be made to differentiate the names that appear on the list. Subsequently, as of July 27, 2021, The Wire, in collaboration with 16 other media organizations, had revealed 155 names on the list so far. That list includes political figures, activists, students, lawyers, and journalists, among others.
The legal backing of Pegasus spyware
Concerning national security and public safety, there are legal provisions for intercepting communications and accessing digitally stored information. The Pegasus software, however, is wholly private and intrudes into private lives, and it serves no public interest. The data obtained through such software has been used to compromise institutions, steal elections, attack opposition campaigns and even dislodge opposition governments. This sector is vulnerable because of a lack of awareness and of specialists in digital security. Other anti-social elements and terrorists have also started using cyberspace, which provides them with more gateways.
Legislation for surveillance technologies like Pegasus in India
Pegasus, a modern surveillance tool, has shaken Indian democracy, and questions have arisen about the extent to which national security can be used by the state as a justification for the surveillance of citizens. National security is the argument put forward in the Pegasus scandal. Beyond that, the Indian government must adhere to international democratic norms regulating surveillance technology.
NSO Group proclaimed in its statement that it sells the snooping malware only to intelligence agencies and governments. But the union government did not admit that it is using the Pegasus spyware or dealing with the NSO Group. However, there are established procedures and protocols through which lawful interception of electronic communication is carried out for national security and safety, Ashwini Vaishnaw stated in Parliament. He also cited Section 5(2) of the Indian Telegraph Act, 1885, Section 69 of the Information Technology Act, and the Information Technology Rules, 2008 (procedure and safeguards for the interception, decryption, and monitoring of information) as time-honored protocols for legal interception by the competent authorities.
The Government of India has also contended that all communication surveillance in India takes place legally. The Telegraph Act, 1885, and the Information Technology Act, 2000 are the two laws primarily concerning communication surveillance in India. The Telegraph Act deals with the interception of calls, and the IT Act, 2000 was legislated to deal with electronic communication, coming after the Supreme Court intervened in 1966.
Telegraph Act, 1885
Section 5(2) of the Telegraph Act reads: “On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorized in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the government making the order or an officer thereof mentioned in the order: Provided that the press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this subsection”.
Under Section 5(2) of the Telegraph Act, the government can intercept calls only in certain situations, such as in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of an offence. These are the same restrictions as those imposed under Article 19(2) of the Constitution.
In addition to this, Section 5(2) says that even this interception cannot take place against journalists: “Provided that the press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained unless their transmission has been prohibited under this sub-section.”
Public Union Civil Liberties v. Union of India: Intervention by Apex Court
In this case, the Public Union of Civil Liberties filed a public interest litigation concerning telephone tapping in recent days. The petitioner challenged the constitutional validity of Section 5(2) of the Telegraph Act. A writ petition was also filed by CBI in the wake of the report on “Tapping of politicians’ phones.” The Apex Court observed that the authorities dealing in interception were not even maintaining logs of interceptions or adequate records.
The Apex Court said that “Tapping is a serious invasion of an individual’s privacy. With the growth of highly sophisticated communication technology, the right to hold telephone conversation, in the privacy of one’s home or office without interference, is increasingly susceptible to abuse. It is no doubt correct that every Government, however democratic, exercises some degree of sub rosa operation as a part of its intelligence outfit but at the same time citizen’s right to privacy has to be protected from being abused by the authorities of the day.”
Justice KS Puttaswamy (Retd.) and Anr. v. Union of India and others
In 2017, a nine-judge bench of the Supreme Court of India held in this case that the right to privacy is a fundamental right. The Apex Court premised the verdict on the principle that “Privacy is the ultimate expression of the sanctity of the individual”. It also held that the principle of proportionality and legitimacy must be satisfied to impose restrictions on the right to privacy. While concluding this case, Justice Sanjay Kishan Kaul observed that “Surveillance is not new, but technology has permitted surveillance in ways that are unimaginable.”
Information Technology Act, 2000
Apart from Article 19(2) of the Indian Constitution and Section 5(2) of the Telegraph Act, 1885, the Information Technology Rules, 2009 and Section 69 of the Information Technology Act further provide the legal framework for electronic surveillance, including the procedure and safeguards for the interception, monitoring, and decryption of information for the investigation of an offence.
Information Technology (Procedure for Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009
The detailed procedures for the safeguard of an individual are enshrined in the IT Rules, 2009, such as:
- Recording of reasons for interception of any information.
- A direction for interception shall not exceed 60 days from the date of its issue. It can be renewed, but the total period shall not exceed 180 days.
- Destruction of records of information collected from such interception within 6 months, unless such information is required for functional needs.
- Intermediaries have a confidentiality obligation not to disclose any information acquired to a third party.
However, Section 69 of the IT Act does not authorise any agency to install spyware to hack mobile devices for this purpose. The same section, when read with Section 43 of the IT Act, 2000, criminalises the hacking of a device.
Need for proper reforms
The Pegasus outbreak made us recognize the lack of a proper legal framework to deal with the advancement of surveillance techniques in many countries across the world. The cyber laws of most countries focus only on electronic commerce and electronic format. A few countries, such as China, Vietnam, and Singapore, have dedicated cybersecurity laws.
When it comes to the cybersecurity context of India, it is important to note that the last framework on interception in India was laid down back in the year 2000. The use of spyware is nonetheless illegal and constitutes a cyber crime under Section 66 read with Section 43 of the IT Act, 2000. Hence, the advancement in surveillance techniques over the past decade creates an urgent need for a dedicated cybersecurity law.
It is necessary to put appropriate checks and balances on the misuse of surveillance technologies, including an amendment of Section 69 of the IT Act, which is required in light of the advancement of surveillance technology. The Pegasus scandal is a wake-up call not only for a proper legal framework for cybersecurity but also to limit the potential misuse of spyware.
Presently, cyber warfare is an emerging concept that is likely to be a weapon in any future conflict. As warfare increasingly moves online, there is no need to send military troops into canals and onto the border to invade any other nation. Instead of weapons like guns and missiles, upcoming wars will be fought by hackers and terrorists using computer code to damage the enemy’s infrastructure or to steal data from other nations to attain their political goals.
The Pegasus spyware is the best current example. There is an urgent need for a legal framework governing surveillance by such hacking spyware. The current situation shows that there is an immediate requirement for a proper legal framework to counter cyber-warfare situations in the future. The government pretends not to know anything about this illegal hacking on such a large scale; there is indirect de-democratization in darkness.