This article is written by Vishruti Chauhan, who is pursuing a BA LLB at Symbiosis Law School, Hyderabad. It analyses the Pegasus case, which was instituted by WhatsApp against the Israeli spy firm NSO. It also discusses what Pegasus is and how it works, and analyses the effect of such spyware in the Indian jurisdiction and the laws that apply to it.
Spyware has long been a grey area in the surveillance practices of various countries. It is regarded as important because it is used to monitor and target users who may be linked to criminal or terrorist activities. On the other hand, it is also very controversial because, under the cover of targeting criminal activities, the associations or companies involved might attack civilians or protestors in any area. This is crucial to note, as such interference can amount to cyberwar or a cyberattack capable of changing the political system of a country like Estonia. The Pegasus case has given a warning of upcoming challenges in cybersecurity and of the laws essential to meet them.
Facts of the case
- NSO Group Technologies is a surveillance-based company in Israel. ‘Pegasus’ spyware was created by this company. It is a private company which tracks terrorists, drug traffickers and other criminals, helping government intelligence and law enforcement agencies to meet the challenges of encryption and technology.
- On 29th October 2019, WhatsApp, which is owned by Facebook Inc., filed a suit in a California court against NSO Group Technologies.
- WhatsApp alleged that the ‘Pegasus’ spyware used by the company hacked the phones of 1,400 users across the world. It also alleged that these users were civil members of society, journalists and human rights defenders from almost twenty countries.
- NSO Group was not able to respond or appear in the court and thus notice of default was entered in the court.
- WhatsApp alleged that the company was using computer infrastructure and remote access to inject the spyware into users’ devices through WhatsApp, causing malicious code to establish a connection between the users’ devices and the company without any interaction by the user.
- NSO Group alleged that it was not served notice of the lawsuit properly and on time, which is against international law.
- WhatsApp argued that several attempts were made to serve the notice on the company.
- On 6th March 2020, NSO filed an application to the California court to set aside the previous decision, as the notice was not served on time, which it said was a violation of the Hague Convention because the service rendered by WhatsApp was incomplete.
- On 26th November 2019, NSO filed a separate lawsuit against WhatsApp in Israel alleging that Facebook had blocked their private accounts. Facebook replied that they had done so for security reasons.
Arguments and decision
NSO argued that the petitioner had violated the rules on service of process under international law by not providing legal notice of the lawsuit filed in the California court. It also argued that it had no intention of targeting WhatsApp users and was only targeting the customer’s database provided to it. Furthermore, it argued that its customers are foreign sovereigns and that, as a private agent of such customers and of a foreign state, it is entitled to the immunity provided to such foreigners in US courts. It also argued that it functioned in the capacity of a supplier, following the instructions of its customers or the government, and thus cannot be held liable.
WhatsApp argued that the step taken by NSO was deliberate and intended to spy on people connected to social causes and on other civil members of society. It demanded a permanent injunction from the court to block NSO so that it cannot intrude into the computer systems of WhatsApp and Facebook. It alleged that NSO had violated the California Comprehensive Computer Data Access and Fraud Act and had wrongfully breached and trespassed on the property of WhatsApp.
In July 2020, the District Court of California gave its decision in favour of WhatsApp and held that the lawsuit will proceed. The court was not satisfied with the argument that NSO had no intention of targeting WhatsApp users. Regarding immunity, the court held that it is only applied to US citizens who are private entities, and the company was not considered a foreign state. The court also held that jurisdiction for the case will remain in California, as NSO exceeded its authorised access and attacked the servers of WhatsApp located in California.
What is Pegasus?
Pegasus is spyware developed by the Israeli cyber arms firm NSO to keep track of a user’s mobile device. A link is sent to the targeted person and, as soon as the target opens that link, malware is injected into the device, which allows surveillance of the target. A newer version is alleged to be more powerful and destructive and does not even require any interaction by the user. The organisation created the spyware to keep an eye on terrorist activities and other criminals. NSO works with the governments of different countries and with law enforcement to conduct such activities. The Citizen Lab, based at the University of Toronto, stated that Pegasus exploits a security weakness and penetrates the user’s device without the user’s knowledge. This kind of exploitation is known as a “zero-day exploit”, which means that it relies on an unknown vulnerability of which neither the user nor even the manufacturer is aware. It is difficult to fix such issues in a device. Knowledge of this particular spyware emerged when a human rights activist was targeted through SMS links on his mobile phone. There have been various incidents in Israel itself, but it was through the suit filed by WhatsApp that the gravity of the situation came into the picture.
Effects of Pegasus Spyware
The allegations made by WhatsApp in the application filed to the court are very serious. WhatsApp has alleged that once this spyware has been transmitted to a user’s device, it can access emails, SMSs, passwords, location, network details, browsing history and device settings. The Citizen Lab has alleged that, apart from contact lists and emails, it can also access the device’s camera and microphone, thus recording every call and message. WhatsApp also alleged that Pegasus exploited the video and voice call function, through which the spyware enters the device without the user’s knowledge.
Other spyware like Pegasus
CVE-2019-11931 – After the Pegasus case, WhatsApp was targeted with another attack of the same kind. In this attack, the user is prompted to download an MP4 file sent by a contact, which breaches the security of the device and can result in Denial of Service (DoS) or Remote Code Execution (RCE). This can breach a device’s security without the knowledge of the user.
CoolWebSearch – It is spyware that installs itself on Microsoft Windows based computers. Once a computer is infected, it can slow down the computer’s connection speed. Its pop-ups can redirect the user to other websites and collect private information about the user. Certain versions of it can use advertisements to infect the computer and can access the user’s history as well.
Gator – It was a now-defunct software company known for adware products. It used to download the user’s software and tracked users’ online browsing habits and patterns. The company emerged as one of the first to track users’ behavioural patterns online and used such patterns to target advertisements for marketing.
Exodus – It is an iOS version and uses phishing traps so that users are led to download malicious apps through which surveillance is possible. Apple’s Developer Enterprise Program was used to infect the devices and legitimately spread the spyware. It could access the photos, videos, contact list and locations on the user’s device as well.
DROPOUTJEEP – It was used by the National Security Agency to spy on targeted users through their laptops and mobile devices. It had the capability of spying on files, folders, camera, location, mic, voicemail, SMSs and contact lists. Without the knowledge of the user, the NSA could spy on such a person and access the location, messages and contacts being used.
Indian laws in the wake of spyware attacks
The Pegasus case worked as a wake-up call in India. As alleged by WhatsApp, there were many Indian activists and civil members who were being spied on through this spyware. This raises the question of data protection and privacy in India. In the case of Justice Puttaswamy v. Union of India, the ‘Right to Privacy’ was recognised as a fundamental right and, like any other fundamental right, it is subject to some limitations. In the opinion of Justice Chelameswar, there are four tests which can be used in privacy matters:
- Arbitrary State action can attract reasonableness enquiry under Article 14.
- Issues relating to obscenity or public order can attract Article 19.
- Concerning the case of life and personal liberty in a just, fair and reasonable manner, Article 21 can be attracted.
- In a case where there is a compelling state interest, the highest level of scrutiny is required.
It is very clear from the judgment that privacy, being a fundamental right, belongs to every citizen and is thus to be protected as a right under Article 21, which provides the right to life and personal liberty. Even when certain restrictions are imposed due to public order or national security, they should not take away the basic rights of people.
The Pegasus case has highlighted how spyware can breach a user’s privacy and personal data. Thus, it becomes crucial to examine the issue and bring in a strong policy on data privacy. Section 69 of the Information Technology Act, 2000 and Section 5 of the Telegraph Act, 1885 give the Government the right to conduct surveillance over users in the country. They provide various grounds, such as sovereignty, integrity, security and defence, on which the Government can, following the law, put people under surveillance without their permission. The Information Technology Act, under Sections 43 and 66, criminalises any act of unauthorised access to a computer, and even the Government is included under this provision. However, a breach of this kind raised various questions, including the safety of digital users in India and the liability of the Government in terms of data being under surveillance.
The Personal Data Protection Bill of 2019 was one of the most awaited bills of the year, especially after the Puttaswamy Judgment in 2018. The Bill provides for various features and establishes a Data Protection Authority of India to protect personal data, prevent misuse of any personal data, protect the interests of individuals and promote awareness about data protection and data policy. The Bill also provides for the transfer of data outside India, but only with the express consent of the individual. Data collection is to be done for a specific purpose, and the information collected should be restricted to that purpose with the express consent of the individual. The Bill also defines sensitive personal data, such as financial data, biometrics, caste and political belief, and restricts its collection except where consent is given. A Data Fiduciary, as defined under the Bill, is an entity or an individual which decides the purpose of processing such personal data, and can be the Government as well. The measures which such fiduciaries have to follow have also been defined.
Section 35 of the Bill has been in controversy since the Bill emerged in December. This provision exempts the Government from all other provisions in the Bill on the grounds of sovereignty, integrity and the security of the state, public order, friendly relations with other countries and the prevention of incitement to the commission of any cognizable offence related to those grounds. This has grabbed the attention of many experts, and many people have shown concern over it. The section seems to be very arbitrary and broad. There is no accountability or transparency, as in the name of security or integrity the Government can misuse the information being collected. However, some experts have also argued that it is a necessary step and that, considering the necessity of spyware in the first place (to target criminals and terrorists), the Government must be given such power so that there is no hindrance to executive action. But the dilemma remains, as it contradicts the whole purpose of the right to privacy being a fundamental right.
Spyware cases like Pegasus are the starting point of an age of digital warfare. With the advancement of technology, such incidents are likely to happen more often. It is crucial that there are stringent laws covering foreign illegal access to devices and the limits of spyware control. The Pegasus case also highlighted the need to regulate spyware, as the objective of targeting users who are criminals or suspected of criminal activities can extend to spying on individuals such as activists and protestors, and in the long term may damage the whole structure of democracy and the privacy of individuals.