The technical committee missed the June 20th deadline, and submitted its final report on Pegasus investigation in July-end
The refusal of many victims, named in the Pegasus list, to hand over their phones for forensic investigation led to the delay in submission of the report
The Union government operates a slew of surveillance programmes without any legal framework and they are beyond the statutory purview of the Telegraph Act and the IT Act: IFF’s Apar Gupta told the committee
After multiple delays, the Supreme Court-appointed three-member technical committee has finally submitted its report on the Pegasus row. The Supreme Court is likely to hear the case on August 12, 2022.
On October 27, 2022, a three judge bench comprising Chief Justice NV Ramana, Justice Surya Kant and Justice Hima Kohli constituted a technical committee on the issue and asked it to submit the report expeditiously.
For the uninitiated, Pegasus is spyware developed by Israeli cyber-arms company NSO Group that can be covertly installed on one’s mobile phones through a zero-click exploit. According to the NSO Group, Pegasus is sold only to government bodies across the world.
In July-August, 2021, Indian news platform The Wire, in collaboration with 16 other global media organisations, investigated the Pegasus project and revealed a list of 174 influential Indians who were targeted through the spyware. The New York Times later confirmed the report that the Indian government had bought Pegasus from Israel as part of a bigger deal.
On the request of the technical committee, the Supreme Court in May 2022 extended the deadline to submit the report to June 20, 2022. The Committee, however, missed the deadline and submitted the report by July-end.
Since its inception, the technical committee had been struggling with people’s apathy towards the matter. A majority of the victims named in the list refused to hand over their phones to the committee.
Cybersecurity expert Anand Venkatanarayanan, IIT Kanpur Prof Sandeep Shukla, Internet Freedom Foundation (IFF) cofounder Apar Gupta, veteran journalists N Ram, Siddharth Varadrajan, Sashi Menon, J Gopikrishnan, and MP John Brittas are among the experts and victims who agreed to participate in the investigation.
Pegasus Snooping Row
Once infiltrated using Pegasus, the entire control of a smartphone – be it an Android phone or Apple – can be handed over to the Pegasus operator, who can remotely control all the functionalities of the phone and switch on or off different features.
Venkatanarayanan, in his submission to the committee, explained that Pegasus spyware has existed since 2016. Since then, the spyware has been updated multiple times. In the beginning, it was activated by sending an SMS to the target mobile, and the target user had to click on the link to activate the malware. Over the years, the malware became fully automated and needs zero click from the target.
The latest version of the malware is so powerful that it even stops Apple iPhones and Android mobiles from sending crash reports and log files which could help trace its presence.
According to an Amnesty report, over 50,000 mobile phone users were identified as people of interest by the clients of the NSO Group. Out of these, over 300 mobile numbers belonged to Indians. These users may have been infected by the spyware. In 2019, WhatsApp stated that the Pegasus spyware infected at least 1,400 users globally, including 121 users from India.
By August 2021, the mobile phones of 10 Indians were forensically analysed and confirmed to have been infected by Pegasus.
IT minister Ashwini Vaishnaw, Minister of State for Food Processing Industries Prahlad Singh Patel, MP Rahul Gandhi and his seven aides, former Supreme Court judges, Supreme Court registrars and other staff, former CBI chiefs Rakesh Asthana and Anil Verma, Dalai Lama’s staff, and a number of journalists and activists were in the list of 174 Indians who are believed to have been the victims of Pegasus.
J Gopikrishnan, in his submission to the Committee, pointed out that it was clear that funds were allotted for buying Pegasus spyware in the Union Budget of 2018. The National Security Council was allotted INR 333 Cr in that year’s Budget as against INR 33 Cr in the previous year. The extra INR 300 Cr was marked for cybersecurity. Later, the use of Pegasus began.
Can Supreme Court Alone Fix The Consistent Violation Of Data Privacy?
On October 27, 2021, the Supreme Court said that the Government of India can not get “a free pass every time” under the garb of “national security”, and formed a technical committee to investigate the Pegasus issue for violation of the right to privacy and freedom of speech.
However, the big question is if the Supreme Court alone can fix the issue when there is no clarity and data protection laws to safeguard data privacy.
IFF’s Gupta, in his submission, said that the Union and state governments are empowered to conduct surveillance under Section 5(2) of the Indian Telegraph Act, 1885 (‘Telegraph Act’), and Section 69 of the Information Technology Act, 2000 (‘IT Act’).
Section 69 of the IT Act also provides a process and procedure as per Rule 419-A of the Telegraph Rules, 1951 (as amended) and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 for surveillance, he added.
Besides, there are also “Standard Operating Procedures” issued by the Ministry of Home Affairs dated May 19, 2011, on this. Under Section 5(2) of the Telegraph Act, the executive is permitted to direct interception of messages only ‘on the occurrence of public emergency’ or ‘if it is in the interest of public safety’.
Similarly, under Section 69 of IT Act, the executive may issue directions for interception if it is in the interest of the grounds stated therein, which are similar to those listed under Section 5(2) of the Telegraph Act. However, neither Section 5(2) nor Section 69 permit surveillance ‘for the purposes of national security’ or ‘maintenance of public order’ or ‘prevention and investigation of offences’.
“In the absence of clarity in the definitions of the grounds specified in Section 5(2) of the Telegraph Act and Section 69 of the IT Act, it cannot be said that the existing boundaries of state surveillance are well understood or enforced,” wrote Gupta.
The Right To Information (RTI) applications filed by the Internet Freedom Foundation (‘IFF’) revealed that before the general elections of 2019, the Department of Telecommunications (DoT) had sought bulk call data records from telecom operators.
Pegasus is just one of the surveillance tools. Amid a lack of clarity and safeguards, the Union government has invested heavily in building various surveillance programmes such as the National Intelligence Grid (NATGRID), the Centralised Monitoring System (CMS), Crime and Criminal Tracking Network System (CCTNS), and the proposed National Automated Facial Recognition System (AFRS) that operate without any legal framework and are beyond the statutory purview of the Telegraph Act and the IT Act, Gupta alleged.
Can the Supreme Court’s judgement on the issue dismantle the entire infrastructure which the government has consistently defended as being essential for national security? It must also be noted that this infrastructure has been under continuous cyber-attacks from Chinese and Korean hackers.
Will the Supreme Court’s judgement be able to draw a fine line between privacy, freedom of speech and national security?
Not until we have permanent laws to safeguard people’s data privacy, believe experts.