The Pegasus Affair
Story by Anushka Jain | Art by Rai
If you have been keeping abreast of the news cycle, you may have heard recent groundbreaking revelations made by an international consortium of news organisations, including India’s The Wire, about the extent to which illegal technological surveillance through spyware, such as the NSO Group’s Pegasus, is prevalent around the world and how it is being used to maliciously target those who need to protect their privacy the most.
What is Pegasus?
The NSO Group is an Israeli spyware firm which sells spyware such as Pegasus around the world to “vetted” government clients. According to the company, their “products help licensed government intelligence and law-enforcement agencies lawfully address the most dangerous issues in today’s world. NSO’s technology has helped prevent terrorism, break up criminal operations, find missing persons, and assist search and rescue teams.” NSO’s Pegasus is a hacking software, or ‘spyware’, which is capable of complete infiltration of any device that it infects. Once the spyware is on a device, it can access any data that is on the device, including messages, emails, contacts, whatsapp chats, photos, videos, calendars, and GPS data. It can also turn on the camera and/or the microphone and create recordings.
History of Pegasus in India
In 2019, it was reported that Pegasus was used to target the WhatsApp accounts of 121 Indian citizens, out of which 20 were successfully hacked. India’s involvement in this enormous breach was first found in the report put out by Citizen Lab, which is an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada, conducting research on the use of spyware supplied to government vendors and intelligence agencies by the NSO Group, on September 18, 2019. This explainer report listed the various countries affected by the Pegasus software and also explained its functioning.
The report revealed that, in India, a distinct Pegasus system was used to target a number of Internet Service Providers, including Bharti Airtel and MTNL. On May 14, 2019, an article first published in the Financial Times reported that the WhatsApp company had “discovered that attackers were able to install surveillance software on both iPhones and Android phones by ringing up targets using the app’s phone call function.” As per a statement by WhatsApp, this vulnerability was patched and closed. On October 30, 2019, Indian Express published a report containing statements made by WhatsApp which confirmed that the victims of the hack were mostly Indian journalists and human rights activists.
However, the Pegasus saga has taken on a new life in 2021, with The Wire reporting on July 18, 2021 that “a leaked database of thousands of telephone numbers believed to have been listed by multiple government clients of an Israeli surveillance technology firm includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”. The report also detailed that since 2019, NSO has been able to advance Pegasus’s developments to the extent that now Pegasus spyware infections can be achieved through so-called ‘zero-click’ attacks, which do not require any interaction from the device’s owner in order to succeed.
How does Pegasus violate your rights?
No such power to hack the phones of Indian citizens exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000 and it is only through such hacking that the Pegasus spyware can be used against a person.
Surveillance such as this which was carried out by NSO through its Pegasus software puts the personal privacy of citizens at risk. The risk is especially to informational privacy which was one of the major focuses of the landmark decision in Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1 which affirms the fundamental right to privacy. The Hon’ble Justice D.Y. Chandrachud in this decision focuses on the informational aspect of privacy and its connection with human dignity and autonomy. The decision recognises informational privacy – which reflects an interest in preventing information about the self from being disseminated, and controlling the extent of access to information – as one of the facets of the right to privacy.
The Pegasus affair reveals a need for urgent surveillance reform to protect citizens against the use of such invasive technologies which hamper their fundamental right to privacy and threaten the democratic ideals of our country. Use of such surveillance technology on journalists leads to a chilling effect as it deters them from working and reporting on sensitive matters, some of which may be against the ruling government, as they fear jeopardising themselves and the personal safety of their sources. It also stops human rights defenders from working with vulnerable people, some of whom may have been victimised by their own government, as it could open them up to further abuse.
Therefore, such surveillance cannot be accepted in a democracy. Legislative measures must be introduced in Parliament to uphold the Right to Privacy decision of the Supreme Court of India recognising privacy as a fundamental right. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens.