The government has issued a statement of denial. But that raises even more disturbing questions. The maker of the spyware, the Israeli firm NSO, claims to sell it only to verified government agencies (NSO claims to have 60 customers across law enforcement, intelligence and the military in 40 countries). NSO sells licences for Pegasus (each licence allows multiple installations), does the installation (which means it aids in the hacking of the target device), sets up the physical infrastructure to collect and process data, and trains the customer in data collection. All this makes Pegasus an expensive package. Going by NSO’s rack rates, it costs close to $100,000 in capital expenditure to infect a single target and there are overheads to maintaining surveillance. It also requires the setting up of extensive physical infrastructure for monitoring, and involves extended interactions between NSO and the customer.
If the customer in this case wasn’t the government of India, it means some entity with a lot of resources and a large physical footprint has brazenly established an expensive surveillance operation on multiple Indian targets, and carried it out for an extended period — from 2018 to last week. This is a terrifying alternative possibility. Thus, the government must come clean on the issue. This also highlights the need for a strong data protection law that protects the individual right to privacy, including protection from surveillance and unauthorised data collection by government agencies. It also calls for a more transparent mechanism for the authorisation and oversight of digital surveillance, by means of phone taps, spyware installation, requests for personal identifying data from service providers, or anything else.
In India, a senior bureaucrat must authorise a request for surveillance. This is usually under the catch-all umbrella of “national security”. It is a warrantless process and, in practice, there is no compulsion to justify such a request or authorisation, even retrospectively. Indeed, nobody outside the home ministry knows how many such requests are made, who is targeted, who exactly made each request and for what reasons, or how many such requests were authorised. In most democratic nations, requests for digital surveillance must be logged and, often, justified at committee level, which means that they are debated in the minutes of meetings (which may be secret). If politicians, bureaucrats, or sitting judges are targets, such requests may have to be justified to a joint parliamentary committee, which has oversight of the whole surveillance process and is capable of considering questions like breach of parliamentary privilege. This incident indicates the urgent need to create such institutional safeguards.