More questions on Pegasus

India needs more transparent checks and balances

The government’s reluctance to file a simple affidavit in the Supreme Court about the deployment of Pegasus spyware will inevitably add to widespread suspicion that the fundamental right to privacy of ordinary citizens was violated by government surveillance. This case is yet another pointer to gaping holes in the legal system. One lacuna is, of course, the lack of a specific law to protect the private and personal data of citizens. Another is the opacity of the process of official surveillance: How it is ordered, on what grounds, by whom, against whom, and with what oversight. There are no answers to those questions and governments hide behind the catch-all phrase of “national security” when any questions are asked.

A multi-organisational, multinational investigation released a list of over 1,000 Indians allegedly targeted by the Israeli Pegasus software. The list includes many journalists, members of Parliament, including Cabinet ministers, judges, civil servants, Dalit activists, industrialists, and even scientists. Cybersecurity experts claim at least seven persons who consented to have their handsets examined have been infected. The makers of Pegasus, Israel’s NSO group, says it only sells to government organisations. Infecting and monitoring a given target is expensive. It costs at least $100,000 to infect a target and human resources must be deployed to carry out subsequent monitoring. If the Indian government is not responsible for this, it is in some sense even more worrying that some other organisation could carry out such extensive surveillance.
 

Every government deploys surveillance for a variety of reasons. But most nations with claims to being democratic have privacy and data protection laws. Those protect the individual’s right to privacy, including protection from surveillance, and unauthorised, overenthusiastic data collection by government agencies. More enlightened legislation like the European Union’s (EU’s) General Data Protection Regulation even offers an umbrella of protection to individuals who are not EU citizens if their data is being collected and held by European entities. A piece of draft data protection legislation was released by a commission headed by retired Justice B N Srikrishna in 2018. That was redrafted extensively to remove the clauses offering protection from data collection or surveillance by government agencies. Even the redrafted version has not been placed before Parliament.

Under the current system, a senior bureaucrat must authorise a request for surveillance. But it is a warrantless process. There is no compulsion to justify such a request, even retrospectively. No data is available on how many such requests are made, and authorised, and why. This runs counter to democratic norms. Such requests must be logged, justified, and minuted officially. If elected politicians, senior bureaucrats, and judges are targets of official surveillance, the requests should perhaps be referred to a joint parliamentary committee to consider issues such as breach of parliamentary privilege. Some of the loopholes exploited by Pegasus are being plugged. Both Google and Apple have released emergency updates to the Android and iOS operating systems to block so-called “zero-day” exploits. However, the continuing lack of appropriate protective legislation, and of institutional safeguards against warrantless surveillance, means that the privacy of Indian citizens does not, in practice, exist. Citizens will remain vulnerable until there is legislative action on this front, and transparent checks and balances are created to prevent unnecessary and unjustified surveillance.