Protecting privacy

Pegasus has exposed systemic vulnerabilities

The revelation that an Israeli company illegally installed surveillance software on the mobile devices of at least 121 Indians has highlighted long-standing problems with India’s data-protection and privacy laws. The Instant messenger, WhatsApp, which is a subsidiary of Facebook, has sued the Israeli company, NSO Group, in a US court for exploiting a vulnerability in the messenger app to clandestinely install surveillance software, Pegasus, which monitors, logs, and transmits more or less all activity on the infected mobile phone. This vulnerability allowed Pegasus to be installed by simply giving a missed call on WhatsApp. Over 1,500 people are said to have been infected worldwide by Pegasus. WhatsApp claims that the intrusions occurred during April-May this year, and that it has since patched the vulnerability. 

On its part, NSO claims that it sells its software only to government agencies, which further complicates the issue. A glance at NSO’s client list does suggest its clients are mainly government. Pegasus software and associated monitoring services are very expensive and it has been sold to the governments of Mexico and Egypt, among others. The list of targeted Indians includes many well-known civil rights activists, lawyers, journalists, and politicians. Since this was the period when India was conducting general elections and a substantial number of the named targets are either members of the Opposition or individuals who have had run-ins with the government, conspiracy theories are inevitably doing the rounds.

The Indian government claims that WhatsApp has not clearly spelt out the vulnerability and used “technical jargon” when it informed the Indian Computer Emergency Response Team and other government agencies about the security issue in May. The government has now convened two parliamentary committees to investigate the issue. More details are likely to emerge as the case is heard in the US. Whichever entity was responsible for targeting Indian citizens and clandestinely installing Pegasus, it clearly broke Indian law. No government agency has yet been identified, as carrying out this operation. If it wasn’t done by a government agency, the law was broken, by definition. Even government agencies are supposed to obtain permission to carry out surveillance operations at a high level, while stating the need for such violations of privacy.

It is also true that the government has delayed putting privacy protection laws in place, which could have allowed a more specific definition of the crime and the appropriate punishment. The Supreme Court ruled in August 2017 that privacy is a fundamental right. Consequent to that, a commission headed by Justice (retired) B N Srikrishna drafted a piece of model personal data protection privacy legislation, which was released in July last year and incorporated public comments by October 2018. Plenty of legislation has been cleared and passed by Parliament since then, but that draft has remained in abeyance. In the absence of such legislation, there are grey areas without a clear definition of when surveillance can be instituted, by which agency, and the safeguards against wantonly monitoring private citizens. This incident brings to light the inherent dichotomy between a Constitution that recognises privacy as a fundamental right and a legislative arm that indefinitely delays passing laws that offer specific protection to that right.