Disclosures from the Pegasus project have thrown democracies across the world in a tizzy. Revelations that spyware sold by Israel-backed NSO group was used to target opposition leaders, civil rights' defenders, union ministers, businessmen, and in India's case even Supreme Court judges have sparked outrage in sections of the society.
Congress President Rahul Gandhi, Union Ministers Ashwani Vaishnaw and Prahlad Singh Patel, political strategist Prashant Kishore and the Supreme Court staffer who in April 2019 had accused former Chief Justice of India Ranjan Gogoi of sexual misconduct and more than 40 journalists could have been potential targets for surveillance by using the NSO Group-owned spyware Pegasus.
Also Read: SC Staffer Who Accused Ex-CJI Gogoi Of Sexual Harassment A Potential Pegasus Target
Responding to the 2019 scandal, Ravi Shankar Prasad had said violation of the procedure could attract penal consequences. "Anyone who has a problem can file an FIR or a formal complaint and the government will look into it. No unauthorised interception has been done," Prasad, who was the Information and Technology (IT) minister at the time had said on the floor in the Parliament.
The Pegasus expose raises key questions: Did the Centre, as a "vetted government" buy the software from NSO Group to spy on its citizens? Or was the software bought by a section of those in power without the government's knowledge or authorisation? Or lastly, if it's not the government's doing, then is it a foreign nation which is spying on Indians?
The Centre's evasive replies to address the issue have muddied the waters even more. This leads us to the key question: Can the government hack phones and snoop on its citizens?
Also Read: 40 Indian Journos In Leaked List Of Potential Targets Of Pegasus Snooping
Can the government snoop on its citizens?
In India, hacking someone's phone or device is a crime. The government cannot do it, private actors cannot do it. There is no law that allows any agency to install spyware/malware on someone's phone and extract information.
However, there are laws that allow the government to snoop on its citizens under exceptional circumstances and in the interest of national security. For example, the government can spy on you if it believes you are a terrorist who may commit acts against national interest. However, the government cannot put you under surveillance or tap your phones if you are a conman wanted for economic crimes. The threshold required by law to spy on a citizen is high.
"We have central laws that allow the government to intercept calls and monitor messages," advocate Apar Gupta told BOOM. "These acts (interception and monitoring) conducted within the limited legal framework implies a more passive role, as opposed to hacking which seems more assertive," Gupta, who is Executive Director of advocacy rights group Internet Freedom Foundation, added.
Snooping on citizens without sanction is illegal, former Supreme Court judge BN Srikrishna had said. Justice Srikrishna is the architect of the long-awaited Data Protection Bill, 2019.
Also Read: WhatsApp Spyware Hack: Should You Be Worried?
Which government agency can spy on you?
On December 20, 2018, the Centre notified 10 central agencies that could snoop on its people by intercepting, monitoring, and decrypting "any information" generated, transmitted, received, or stored in "any computer resource".
These are the Intelligence Bureau, Central Bureau of Investigation, Enforcement Directorate, Narcotics Control Bureau, Central Board of Direct Taxes, Directorate of Revenue Intelligence, National Investigation Agency, R&AW, Directorate of Signal Intelligence, and the Commissioner of Delhi.
Responding to a challenge to the December notification, the Centre backed its notification telling the Supreme Court that surveillance would be done as a last resort and the intercepted data, barring relevant information, would be deleted every six months.
According to a 2014 RTI reply, the Centre issues an average of 7,500 to 9000 snooping orders per month.
"Surveillance is on the rise in India. In 2019, two years after the Supreme Court ruled that the right to privacy is a fundamental right and must be protected against unwarranted surveillance, India was reported to be among the world's top three surveillance states. And since then, instances of surveillance, and hacking, which is illegal in India, have only increased," Namrata Maheswari, Policy Fellow with Access Now, a forum for digital civil rights, told BOOM.
What are the laws that allow the government to spy on you?
The Indian Post Office Act, 1898, the Indian Telegraph Act, 1885, and Information Technology (IT) Act, 2000 lay down the procedure of lawful surveillance of an individual. While the IPO allows for offline surveillance and interception of the article in the larger public interest, the telegraph act and the IT act lays down the laws and procedure which allows the government to spy on one's phone calls, messages, and internet history.
The Congress-led government had introduced the Intelligence Services (Powers and Regulation) Bill, 2011 to regulate the functioning and institute an oversight mechanism for intelligence agencies. However, the Bill lapsed leaving the legislative vacuum unaddressed.
In 2019, the Internet Freedom Foundation (IFF) challenged the provisions of surveillance laws in the Supreme Court, where the matter is still pending.
The Indian Telegraph Act, 1885
Section 5(2) of the Indian Telegraph Act outlined the grounds for interception which included protection of the sovereignty of India, friendly relations with countries, apprehension of incitement of public disorder, and state security on the pre-requisite condition of a public emergency or the interest of public safety.
In 1990, former prime minister Chandra Shekhar alleged the Congress government had illegally tapped phones of 27 politicians, including his own. His disclosure led to the discovery that there were no rules or procedures that governed the conduct or manner in which phones could be tapped.
This changed in 1996 when the Supreme Court in its People's Union of Civil Liberties (PUCL) verdict gave a scathing indictment of the telegraph act for its lack of procedure governing phone tapping and laid down guidelines for the same.
In 2007, the court's guidelines were formalized in Rule 419A which were then incorporated in the Telegraph Rules. The rules, amended in 2014, said that Cabinet Secretary, Home Ministry, or the State Government in-charge of Home Department (in case of State Governments) could authorize interceptions. In unavoidable circumstances, interception orders could be issued by an officer not below the rank of Joint Secretary.
However, misuse of phone tapping continued as there was no judicial or parliamentary oversight. There's no liability for failing to adhere with the rules. Surveillance orders are also exempt from the ambit of the Right to Information Act, 2005.
The 2008-2009 Radia Tapes controversy, Rajasthan Chief Minister Ashok Gehlot's August 2020 admission of tapping MLAs' phones, Essar leaks, and others are testament to the systemic failure.
The Information and Technology Act, 2000
Section 69 of the IT Act allows the government to engage in internet surveillance. While Section 69 mirrors section 5(2) of the telegraph act, it can be additionally invoked during the investigation of a crime. For example, the Delhi Police relied on WhatsApp chats to build its case against those accused in the February 2020 communal riots that hit northeast Delhi.
Surveillance can only be carried out by government agencies, and not private actors. The IT Act penalises hacking and the punishment can include jail term upto three years.
Additionally, the Unified Access Service License (UASL), Internet Service License (ISL), and the Unified License (UL) allow telecom providers to assist the Department of Telecommunications in conducting surveillance after receiving appropriate orders.
Earlier this year in February, the Centre enacted the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 which seek to regulate social media intermediaries, OTT platforms, and digital news media.
Almost all stakeholders who are affected by these rules have challenged the same before constitutional courts in this country escalating their friction with the Centre.
"The new IT Rules threaten to undermine encryption, which is critical to protecting the privacy and security of online interactions. The proposed e-commerce rules allow the government to obtain consumers' data for broad purposes, unrelated to consumer protection. Overall, there seems to be a trend of expansion in surveillance powers, and reduction in secure and private digital spaces," Maheshwari said.
State's security needs to be balanced against Right to Privacy: Supreme Court
In August 2017, the Supreme Court in its landmark KS Puttaswamy verdict accorded Indian citizens the right to privacy. However, this is not an absolute right.
Justice Sanjay Kishan Kaul, one of the nine judges on the bench acknowledged that this right needed to be balanced against the security of the state. To address concerns arising from the possibility of the State's infringement of privacy rights by introducing the 'Principle of Proportionality and Legitimacy' test where: (i) The action must be sanctioned by law; (ii) The proposed action must be necessary in a democratic society for a legitimate aim; (iii) The extent of such interference must be proportionate to the need for such interference; (iv) There must be procedural guarantees against abuse of such interference."
Two years later, the Bombay High Court in its 2019 Vinit Kumar case said the state could not intercept phone calls in economic offences cases, since it did not come under the category of 'public emergency' or 'in the interest of public safety'.
Data Protection Bill
The top court's Puttaswamy verdict gave birth to the Data Protection Bill. It was introduced in the Lok Sabha in December 2019 by then IT Minister Ravi Shankar Prasad. It sought to protect individuals' personal data and establish a Data Protection Authority for the same.
Maheshwari observes that the current bill does not sufficiently guarantee rights and safeguards against arbitrary government action. Arghya Sengupta, founder and research director at Vidhi Centre for Legal Policy concurs.
"Data protection laws are plainly insufficient," he told BOOM. "As part of the Srikrishna committee, we had recommended a specific law for this purpose that prevents unauthorized access while facilitating responsible and logged access for genuine national security reasons. No such law has been contemplated, let alone passed," Sengupta, who was also part of the Srikrishna committee, said.
"Indians are effectively facing a choice between having no data protection law and having one that does not adequately protect their data," Maheshwari said. "India's surveillance laws need to be reformed," she added.
"Existing laws grant centralized, opaque, and unchecked powers to the Executive. We urgently need changes in the surveillance regime in line with strict standards of legality, necessity, and proportionality, she said.
However, Sengupta said the data protection laws laid the framework for a national surveillance law to emerge. "It's important to realize that data protection laws serve the purpose of protecting and empowering data usage. They should not be turned into a national security statute in disguise," Sengupta said. "Important changes take time and require the right timing," he added.