The storm of the recent Pegasus spyware episode raging in the international and domestic media discourses could have varied consequences for diverse constituencies. The revelations, led by Amnesty International, has India keeping company with Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. The list was promptly denied by the NSO Group — the Israeli corporate entity that marketed the spyware. Deniability revealed itself as the strongest suit of Pegasus.
Amnesty’s efforts cannot provide the sinews for legal challenges but they will fan political storms in democracies and India is the only one on the list. This should be a matter of concern. The heart of the issue is the possibility of abusing power in the garb of national security. The abuse lies in the feasibility of illegal deprivation of human rights, especially the right to privacy. Illegal, because snooping is supposedly being done without the due process of law.
From a national security perspective, it is important that whatever be the truth of the Pegasus activity in India, the dangers that technological progress in surveillance methods poses to individual privacy and democratic safeguards through misuse of power cannot be ignored. The groundwork that was done by the erstwhile Planning Commission and certain private entities should be harnessed to evolve legal and structural safety nets.
The individual citizen cannot be left at the mercy of technological grey areas and existing legal loopholes. At the same time, the State must be empowered to conduct intelligence activities to protect and further national interests. Most importantly, the State must not be left to undertake intelligence activities to serve narrow political interests in the name of national security. It is not an easy balance to strike in an ambience of deep domestic political polarisation. It is for elected legislators to stand by the oath taken by them to the effect that the nation must come first.
Modify the legal framework
A right to privacy, per se, is not guaranteed in the Indian Constitution. The courts have, through several judgments, come to a consensus about a limited right to privacy emerging out of a host of other rights, especially the Right to Life and Liberty as espoused in Article 21. The Supreme Court is yet to give its verdict despite the challenges to this interpretation since 2015, although it did pass certain directions on the issue.
In India, two legislations regulate communication surveillance — the Telegraph Act, 1885, and the Information Technology Act, 2000, that deal with the interception of calls and electronic data, respectively. Meanwhile, the interception, monitoring and decryption of digital information is authorised through Section 69 of the IT Act. The statute allows for these actions “in the interest of the sovereignty and integrity of India, defence and security of the State, friendly relations with foreign nations, public order, preventing the incitement to the committing of any cognizable offence relating to the above, and for the investigation of an offence.”
According to a Policy Paper on Surveillance in India, “the rules framed under Section 69 and 69B include safeguards stipulating who may issue directions of interception and monitoring, how such directions are to be executed, the duration they remain in operation, to whom data may be disclosed, confidentiality obligations of intermediaries, periodic oversight of interception directions by a Review Committee under the Indian Telegraph Act, the retention of records of interception by intermediaries and mandatory destruction of information in appropriate cases.” Rule 3 allows the “competent authority” to issue directions for monitoring for a number of specified purposes related to cybersecurity.
Technological developments in surveillance have made it possible to utilise several methods of intrusion into digital devices. The Pegasus spyware and other passive surveillance methods bypass the physical control infrastructure authorised by the government, by not availing it. Pegasus, therefore, operates beyond the existing legal regulatory framework. There is a need to modify the legal framework to include such technologies. Being deniable, the ability to stonewall the occurrence of surveillance by intelligence agencies must be foiled.
The government narrative could be that ‘nothing has happened, Pegasus is entirely fabricated, safeguards are adequate and India’s democracy is alive and kicking.’ However, this would mean that we would miss another chance to protect democracy from the onslaught of illegal utilisation of technology in the name of national security. Moreover, certain multi-national corporations, through data, already know quite a lot about millions of Indians. And yet, these practices continue unimpeded, just so that it can be monetised. The motivation is profit. In the case of State surveillance, the motivation could be national security considerations like prevention of terrorism and crime. It could also be the emasculation of freedom of expression of citizens and political rivals. Legally, national security considerations reign supreme and individuals are incarcerated in a tedious criminal justice system, where the process itself can be the punishment.
The political debate will remain a discourse of mutual recriminations and will be overtaken by other issues in due course of time. But from the perspective of national security, there are sufficient grounds to review the checks and balances that are in place to prevent the misuse of power.
Missing oversight on State surveillance
The major lacuna in the state surveillance system is that review structures lack independent oversight. The Review Committee under the Cabinet Secretary consists purely of executive members when it should rather have a wider pool of people from diverse backgrounds, especially from the judiciary. Importantly, the interception activities of the police and intelligence agencies must be carried out in accordance with the procedures contained in the Telegraph Act, 1885 and the Information Technology Act, 2000, and the Rules framed under those legislations. At this point, passive surveillance by intelligence agencies does not seem to be governed by any legislation.
In 2012, a group of experts was appointed by the Planning Commission to identify privacy issues and prepare a paper to inform privacy legislation in India. They noted “that there were clear inconsistencies with regard to permitted grounds, type of interception, the granularity of information that can be intercepted, the degree of assistance from service providers, and the destruction and retention of intercepted material.” The report concluded that these discrepancies “have created an unclear regulatory regime that is non-transparent, prone to misuse, and that does not provide a remedy for aggrieved individuals.” These legal grey zones can be exploited by the intelligence and investigative agencies.
The use of externally sourced spyware for conducting surveillance must be governed by policies enunciated by the National Information Board, which is headed by the National Security Advisor (NSA) and consists of Cabinet Secretary, Chief of Defence Staff, Chiefs of Armed Forces, and the secretaries of the Ministries/Departments of Foreign, Home, Defence, Finance, Communications, Electronics and Information Technology, Telecommunications, Information and Broadcasting, Space and Atomic Energy along with Intelligence Bureau, Research and Analysis Wing (RAW), National Technical Research Organisation (NTRO), Defence Intelligence Agency (DIA) and the Member Secretary from National Security Council Secretariat (NSCS). The Board is mandated to evolve policies on information security and information warfare and oversee the creation and monitoring of structures for implementation of the policies.
Financial implications of Pegasus
Reports regarding the financial implications of utilising the Pegasus spyware indicate the humungous costs involved, which would ordinarily require the sanction of the Cabinet Committee on Security unless the funds are expended as intelligence funds. The oversight of intelligence funds lies with the Intelligence Coordination Group that is headed by the NSA and includes the Cabinet Secretary and has a member Secretary from the NSCS. Its invitees normally include the Chiefs of the Armed Forces, Secretary of the RAW, Director of the Intelligence Bureau (DIB), Director General of the DIA and Chairman of the NTRO. Tasking of intelligence agencies and reviewing their output is the responsibility of the Intelligence Coordination Group (ICG) headed by the NSA. The Member Secretary is the Deputy NSA who heads the technology and intelligence vertical in the NSCS. The responsibility to oversee, approve and induct high-tech resources for intelligence activities lies with the Technical Coordination Group (TCG), which is headed by the NSA and has as its members the Principal Secretary to the Prime Minister, the Cabinet Secretary, Chairman of the Chiefs of Staff Committee, Secretaries of Space, Department of Atomic Energy, RAW, Scientific Adviser to the Defence Minister, DIB, DGDIA, Deputy NSA, with the NTRO chairman being the Member Secretary. This mechanism is unwieldy and, on some occasions, due to the sensitive nature of the matter at hand, the proceedings are restricted to the intelligence agency and the NSA. It would be preferable to restrict the core size with the rest being invitees based on ‘need to know’ principle.
It would be apparent that the system in place is intended to be robust, broad-based, and maintains the required degree of secrecy of intelligence activities. But, such mechanisms can always be undermined from within, and so there have been moves to have parliamentary oversight of intelligence activities. Since 2019, Congress MP Manish Tewari has been attempting to introduce a private member’s Bill that seeks to do just that. The Bill certainly makes some useful points. But he found no support from his own party and recent news reports indicate that he proposes to reintroduce the Bill consequent to the Pegasus issue.
The deniability of spyware is constantly being challenged by advances in digital forensics. However, deniability gains strength when foreign spyware is used since international cyberspace is ungoverned. Importantly, the demands of surveillance for national security coupled with technological advancements offer great temptation for abuse of power especially when it is unbridled from the existing regulatory framework and independent oversight. Pegasus will come and go but the threat of abuse shall endure.
Lt Gen (retd) Dr Prakash Menon is Director, Strategic Studies Programme, Takshashila Institution; former Military Adviser, National Security Council Secretariat; and former Member, Executive Council, IDSA. He tweets @prakashmenon51. Views are personal.
(Edited by Srinjoy Dey)