In Pegasus battle, the fight for surveillance reform

The gaps in an intrusive surveillance framework are causing severe harm to India’s democratic ideals surveillance reform

A year has passed since the disclosures about the Pegasus Project revealed the threat to India’s democracy. A leading digital news platform reported that the cellphones of at least 300 Indians had been hacked with Pegasus, the spyware from the Israel-based NSO Group; 10 of the cases were confirmed by Amnesty International’s Security Lab using forensic analysis. The victims, important members of India’s constitutional order, included cabinet Ministers, Opposition leaders, journalists, judges and human rights defenders.

India has been aware of the existence of Pegasus since October 30, 2019 when WhatsApp confirmed that the spyware has been used to exploit a vulnerability in its platform to target activists, academics, journalists and lawyers in India. Since then, NSO has been able to advance its technology, and Pegasus can now infect devices without any action on the user’s part. Considering the severity of the threat posed by these disclosures, and the credibility of the evidence which backs them, it is important to examine how each branch of the Indian state has responded, or failed to respond, in protecting the privacy of citizens.

The expectation is that the executive will provide the first response and that government agencies will respond with action given the serious nature of the disclosures. But on July 19, 2021, the Minister of Electronics and Information Technology, Ashwini Vaishnaw, referring to “press reports of 18th July 2021”, refused to directly address the claims made by the Pegasus Project; he stated that the existing legal framework prevents unauthorised surveillance.

On November 28, 2019, the former Minister of Electronics and Information Technology, Ravi Shankar Prasad, had responded similarly to allegations over the use of Pegasus. A report by The New York Times of January 31, 2022 contradicted both their statements and stated that ‘India has bought Pegasus in 2017 as part of a $2-billion’ defence package. The apathy shown by cabinet Ministers has been mirrored by specialised agencies.

In response to disclosures by the Pegasus Project, CERT-IN, the nodal agency, the Indian Computer Emergency Response Team, that deals with cybersecurity threats, has remained silent. However, WhatsApp’s statement in 2019 did compel CERT-In to issue notices to NSO and WhatsApp on November 26, 2019. But the agency has not provided any updates on what has transpired.

Under India’s constitutional scheme, the legislature is responsible for holding the executive accountable. However, practice has failed to match principles. When on July 28, 2021, the IT Committee sought to question officials from the IT Ministry and the Home Ministry on Pegasus, members (primarily from the ruling party), according to news reports, abstained as a bloc and prevented a quorum. Previously, on November 19, 2019, those who had been targeted by Pegasus using a vulnerability in WhatsApp, wrote to the IT Committee which even discussed the issue. However, it has not provided any updates on its findings. Separately, in every parliamentary session since the revelations, the Opposition has sought a discussion and a probe. Both demands have been ignored.

When it became evident that no answers were forthcoming from the executive and the legislative branches, the victims turned towards the judiciary to seek redress. Thus, on August 5, 2021, the victims approached the Supreme Court of India where they demonstrated that forensic analysis had found their phones to have been infected.