Pegasus and the Law

The recent news regarding Pegasus, which is a surveillance software developed by an Israel-based cyber security company, has sparked a lot of controversies. This software revealed one of the largest and highly sophisticated cyber attacks that have been directed onto the civilians wherein this spyware was used to gain access to target phones in India. These targets include numerous journalists, opposition leaders, activists, etc. The “Pegasus Attack” allegedly violated the privacy of prominent Indian citizens and threatened to destabilize economies all around the world through its highly nuanced features. The primary discussion pertaining to this is the lack of effective national and international laws that exist in order to protect civilians from attacks such as this that cause a threat to the privacy and security of a country and its individuals. This is frightening as this is not the only attack that the world has seen and there have been others albeit smaller cyberattacks that have caused detrimental effects such as NotPetya and WannaCry ransomware.

Pegasus and the LawThe advancement of the pandemic has accelerated and highlighted the increasing need for a virtual and digital world but attacks such as these prove to be a boon to the advancement of technology. The more frightening thing is the lack of an adequate legal standing on this that would primarily fall under the scope of the Information Technology Act, 2000 and the rules and regulations laid down therein. However, concerns regarding the violation of certain fundamental rights conferred upon the citizens also come into play. This is because the software is allegedly used for the purposes of surveillance and espionage, which taps into the devices of individuals, gathers the data contained therein, and licenses such data to the government intelligence and law enforcement agencies. According to the developers, this was developed for tracking terrorists and criminals but the recent news reports indicate that this was used by some governments to spy on its citizens. The software has the ability to intercept and transmit various facets of the device including messages, emails, photos and videos, contacts, calendar, camera, GPS Data, etc.

This brings us to the primary issue wherein various human rights and activists’ groups have alleged that the spyware is being used for mass surveillance, which is being done by unknown organizations and government agencies with the intention of serving their political motives and curbing any voices of criticism and opposition that have been raised against the government. This is being done without any proper legal backing and leads to a denial of freedom of speech and expression, among other illegal activities. Thus, it is pertinent to understand the basic laws involved in such a scenario.

The Information Technology Act, 2000 is the primary law relating to activities conducted in cyberspace. Section 69 of the Act bestows the Central or State Government with the power to “intercept, monitor and decrypt” any information on a computer resource. This needs to be done for the purpose of protecting the security interests of the country, sovereignty and integrity of India, the security of the State, and friendly relations with foreign states or public order or for preventing incitement to the commission of an offense. The IT Rules, 2009 on interception, monitoring, and decryption of information provide the meaning of interception, monitoring, and decryption. Interception, as per the Rules can be done in any manner including by using interception devices whereas monitoring can be done only by using monitoring devices. Interception and monitoring could also come under the ambit of “hacking”, which some experts have claimed Pegasus is. However, software such as Pegasus would not be able to fall under the definition of “interception devices” or “monitoring devices” under the Act. Even so, in order to exercise surveillance powers, there are some conditions that need to be fulfilled as per the Act –

  • Prior written permission needs to be obtained by the relevant government agency by means of a reasoned Order of the necessary authority of the State or Central Government.
  • Such an order can be in force for only 60-180 days.
  • Additionally, a review Committee needs to be set up by the Government which is supposed to review the Orders and regularly take stock and record filings on the validity of such orders.

Thus, these steps only need to be taken in urgent circumstances and not in daily parlance.

Section 5(2) of the Indian Telegraph Act, 1885, permits the government to intercept a message or class of messages in the interest of India’s sovereignty and integrity, security, friendly foreign relations, and preventing the incitement of illegal acts. A Proviso to Section 5(2) indicates that even this lawful interception cannot take place against journalists.

The concept of Privacy has been constantly argued on and emphasized by the citizens as a fundamental right and surveillance and phone tapping done without a reason infringe upon these basic fundamental rights. The right to privacy with respect to surveillance was first argued in PUCL v. Union of India in 1996. PUCL challenged the validity of Section 5(2) of the IT Act, 1885 that permits interception by authorized agencies. Although, the Supreme Court did not strike down the provision as unconstitutional; it emphasized the right to privacy and stated that interception by a public authority should be done on two primary conditions, i.e., ‘public emergency’ and ‘interest of public safety’.

In 2017, the abovementioned judgment was upheld in the Supreme Court in the case of KS Puttaswamy & Anr. v. Union of India & Ors. In this case, the Right to Privacy was declared to be a fundamental right and the Court emphasized the principle that “Privacy is the ultimate expression of the sanctity of the individual”. Additionally, it noted that any restriction on the right to privacy must satisfy the “principle of proportionality and legitimacy”.

None of these scenarios satisfied the need for a surveillance mechanism such as Pegasus and this has, in turn, strengthened the need for a strong Privacy protection regime and a Data Protection Bill that would preserve the rights of the citizens and hold any agency that tries to infringe on these rights, accountable.

Thus, with the advancement of technology, it is easier for governments and private agencies to look into the private lives of individuals. In addition to this, there is no fine line between reasonable surveillance and data collection as the government and other authorities tend to infringe upon these rights on the pretext of terrorism and national security. There is a strong need to provide clarity on existing laws and adopt better laws that would deal with data protection and privacy.

Author: Ankita Sethi – a student of Symbiosis Law School (Pune), currently an intern at Khurana & Khurana, Advocates and IP Attorneys.  In case of any queries please contact/write back to us at sudhanshu@khuranaandkhurana.com.

Leave a Reply

Archives

  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010