The Pegasus Spyware controversy has been a huge talking point in India over the course of the past week. The issue raised several important questions on privacy of the common man and surveillance by the government. Notwithstanding the vehement denial by the Indian government of the allegations made, the spyware continues to remain a hot topic for discussion and debate.
What is the Pegasus spyware?
Pegasus is a spyware (a software that enables transmission of data from one device to another) that is used to look into mobile phones and handsets. It was developed and is being operated by an Israel-based technology firm and surveillance company NSO Group. The company, through the Israel Ministry of Defence, licenses and exports the software. However, it does so only to governments and government agencies and not to private parties.
How did the allegations come about?
There were various news reports from top media agencies around the world like Forbidden Stories, Amnesty International, Washington Post, and The Guardian that the Indian government had used the Pegasus software to snoop into the handsets of journalists and politicians. It was all said to have begun in 2017 with PM Narendra Modi’s trip to Israel.
How did the Indian government respond?
The Indian government vociferously denied the allegations and through various statements and verbal responses said that they never used the software with some stating that the allegations were all part of a conspiracy.
Relevant provisions of the Information Technology Act, 2000
Whether or not the Indian government used the Pegasus software is something that is not known at the moment and in fact, might never be known. However, it is essential to look at how Indian laws govern a situation where such spywares are used by the government. If the government had indeed used Pegasus, these legal provisions would be extremely crucial and relevant.
The entire situation falls under the ambit of cyber crimes and hence, it is theInformation Technology Act, 2000 (hereinafter referred to as ‘IT Act’) which will govern it. First and foremost, the important section is Section 69 which deals with intercepting, monitoring or decrypting data from a computer resource by the government. It states that the government can make a request and issue directions for surveilling an electronic device only if it is “necessary or expedient to do in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence”. These reasons must also be recorded in writing. Further, in order for a request for surveillance to be made, approval from a senior police official as well the Home Secretary and Cabinet Secretary must be obtained.
So with regard to Section 69, although the Government can come up with arguments (hypothetically if they are found to have snooped) with regard to the surveillance being necessary, the due process was most probably not followed. The aforementioned arguments are also bound to be quashed because of the sheer amount of handsets that were allegedly snooped into.
Notwithstanding the provisions of Section 69, another important aspect to consider is that using spywares in itself is a cyber crime under the IT Act. Therefore, Section 69 wouldn’t even come into picture when the mode of surveillance used is illegal. Sections 43 and 66 of the IT Act make it very clear that engaging in acts such as those done by spywares is prohibited. While the former states that various acts including accessing and extracting data without permission of the owner are illegal, the latter specifies punishments for the same. Therefore, surveillance by the government using spyware (if it had been done) is illegal as it contravenes provisions of the IT Act.
Whether or not the government engaged in surveillance using the Pegasus software is unknown at the moment. The likelihood of it having happened or not happening is a different kettle of fish that is irrelevant to the discussions on law. But the fact of the matter here is that the IT Act did not envisage a scenario such as this and there could be more clarity in the Act regarding usage of spywares as well as government surveillance. Further, it is the duty of the government to ensure that rights of the citizens of the country are not abrogated. The famous Justice Puttaswamy case judgment led to privacy being recognized as one such fundamental right and the government must ensure that the right is upheld and preserved at all costs.