The recent news regarding Pegasus, which is a surveillance software developed by an Israel-based cyber security company, has sparked a lot of controversy. This software revealed one of the largest and highly sophisticated cyber attacks that have been directed onto the civilians wherein this spyware was used to gain access to target phones in India. These targets include numerous journalists, opposition leaders, activists etc. The "Pegasus Attack" allegedly violated the privacy of prominent Indian citizens and threatened to destabilize economies all around the world through its highly nuanced features. The primary discussion pertaining to this is the lack of effective national and international laws that exist in order to protect civilians from attacks such as this that cause a threat to the privacy and security of a country and its individuals. This is frightening as this is not the only attack that the world has seen and there have been others albeit smaller cyber attacks that have caused detrimental effects such as NotPetya and WannaCry ransom ware.

The advancement of the pandemic has accelerated and highlighted the increasing need for a virtual and digital world but attacks such as these prove to be a boon to the advancement of technology. The more frightening thing is the lack of an adequate legal standing on this that would primarily fall under the scope of the Information Technology Act, 2000 and the rules and regulations laid down therein. However, concerns regarding the violation of certain fundamental rights conferred upon the citizens also come into play. This is because the software is allegedly used for the purposes of surveillance and espionage, which taps into the devices of individuals, gathers the data contained therein and licenses such data to the government intelligence and law enforcement agencies. According to the developers, this was developed for tracking terrorists and criminals but the recent news reports indicate that this was used by some governments to spy on its citizens. The software has the ability to intercept and transmit various facets of the device including the messages, emails, photos and videos, contacts, calendar, camera, GPS Data etc.

This brings us to the primary issue wherein various human rights and activists' groups have alleged that the spyware is being used for mass surveillance, which is being done by unknown organizations and government agencies with the intention of serving their political motives and curbing any voices of criticism and opposition that have been raised against the government. This is being done without any proper legal backing and leads to a denial of freedom of speech and expression, among other illegal activities. Thus, it is pertinent to understand the basic laws involved in such a scenario.

The Information Technology Act, 2000 is the primary law relating to activities conducted on cyberspace. Section 69 of the Act bestows the Central or State Government with the power to "intercept, monitor and decrypt" any information on a computer resource. This needs to be done for the purpose of protecting the security interests of the country, sovereignty and integrity of India, the security of the State and friendly relations with foreign states or public order or for preventing incitement to the commission of an offence. The IT Rules, 2009 on interception, monitoring and decryption of information provide the meaning of interception, monitoring and decryption. Interception, as per the Rules can be done by any manner including by using interception devices whereas monitoring can be done only by using monitoring devices. Interception and monitoring could also come under the ambit of "hacking", which some experts have claimed Pegasus is. However, software such as Pegasus would not be able to fall under the definition of "interception devices" or "monitoring devices" under the Act. Even so, in order to exercise surveillance powers, there are some conditions that need to be fulfilled as per the Act –

  • Prior written permission needs to be obtained by the relevant government agency by means of a reasoned Order of the necessary authority of the State or Central Government.
  • Such an order can be in force for only 60-180 days.
  • Additionally, a review Committee needs to be set up by the Government which is supposed to review the Orders and regularly take stock and record filings on the validity of such orders.

Thus, these steps only need to be taken in urgent circumstances and not in daily parlance.

Section 5(2) of the Indian Telegraph Act, 1885, permits the government to intercept a message or class of messages in the interest of India's sovereignty and integrity, security, friendly foreign relations and preventing the incitement of illegal acts. A Proviso to Section 5(2) indicates that even this lawful interception cannot take place against journalists.

The concept of Privacy has been constantly argued on and emphasised by the citizens as a fundamental right and surveillance and phone tapping done without a reason infringe upon these basic fundamental rights. The right to privacy with respect to surveillance was first argued in PUCL v. Union of India in 1996. PUCL challenged the validity of Section 5(2) of the IT Act, 1885 that permits interception by authorised agencies. Although, the Supreme Court did not strike down the provision as unconstitutional; it emphasised on the right to privacy and stated that interception by a public authority should be done on two primary conditions, i.e., 'public emergency' and 'interest of public safety'.

In 2017, the abovementioned judgment was upheld in the Supreme Court in the case of K S Puttaswamy & Anr. v. Union of India & Ors.  In this case, the Right to Privacy was declared to be a fundamental right and the Court emphasised on the principle that "Privacy is the ultimate expression of the sanctity of the individual". Additionally, it noted that any restriction on the right to privacy must satisfy the "principle of proportionality and legitimacy".

None of these scenarios satisfied the need for a surveillance mechanism such as Pegasus and this has, in turn, strengthened the need for a strong Privacy protection regime and a Data Protection Bill that would preserve the rights of the citizens and hold any agency that tries to infringe on these rights, accountable.

Thus, with the advancement of technology, it is easier for the governments and private agencies to look into the private lives of individuals. In addition to this, there is no fine line between reasonable surveillance and data collection as the government and other authorities tend to infringe upon these rights on the pretext of terrorism and national security. There is a strong need to provide clarity on existing laws and adopt better laws that would deal with data protection and privacy.

Pegasus And The Law

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.