Right to Privacy: Examining the Pegasus Virus Controversy

By Nilesh Mani Singh (4th-year law student pursuing B.A.LL.B.(Hons.) at Gujarat National Law University, Gandhinagar, Gujarat)

Image Source: https://beebom.com/what-is-pegasus-spyware/

The Origin of Pegasus

It is crucial to understand what Pegasus is before delving into its history. Pegasus is a spyware created by the Israeli cyber-intelligence firm called NSO Firm which was founded in 2010. A very simple question here is, what is a spyware? And how has this particular spyware stirred the whole world? Spyware is any computer program that installs itself without your knowledge or consent, then starts covertly monitoring your online activity. Spyware is a sort of software that covertly gathers information about a person or company and sends it to outside parties. This spyware was created specifically to eavesdrop on mobile devices and gather their data. It has been extremely controversial for following politicians, government officials, human rights activists, and journalists before it gained notoriety for the purported data breach. NSO Firm asserted that its malware was only distributed to government security and law enforcement organizations, and that it was used to support rescue operations and deal with criminals. Given that it can function on the majority of Android, iOS, Blackberry, Windows Phone, and Symbian operating systems, the viability of this malware is noteworthy. The biggest grey area of its capabilities is that it can be installed covertly without the device owner’s knowledge. Additionally, this malware can follow a user’s location, read texts, record calls, collect passwords, take pictures, and gather other data. Pegasus has been used by both democratic and totalitarian countries to collect data by utilizing the camera, microphone, and other apps on their target devices. The technique used by Pegasus is called the “Zero-click” technique to take over the devices, which means that no action on the part of the phone owner is necessary for Pegasus to access the system. A device can be infected by Pegasus even via a message or a call through WhatsApp or another service, as opposed to social engineering approaches that demand the user to click a link or visit a website that covertly installs the virus. This spyware’s capabilities don’t end there; it may also self-install if a user deletes the message and misses or ignores the call. Once, inside a device, Pegasus has complete access to all of the data and apps on it, including SMS messages, emails, photographs, contacts, calendars, GPS information and logs. The malware can even access sensitive and private data and information. Pegasus hacks the devices via the “jailbreaking” process for iPhones and the “rooting” method for Android phones. This gives the person who installs it the ability to further alter the phone. The phone’s built-in security features are virtually disabled.

Right to Privacy and Upsurge of Pegasus in India

The concepts of privacy and the right to privacy are difficult to understand; privacy is based on the idea of fundamental rights and typically adapts to new information and communication technologies. The right to privacy is our ability to maintain a space around us that incorporates all of these aspects of who we are. The right to privacy allows us to decide which portions of our domain are accessible to outsiders and to manage the quantity, format, and timing of the information we desire to disclose. In this regard, the upsurge of the Pegasus virus in India came as a big blow to Indians and the grey area of the right to privacy. The rumors about the tracking of Indian personal devices via Pegasus malware first surfaced in July 2021. During this time, information on an effective Israeli spyware program developed by the Israeli cybersecurity company NSO Group was made public. It is thought to have been used to target mobile devices belonging to citizens of India and a few other countries. According to sources, the NSO-produced Pegasus spyware targeted the phones of political leaders in countries including India, the United Arab Emirates, Saudi Arabia, Mexico, Morocco, and Hungary, as well as those of heads of state, lawyers, activists, and journalists. The Pegasus virus attack has also raised questions about how technology companies should be maintaining the right to privacy. The NSO Group, the company that created the spyware, has come under fire for selling it to governments and law enforcement agencies without the proper protections and oversight. The company is accused of violating international law and encouraging human rights abuses.
The explanation above makes it clear that, according to Indian law, intercepting, monitoring, and decrypting information and data is a serious subject that should only be done under certain circumstances with prior clearance from the relevant regulatory authorities. However, neither the Telegraph Act nor the Information Technology Act permits the installation of spyware on devices for hacking purposes, therefore regulatory authorities are unable to give their approval for such installations on devices. The illegal nature of installing Pegasus spyware on targets’ devices without their knowledge or agreement violates Sections 66 and 43 of the IT Act, making those responsible for such actions liable for legal action in India. However, with the increased use of this spyware by governments of various countries for covert actions and its international disclosure, the issue of privacy violation of unknowing citizens has come to the fore. The IT Act was not designed to cover the nuances of government surveillance through spyware. The use of Pegasus spyware outside the bounds of existing laws and due process looks to be a significant infringement in India, where the right to privacy is a fundamental right. The Hon’ble Supreme Court confirmed that telephone tapping violated the basic right to privacy in the case of People’s Union for Civil Liberties (PUCL) vs. The Union of India and Another. Additionally, it established several interception guidelines that were ultimately integrated into the 2009 IT Rules and Rule 419A of the Telegraph Rules. Similarly, the Honourable Supreme Court ruled in the case of KS Puttuswamy v. Union of India that any form of monitoring must be appropriate, required, and proportionate.

A Way Forward

People need to awaken from their deep sleep as the ground realities are changing very swiftly. States are likely to become more powerful in this new world order, and individual digital libraries are likely to be vulnerable to attack. This makes it much more important to have the proper checks and balances to safeguard the enjoyment of digital libraries in a situation like this. Additionally, more and more parties involved must be aware of the ongoing risks that spyware poses to the security of their digital rights, privacy, and freedom. Building up our defenses against these looming privacy threats becomes a crucial factor for digital stakeholders to take into account. To explicitly ensure the golden balance between maintaining the sovereign rights of the government and defending the digital rights and liberties of people, legal frameworks need to be adjusted as necessary.
More importantly, it is now necessary to make more efforts through legal and regulatory methods to create adequate checks and balances to stop the abuse of interception-related capabilities.
In conclusion, the Pegasus spyware scandal has highlighted the need for stricter data security laws and transparency regarding Indian government surveillance practices. The proposed Personal Data Protection Bill is a step in the right direction, but it still has to be improved to ensure that no unauthorized surveillance or data collection violates people’s right to privacy. Only after that will India be able to state with certainty that it upholds the principles of democracy and individual freedom.