The Revelation of A Cyberespionage: The Pegasus Controversy

By Sanjeevani

Introduction

Ever thought twice before scanning a QR or giving an OTP? or wondered before picking an unknown call?  Cyber security remains to be a worldwide concern these days. In the covid menace, where livelihoods have halted, people are entirely dependent on their mobiles from education to paying bills, an Israel-based cyber – surveillance company has been alleged to use the device for tracking sensitive data. 

A startup NSO, initiated by Niv, Shalev, and Omri has been known for a while now due to its owned spyware Pegasus which has been credited with remote zero-click surveillance. Its roots can be traced back to 2010, nonetheless, it has come to light recently after 17 prominent media houses released a report in which NSO sold its spyware to various state and non – state actors who have used it to extract sensitive data from the mobile phones of journalists, influential businessmen, lawyers, and various political leaders. The list includes countries like Morocco, the USA, India, UAE among others.  Indian opposition politicians namely Rahul Gandhi and IT minister Mr. Ashwini Vaishnav have also been made a virtual target. NSO has been adamant to share the details of the purchasers of Pegasus. Its first contract to sell the spyware is suspected to have been with Mexico but as of now, as the company terms, many “vetted governments” have bought the espionage software from the company. The issue has been investigated by the consortium of media outlets which has also released a list of about 50,000 leaked contact numbers. 

Mechanism

The remote zero-click surveillance setup that the spyware uses can attack both android and IOS smartphones through a WhatsApp voice call or a link address and convert them into surveillance hotspots. As the name indicates, the spyware doesn’t need the receiver’s command or any active involvement, it can harm the data through the mere presence of malicious external links. The flawed updates and vulnerabilities which are left uncatered in a mobile device facilitate the path of the spyware to get Installed in a device. Once it is installed, it can control the activities of the device as much as the device’s owner.

An Infringement of Human Rights

Such cybersecurity hacks are a clear infringement of the privacy of an individual. The case in hand also points fingers towards the state’s government as a major stakeholder behind the taping of the mobile phones of various opposition leaders and also some human rights activists. Also, the cost of the spyware is high enough not to be borne by individual identity, this also puts the blame on the Centre for spying over its citizens and evading their privacy.

The issue in hand has various legal aspects attached to it. The cyberweapon infringes Section 69 of the Information Technology Act, 2000 (IT Act). The IT act defines hacking which is termed as the entry of a contaminant or a virus into a system. No exception has been granted in the name of national security. Section 5 (2) of the telegraph act 2007 provides for phone tapping for the sole purpose of messages, the provision has been expanded in its practicality recklessly since then. Such breaches need to be catered to with a strong hand and its scope must be limited to avoid transmission and disclosure of messages.  Interception should be treated as a one-time task when required in the name of national security or some serious breach. spyware like Pegasus opens a window to use a device as a permanent web camera into a person’s private and professional space. In exceptional cases, a specified process has been provided under section 419(a) of the telegraph act which also hasn’t been followed with due diligence by the government. Hacking of phones using the Pegasus spyware constitutes a criminal offense punishable under Sections 66 (computer-related offenses), 66B (punishment for dishonestly receiving stolen computer resource or communication device), 66E (punishment for violation of privacy), and 66F (punishment for cyberterrorism) of the IT Act, punishable with imprisonment and/or fine.
The right to privacy has been enshrined as a prime fundamental right under article 21 of our constitution. Various precedents have been set up by the judiciary in cases like KS puttaswamy and ANR vs. UOI 2018 where the court elaborated that the infringement of the right to privacy can be made by both states as well non-state actors. An articulation of the test of proportionality was also made by the supreme court in OM Kumar vs. UOI 2000 where the courts directed to the further use of the doctrine which was in place since 1950, to balance and test the reasonability of the restrictions posed by administrative actions on the people. Various rules like personal data protection bills of 2018 and 2019 have also been formulated in this regard.

The use of Pegasus has also curbed the right to freedom of speech and expression of various journalists and activists. At a stage when the security of whistleblowers in the country is already at stake with no proper act in place, such activities have led to further degradation in the democratic process that forms the roots of a country like India. In the case Anuradha Bhasin vs. UOI 2020, the honorable court stated that the livelihood of man overlaps with the use of the internet, so the right to free internet is to be covered under part three of the constitution and forms a basic element of fundamental rights. The right to the internet has been linked with various other rights such as the right to education A21(a) and the right to trade and freedom of profession A19(1)(g) p provided in the constitution.  

Conclusion

  Considering the gross violations of the basic human rights that the spyware makes, it’s unethical illegal, and unconstitutional to use technologies like this to intercept the lives of people. The furthermore challenge of anonymity that the malware poses makes it difficult to trace the actual users of Pegasus. The spyware also poses a challenge to overhaul the shaky surveillance security in the country so that the state and non-state actors are not able to misuse technology under the veil of targeted electronic surveillance which has been provided a legal sanction in India. The regulating mechanisms in the country should be restrictive and in a tiered mechanism so that adequate checks can be carried out and no malicious activities are conducted by merely taking the defense of national security or public order.