Background

The recent controversy surrounding the Pegasus Project is one of the most serious threats to the privacy, freedom and dignity of humans across the world. The news created massive chaos in India when the names of some of the potential targets such as journalists, government officials, opposition politicians, activists etc. were revealed to be under the radar of a military grade spyware on their devices1.

The revelations were based on the investigations of France-based media non-profit organisation (Forbidden Stories) and the rights group (Amnesty International), and the report was published by The Wire in collaboration with various international publications including The Washington Post, The Guardian etc. The investigations revealed that the Pegasus spyware [developed by the NSO Group of Israel ("NSO")] infiltrates the target's mobile phone to gain access to device's messages, emails, media, microphone, camera, calls and contacts and then transfers such data to a master server in an unauthorised manner. 

The spyware was first developed in 2016 and since then it has been under the radar of privacy violations around the world. WhatsApp had also sued the NSO group in 2019 alleging usage of an exploit detected in WhatsApp's code to hack around 1400 devices2. However, reports claim that the 2021 avatar of this spyware is more severe with an ability to infect the device with 'zero-click attack', i.e., the spyware does not require any human action to infiltrate any device, even a WhatsApp call can do the trick.

The NSO Group denied the reports of Amnesty International claiming it to be false, uncorroborated, and misleading and stated that the spyware is strictly for the sole use of vetted and approved state administered intelligence and law enforcement agencies only for the purpose of tracking organised criminals and terrorists for prevention of crime and terror3.

The above controversy has raised several legal, privacy and ethical issues and this write-up assesses the right of the regulatory authorities to intercept and monitor devices under Indian laws, alleged use of the Pegasus spyware in India and its validity under Indian legislations.

Applicable Legislations

The Indian Telegraph Act, 1885 ("Telegraph Act") and the Information Technology Act, 2000 ("IT Act") along with the rules framed thereunder are the governing legislations which regulate the interception and monitoring of messages and/or information. We briefly discuss herein the relevant provisions under the aforesaid legislations.

I. Telegraph Act

In terms of Section 5(2) of the Telegraph Act, in the case of occurrence of any public emergency or in the interest of the public safety, the Central Government or the State Government or any officer specially authorized in this behalf by the Central Government or the State Government may inter alia direct the interception of any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph4.

It is pertinent to note that such interception, amongst other things, can be directed by the Central Government or the State Government if it is satisfied that it is necessary or expedient so to do in the interests of (i) the sovereignty and integrity of India; (ii) the security of the State; (iii) friendly relations with foreign states; or (iv) public order; or (v) for preventing incitement to the commission of an offence.

The Indian Telegraph Rules, 1951 ("Telegraph Rules") require that the directions to intercept should be issued only when it is not possible to acquire the information by any other reasonable means. The maximum period of interception to remain in force, unless revoked earlier, should not be beyond a total period of one hundred and eighty days.

II. IT Act

In terms of Section 69 of the IT Act, the Central Government or the State Government or any officer specially authorized in this behalf by the Central Government or State Government may direct any agency of the appropriate Government to inter alia intercept, monitor or cause to be intercepted or monitored any information5 generated, transmitted, received or stored in any computer resource6,7.

Yet again, it is pertinent to note that the aforesaid power to direct inter alia interception and monitoring by the appropriate Government will be exercised if it is satisfied that it is necessary or expedient so to do in the interests of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.

Furthermore, Section 43 of the IT Act provides inter alia for payment of damages in case of any person without permission of the owner or any other person who is in charge, of a computer, computer system or computer network inter alia (i) accesses or secures access to such computer, computer system or computer network or computer resource; (ii) downloads, copies or extracts any data, computer data base or information from such computer, computer system8 or computer network9 including information or data held or stored in any removable storage medium; and (ii) introduces or causes to be introduced any computer contaminant10 or computer virus into any computer, computer system or computer network. If the above acts and omission were undertaken by the person, dishonestly or fraudulently, then such person will also be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Authorizations Required

The Telegraph Rules framed under the Telegraph Act requires that any direction for interception of messages under Section 5(2) of the Telegraph Act would need an order to be passed by the Secretary, Ministry of Home Affairs in the case of the Central Government and by the Secretary in-charge of the Home Department in the case of a State Government, except in certain cases where an order may be passed by Joint Secretary to the Central Government or the State Home Secretary, and/or in an emergency situation by certain other officers provided the interception and monitoring is reported to the competent authority with three days and a post-facto approval is sought for such interception, failing which the interception needs to be ceased.

Similarly, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 ("IT Rules 2009") also prescribe the requirement for an order to be issued by the Secretary, Ministry of Home Affairs in the case of the Central Government and by the Secretary in-charge of the Home Department in the case of a State Government or Union Territory for any direction inter alia for interception or monitoring under Section 69 of the IT Act.

Implementation of Pegasus in India and Breach of Privacy

It is evident from the above discussion that interception, monitoring and decryption of information and data under Indian laws is considered a serious matter and can be undertaken only in specific situations with prior approval of the applicable regulatory authorities. However, neither the Telegraph Act nor the IT Act allows installation of spyware on devices for the purposes of hacking and therefore, no consents can be granted by regulatory authorities for such installation on devises. The unauthorised nature of infiltration of Pegasus spyware in devices, without the consent and knowledge of the target constitutes violation of Section 66 and Section 43 of the IT Act and renders the person indulging in such illegal activities liable to prosecution. In a nutshell, while an interception of any electronic information in any computer resource is permitted if it is undertaken through authorised means discussed above, installation of spyware on systems for hacking cannot be authorised in India.

The IT Act was not drafted to cover the nuances of surveillance by the Government through spyware, however with increased usage of this spyware by governments of various countries for secret acts and its international disclosure, has brought the issue of privacy violation of unsuspecting citizens to the forefront. In India, where the right to privacy is a fundamental right, the implementation of Pegasus spyware outside the parameters of applicable laws and due process appears to be a serious violation. In the matter of People's Union for Civil Liberties (PUCL) vs. The Union of India and Another, the Hon'ble Supreme Court affirmed that telephone tapping infringed the fundamental right to privacy. It also laid down several guidelines for interception which has been incorporated in Rule 419A in the Telegraph Rules and later in the IT Rules 2009. Similarly, the Hon'ble Supreme Court in the matter of KS Puttuswamy v. Union of India has stated that any instance of surveillance must be legitimate, proportionate and necessary.

In the present scenario, since some of the targets of the spyware were reported to be Indian government officials, lawyers, businessmen, activists, journalist etc., they prima facie did not fall under the valid category of interception under Section 69 of the IT Act nor there seemed to be any legitimate and necessary reason to intercept the devices of these targets. Additionally, this matter goes beyond interception/monitoring and relates to installation of a spyware on devices for accessing their stored information and data which is not even authorised under applicable laws. Consequently, the issue has raised serious privacy concerns and breach of constitutional rights in India, protests by opposition parties and stalling of the entire monsoon session of the Indian Parliament. Petitions have also been filed before the Supreme Court seeking a probe into the Pegasus scandal and establishment of an independent expert investigation. The matter is sub-judice and the Hon'ble Supreme Court has issued notice before admission to the Central Government on the issue.

The gravity of the issue and the worldwide rage on the breach of privacy of an individual is understandable. Many governments have initiated probes on this issue. But the silence of the Indian Government on the ground of national security (other than a statement that no interception has been undertaken unauthorisedly) and its refusal to discuss the issue openly during the monsoon session of the Parliament has raised concerns and questions on the involvement of the Government in the 'spygate scandal'. With every new report of updated list of targets in India, there is a genuine concern of severe privacy violation and its ramification on the freedom of Indian citizens and therefore, all eyes are on the ongoing matter before the Hon'ble Supreme Court.

Footnotes

1 Pegasus Project: 155 Names Revealed By The Wire On Snoop List So Far

2 NSO's Pegasus spyware: here's what we know - The Verge

3 Response from NSO Group to the Pegasus Project - The Washington Post

4 The Telegraph Act defines the term 'Telegraph' as "any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means". other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means".

5 Under the IT Act, the term 'information' includes "data, message, text, images, sound, voice, codes, computer programmes, software and data bases or micro film or computer generated micro fiche".

6 Under the IT Act, the term 'computer resource' means "computer, computer system, computer network, data, computer database or software".

7 Under the IT Act, the term 'computer' means "any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network".

8 Under the IT Act, the term 'computer system' means "a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions".

9 Under the IT Act, the term 'computer network' means the inter-connection of one or more computers or computer systems through:

(i) the use of satellite, microwave, terrestrial line, wireless or other communication media; and

(ii) terminals or a complex consisting of two or more interconnected computers or communicated device whether or not the inter-connection is continuously maintained

10 For the purpose of Section 43 of the IT Act, the term 'computer contaminant' means "any set of computer instructions that are designed:

(a) to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network; or

(b) by any means to usurp the normal operation of the computer, computer system, or computer network".

Disclaimer: LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.