India Cyberscandal Triggers Civic Outrage
Opposition politicians, rights groups and others have erupted in outrage over allegations that the ruling BJP government has used Israeli-developed spyware to hack into the phones of hundreds of Indian politicians, government officials, military officers, human rights activists, lawyers and journalists around the world.
The government has been left scrambling after it came to light that Pegasus spyware, manufactured by Israeli cyber arms firm NSO, has been deployed to snoop on select targets. It exploited a bug in the call function of the popular WhatsApp freeware to make its way into the phones of select users, giving it potential access to sensitive information.
What makes the breach murkier still is that NSO Group's customers include governments in West Asia with a dubious reputation for killings and mayhem, including against anti-establishment human rights defenders.
The privacy intrusion, including the WhatsApp data-protection failure and privacy breach, has created a public furor, triggering debate over data security, and has been called a chilling reminder of the dangers to privacy and freedom in an increasingly digital society.
In a pathbreaking 2017 ruling, the Indian Supreme Court declared privacy to be intrinsic to life and liberty and therefore a fundamental right. It is thus extremely important for the government to come clean on its level of involvement in the Pegasus program to help safeguard the privacy of US-owned WhatsApp users in India, currently estimated to be over 400 million.
WhatsApp has confirmed that Indian human rights activists and journalists were among those targeted and that the government asked the company to explain the breach, which targeted Indians among others.
However, the government’s response to the controversy has been far from innocent. In separate statements, Information Technology Minister Ravi Shankar Prasad and the Ministry of Home Affairs have expressed concern about privacy breaches while hinting that this issue is being “politicized” and an attempt is being made to “malign the government.”
The government also declined a direct reply to MP Dayanidhi Maran’s query in the Lok Sabha, the lower house of Parliament, on whether the Centre had used Israeli spy software to access people’s phones by exploiting WhatsApp’s vulnerability. It has also denied purchasing Pegasus software from the Israeli company even though the latter has stated that it sells malware only to registered government entities.
So on whose directions were the journalists and human rights activists spied upon? It is no secret that Indian intelligence agencies have traditionally been misused for political spying by all governments. The late Prime Minister Indira Gandhi’s abuse of the Intelligence Bureau and a slew of wiretap scandals that roiled Manmohan Singh's government besmirched the leading opposition party Congress’s reputation in the past.
However, the ramifications of the Pegasus scandal will reverberate far further, analysts say. It is the first major snooping scandal to hit India that might have global political and diplomatic fallout.
As Pavithran Rajan writes in DailyO, “No nation can function in a cohesive manner after handing over its communication infrastructure to powers beyond its legal writ. In the present instance, state security agencies of the state are now dependent on two foreign entities: WhatsApp and NSO, as well as the US and Israeli security agencies to cover their backs. These agencies will definitely extract a price for the same. India should use this fiasco and address the long-pending privacy debate.”
In India, all surveillance of citizens is carried out under the Indian Telegraph Act, 1885, which, as many legal eagles have pointed out, is archaic and not in touch with the technological advancements of the current digital era. Worse, despite India’s technological advancements, its agencies lack the technical knowledge and wherewithal to legally monitor encrypted chat services like WhatsApp. This vacuum has been exploited by firms like NSO to peddle spyware like Pegasus.
“India’s lawless national security architecture encourages politicians to misuse the covert services, and the intelligence leadership to collude with politicians. The inexorable consequence has been a toxic institutional culture, characterized by mediocrity and the absence of accountability...In not one case, however, has accountability ever been determined, and wrong-doing punished,” wrote Praveen Swami in Firstpost.
A good template to follow to prevent future Pegasus-like misadventures, experts say, is to hew to the EU General Data Protection Regulation which came into force in May 2018. The regulation has established a global template in personal data protection. And India would do well to emulate this example as it seeks to establish a regulatory authority of its own.
The government says it plans to take up the issue of data protection during the current winter session of Parliament. This was reiterated by Information Technology Minister Ravi Shankar Prasad. The bill seeks to regulate the processing of personal data of individuals by government and private entities incorporated in India and abroad. Processing is allowed only if the individual gives consent, or in a medical emergency, or by the state for providing benefits.
However, when the draft bill was released last year, it met with vehement opposition from several global technology companies. Their contention was that it would affect their business in the country, apart from driving up the cost of operations. This put the bill on the backburner.
However, the measure’s fate hangs in the balance as the opposition has boycotted Parliament’s ongoing Winter Session over what it charges are constitutional violations by the NDA government during the recently concluded Maharashtra state elections.
This is unfortunate given the fact that any infringement of fundamental rights can have serious repercussions on the country’s democratic process and legal justice system.
A vibrant privacy and data protection law in an increasingly digitized society, say analysts, is a desperate need. Coupled with legislative measures to make security agencies function within the purview of rigorous laws and professional ethics, it forms the bedrock of a strong society. This is all the more imperative in a country like India, where data protection is at a nascent stage and risks exploitation by ruling powers for vested interests.
The government’s defense – that it is well within its legal rights to snoop on suspicious individuals – thus lacks credibility and seems like a loser’s response to an issue that needs immediate redressal. Such surveillance is meant to track potential terrorists or hardcore criminals, not ordinary citizens. Violating an individual’s fundamental right to privacy through foul means, that too in the world’s largest democracy, is thus tantamount to Constitutional impropriety.
Neeta Lal is a Delhi-based editor & journalist and longtime contributor to Asia Sentinel