Israel based technology firm NSO Group has produced the spyware ‘Pegasus’, named after the mythical creature – a horse with wings. Symbolically contrasting with the common Trojan Horse malware, Pegasus’ name represents two things – one, the ability of its transmission ‘through the air’, and two, the magnitude of its intrusion. The NSO Group officially states that Pegasus, graded as a cyberweapon, is exclusively sold to Government intelligence and law enforcement agencies to fight terror and crime.
A recent investigation called the ‘Pegasus Project’ by Forbidden Stories and Amnesty International, and the subsequent technical analysis by the Citizen Lab has confirmed the presence of Pegasus in the devices of various suspected targets around the world. A collaborative investigation carried out by international news organisations, along with the Indian news agency The Wire, reported the same on July 18, 2021. The list of potential Indian targets includes not only journalists and academicians, but also figures of authority at the highest echelons – including bureaucrats, ministers, and a supreme court judge. Updating revelations regarding potential and confirmed targets can be found here.
The fact that Pegasus is officially sold exclusively to government intelligence agencies has raised concerns of a foreign government being involved, making it a national security issue. Moreover, it has also resulted in scrutiny of the central government, given that the potential and confirmed targets consist mainly of anti-establishment journalists and political rivals, making it a privacy issue since installation of malware amounts to hacking which is illegal under the Information Technology Act, 2000. The Central Government’s response and the Minister of Electronics and Information Technology’s statement in the parliament denied these allegations by mentioning the established procedure for authorized surveillance. The developments on the government’s response can be found here.
This post collates a Reading List to provide readers with informative links which can provide a holistic perspective to the issue, including the factual context to Pegasus Project, and its implications on surveillance and privacy jurisprudence in India.
What is Pegasus?
David Pegg and Sam Cutler, What is Pegasus spyware and how does it hack phones? The Guardian (18 July 2021): This article discusses the details of the origins of the spyware, how it attacks targets and the level of its intrusion.
Dana Priest, Craig Tinberg and Souad Mekhenet, Private Israeli spyware used to hack cell phones of journalists, activists worldwide, Washington Post (18 July 2021): This article provides an overview of the Pegasus Project, and addresses its impact on a more global scale.
Amnesty International, Forensic Methodology Report: How to catch NSO Group’s Pegasus (July 18, 2021): This report explains the detailed forensic methodology of how traces of the Pegasus spyware was confirmed on devices.
The Citizen Lab, Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware (July 18, 2021): This review independently analyses the forensic report released by Amnesty International and confirms its findings.
The Citizen Lab, Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit (December 20, 2020): This report breaks down how the Pegasus software is used to attack the iOS software and confirms the presence of Pegasus in various international journalists’ devices.
NSO Group, Pegasus Product Manual: This marketing template gives the product description of the Pegasus spyware. It explains the data collection and transmission methodology as well as system set-up, maintenance etc.
Global Freedom of Expression (Columbia University), WhatsApp Inc. v. NSO Group Technologies Ltd (July 16, 2020): The United States District Court for the Northern District of California held that the lawsuit filed by WhatsApp and its parent company Facebook for alleged breach in over 1500 devices using the Pegasus spyware, may proceed against the NSO Group. The latest developments in this case can be found here.
Pegasus in India
Pegasus Project: How Phones of Journalists, Ministers, Activists May Have Been Used to Spy on Them, The Wire (18 July 2021) : This article highlights the Pegasus controversy in the Indian context. Updating developments regarding potential Indian targets and allegations against the government for misuse of surveillance apparatuses can be found here and here.
Vrinda Bhandari, Interview: ‘Facebook cannot arrest me. That’s why Pegasus is much more dangerous than Big Tech’, Scroll.in (July 22, 2021): In this Interview, Vrinda Bhandari talks about the Pegasus controversy in light of the distinction between authorized surveillance and hacking.
Shruti Dhapola, Explained: What is Israeli spyware Pegasus, which carried out surveillance via WhatsApp?, The Indian Express (November 1, 2019) : This explainer elaborates on the Pegasus controversy, and alleged targeting using WhatsApp in 2019, before the 2021 Pegasus Project leaks.
Nihalsingh Rathod, Indian Activists, Lawyers Were ‘Targeted’ Using Israeli Software Pegasus, The Wire (October 31, 2019) : This article discusses the involvement of the spyware in the Bhima Koregaon Case.
Vrinda Bhandari, The Pegasus Case Must be Used to Press for Change in Surveillance Laws, The India Forum (August 6, 2021): In this piece, the author argues why the Personal Data Protection Bill is inadequate to address state surveillance and locates the need for adequate legislation to address the same with reference to the Pegasus controversy in India.
Surveillance, Laws and Privacy Jurisprudence.
Neil M. Richards, The Dangers of Surveillance, Harvard Law Review (2013): This scholarly article elaborates upon the various effects of surveillance on citizens, questions the legitimacy of secret or total surveillance and the (in)acceptability of unauthorised data collection by the Government.
Apar Gupta, Balancing Online Privacy in India, The Indian Journal of Law and Technology (2010): This paper focuses on interception and monitoring of data under the Information Technology Act and identifies the institutional limitations of the privacy regime still relevant to our present context.
Communications Surveillance in India, SLFC.in (2014): This report is a compendium of the various legal and procedural frameworks regarding surveillance in India. It also elaborates upon the procedure of procuring and reviewing a lawful order for authorised surveillance.
Gautam Bhatia, State Surveillance and The Right to Privacy in India: A Constitutional Biography, National Law School of India Review (2014): In this piece, Gautam Bhatia traces the history of Judgements regarding privacy and evolving jurisprudence in India. He locates the right to privacy within Article 21 of the constitution and extensively analyzes the compelling state interest doctrine.
Chaitanya Ramachandran, PUCL v. Union of India revisited: why India’s surveillance law must be redesigned for the digital age, NUJS Law Review (2014): This paper explores the jurisprudence of PUCL Judgement and accounts for various other mass surveillance programmes used by the Indian government.
Chinmayi Arun, Paper Thin Safeguards and the Right to Privacy in India, National Law School of India Review (2014): This piece traces the evolution of the Right to Privacy jurisprudence in India, discusses the inadequacy of the same and argues for effective safeguards dealing with mass surveillance by the state.
Bhairav Acharya, The Four Parts of Privacy in India, Economic and Political Weekly (2015): This piece identifies the theoretical foundations of the Right to Privacy, and distinguishes between different variants of the right, namely privacy necessary for press freedom, privacy from state surveillance, privacy as decisional autonomy and informational privacy, which were 2 years later recognised as part of the Right to Privacy under Article 21 in the KS Puttaswamy v. Union of India Judgement.
Vrinda Bhandari and Renuka Sane, Towards a privacy framework for India in the age of the Internet, SSRN (November 3, 2016): This working paper provides conceptual arguments for enacting an overarching privacy law applicable to both state and private entities, and argues for utilising the privacy principles of the Justice Shah Report as a foundation for such legislation.
Anirudh Burman, Will India’s Proposed Data Protection Law Protect Privacy and Promote Growth, Carnegie India (March 2020): This working paper extensively analyses the features of the Personal Data Protection Bill, compares these features with the General Data Protection Regulation and addresses the inadequacy of the same in protecting privacy interests of the citizens by government agencies.
Ministry of Electronics and Information Technology, The Information Technology Act, 2000: Section 43 and 66 read together provide for hacking, while Section 69 provides for interception.
Ministry of Electronics and Information Technology, Personal Data Protection Bill 2019: The Bill is India’s first all-encompassing cross-sectoral data protection law, and is currently under review by a Parliamentary Committee.
Ministry of Electronics and Information Technology, White Paper of the Committee of Experts on a Data Protection Framework for India : In context of Right to Privacy as expounded in the case of Justice K. S. Puttaswamy vs Union Of India, this paper studies various issues relating to data protection in India and makes specific suggestions on principles underlying a data protection bill.
Ministry of Electronics and Information Technology, Justice BN Krishna Committee Report on Draft Personal Data Protection Bill, 2018: This paper gives recommendations to strengthen a free and fair digital economy, protecting privacy and empowering citizens.
National Security Concerns
Harriet Moynihan, The Application of International Law to State Cyberattacks, Chatham House (December 2, 2019): This multi-chapter piece identifies sovereignty in the arena of cyberspace and addresses the issue of espionage within international law.
David Kaye, Surveillance and Human Rights, Report of the Special Rapporteur (May 28, 2019): This document addresses the ‘transaction’ aspect of the issue, among various other things, argues for moratorium on the export of targeted surveillance technologies and explores the obligations of Governments using the same.
Mahima Balaji, Business as Usual: The Rise of Private Military Companies and the Laws of War, Jindal Forum for International and Economic Laws (September 20, 2020): This piece elaborates upon the increasing influence of transnational corporations operating in the cyber-sphere and how the international humanitarian law’s conception of territoriality makes it inadequate to address the issue.
Sharngan Aravindakshan, The Pegasus Hack: A Hark Back to the Wassenaar Arrangement, Centre for Communication Governance (December 4, 2019): This piece locates the broader issue of Government acquisition of cyberweapon technologies from private entities in context of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (1996).
Michelle Bachelet, Statement by UN High Commissioner for Human Rights (July 19, 2021): This statement from the United National Office of the High Commissioner for Human Rights, given by Michelle Bachelet, the High Commissioner, urges Governments to cease use of surveillance technologies in a manner that violates human rights.