The revelations of the so-called ‘The Pegasus Project’ – a co-operative investigative report by a network of international organisations into organised, systematic state surveillance against prominent anti-establishment journalists, Opposition leaders including Rahul Gandhi, activists and other members of civil society in India – marks the most serious encroachment yet into the privacy of individuals by state actors.
According to a report by The Wire, the phones of at least 40 prominent individuals, including human rights activists and lawyers and even a couple of ministers, have been hacked by a spyware called Pegasus, developed by an Israeli firm, NSO. This came to light through a single leaked database, which contained thousands of telephone numbers listed by government clients of the NSO.
The NSO itself has claimed that it sells its spying software only to ‘verified’ government clients. It has further asserted that the leaked list may not be phone numbers targeted by the government but part of a list used by government agencies for other purposes. Nevertheless, as per The Wire’s investigation, the phones of 10 people on the list – including the founding editors of the The Wire – when forensically examined, were found to have been infected with the spyware.
The Centre has, of course, denied the allegations, claiming that there has been no ‘illegal’ surveillance. Home Minister Amit Shah has gone so far as to claim that the leak, timed for a day before the monsoon session of Parliament was scheduled to begin, was an attempt to defame India and disrupt the democratic process. This is pretty much what the government said in 2019 as well, when Pegasus first hit the headlines in India. The revelation that the phone details of 1,400 people, including Congress scion Priyanka Gandhi and a long list of civil society members and journalists critical of the ruling dispensation had been leaked, created a stir.
Messaging platform WhatsApp had twice informed the government, as well as hundreds of users in India, of a potential security breach. At that time too, the government had not denied surveillance but had only asserted that there had been no ‘unauthorised’ taps. That quasi-denial raises more questions than it answers, since India has no data privacy laws and the process of state-sanctioned spying on citizens is both opaque and has been prone to misuse. While the process calls for a senior bureaucrat to sanction the surveillance, experience has shown that the reason for such spying is not questioned rigorously and sanctions are given as a matter of routine. The process is neither sanctioned by a judicial authority or court, nor is it subject to judicial review.
While virtually every government in the world has massively upped surveillance of its citizens in the post 9/11 world in the name of national security and combatting terrorism, the kind of technology made available by companies like NSO – Pegasus can access calls, chats and messages, (even on end-to-end-encrypted platforms like WhatsApp), contacts, passwords, browsing history, as well as the microphone and camera which can be operated remotely – makes the need for due process and rigorous checks and balances even more urgent.
The Centre must come clean on whether it has either directly acquired, or authorised one of its agencies to acquire, the software. NSO has consistently claimed that it only sells to ‘vetted’ governments and military customers. The sheer cost – each licence costs millions and is for only 50 numbers, while it can cost up to $100,000 (over Rs 74 lakh) per active target – points to either the state or an entity with very deep pockets indeed. NSO has also said that the leaked dataset of 50,000 numbers globally may be for other purposes, perhaps a list of potential targets. However, the list does show a pattern of those who are critical of the current establishment being targeted.
Even without sophisticated software like Pegasus, the Indian state has used digital surveillance and phone taps routinely to keep tabs on persons of interest to it. An RTI query in 2013 had revealed that the government ordered 7,500 to 9,000 orders a month for wiretaps. There is no evidence to show that this has come down in any way. If anything, the ruling dispensation has made no secret of its distrust of the media and has repeatedly sought to control media narratives. It is therefore, not surprising that a significant number of persons figuring in the Pegasus leaks happen to be journalists.
All such surveillance intrudes on the right to privacy, the right to freedom of speech and personal liberty guaranteed under Articles 19 and 21 of the Constitution. The existing laws offer little protection to those whose privacy is invaded and offers no right of redressal. By vesting the process entirely with the executive arm of the government, without any judicial sanction or review, it also over-empowers the executive. Our current laws on surveillance, the Telegraph Act and the IT Act need to be modified to cover surveillance, state sanctioned or otherwise.