Pegasus: Respond, remedy and reform
In his interviews with David Frost after he was forced out of office due to the Watergate scandal, Richard Nixon famously said, in the context of revelations regarding spying on domestic critics, “... when the president does it, that means that it is not illegal”.
This mindset around the executive branch being beyond the law or any form of ethical reproach is now what the Indian Republic has to grapple with and confront in our pervasively digital present.
There have now been multiple rounds of revelations regarding the widespread use of the foreign spyware firm NSO Technologies’ Pegasus hacking suite in India — from initial disturbing information around its possible use to target lawyers, activists, journalists and dissenters to those holding public office in all branches of our government, bureaucrats, Opposition leaders, scientists, whistleblowers and horrifically, their families and loved ones.
The range of those who have been sought to be targeted or actively pursued using the Pegasus spyware suite’s hacking capabilities is shocking. The breadth of this in itself constitutes a surveillance scandal shaking our democracy to its core.
There is now, without question, a crisis of complete impunity with regard to surveillance and digital intrusion in India. These recent spyware revelations should not be read in isolation. There is a wider digital authoritarian trend in our country. This is demonstrated by the massive number of secret censorship and surveillance orders directed to tech firms during the farmers’ protests and, later, during criticism of the government during the second wave of Covid-19. It is also demonstrated by the issuance of the information technology (IT) Rules, with their Orwellian mandates requiring the retention of personal data and the undermining of encrypted messaging.
The Indian government’s possible and suspected use of NSO’s Pegasus spyware paints a picture of lawlessness and State-commissioned cyber destabilisation. Indian law is clear; the deliberate intrusion into digital systems with harmful intent constitutes the crime of hacking under the IT Act. There is no “carve-out” provided to the executive branch under the law. All hacking, including government hacking, is a crime in India.
Private firms that aid government actors in India in hacking have no shield from prosecution or legal liability. NSO has repeatedly stressed that it sells its hack-for-hire services only to governments. And lest we doubt the importance of NSO’s stated words, we need to look no further than the government’s own words in Parliament.
In his remarks this week, newly appointed Union minister for electronics and IT, Ashwini Vaishnaw (himself now revealed to have been a potential target for Pegasus use) relied extensively on the public relations statements and corporate documents of NSO to justify the government’s evasive position.
In his Independence Day address in 2020, Prime Minister Narendra Modi spoke of the importance of protecting Digital India’s information, communication and technology systems and promised that the government would publish and implement a new national cybersecurity strategy to better secure all Indians online. It has nearly been a year. And not only is there no sign of this cybersecurity strategy, we instead see our Union government possibly relying on a global spyware industry that relies on the exploitation of digital security vulnerabilities, putting all digital users at risk, and defending the actions of a hack-for-hire company. And if they have had no dealings, let there be a clear denial — which, strikingly, has been missing.
The people of India now need three things addressed expeditiously — responsibility, remedy and reform.
There needs to be a clear, honest government statement on what interactions Indian government agencies have had with NSO and a disclosure of the officials responsible for that. The government and ruling party should not seek to frustrate the enquiries of Parliament’s Standing Committee on IT or other bodies investigating this issue.
Those directly victimised by NSO malware on their devices or otherwise subjected to being on these targeting lists must receive justice. Officials and NSO representatives must be prosecuted. As investigation and legal proceedings kick off, officials must not be shielded using colonial-era sanction-for-prosecution powers. Judgments and relief must be made in favour of these victims, and the data hacked from them must be destroyed after proper accounting.
Crucially, this must never happen again. India has far too often catapulted from one surveillance scandal to another, without fixing the larger problem. Rather than a watered-down, government-friendly data protection bill, as currently before Parliament, what we deserve is a strong privacy code that includes meaningful reform and controls over surveillance. Indian citizens deserve the same protections and redressal mechanisms that their counterparts in other major democracies enjoy.
All surveillance and data access operations must be sanctioned through independent judicial approval, not by compliant bureaucrats. There must be a robust mechanism to review such intrusive measures, and the ability to challenge them. Government hacking should be presumptively prohibited. An office — whether as part of a privacy commission or separately — must exist that collates all such orders, independently scrutinises the government’s overall measures, and reports on this in an accountable way to Members of Parliament.
We need change, not spin or outright denial of India’s surveillance problem.