Dear Standing Committee, We Have Some Questions on Pegasus

We wrote to the Standing Committee on IT with questions for the MHA, MeitY and MoC related to the Pegasus revelations.

23 July, 2021

tl;dr

On July 28, 2021, the Standing Committee on Information Technology will be having its sitting on the subject ‘Citizens’ data security and privacy’. In light of the revelations related to the Pegasus spyware that have been made since July 18, 2021, we wrote to the Standing Committee with specific questions for the Ministries of Home Affairs (MHA), Electronics & Information Technology (MeitY) and Communications (MoC).

The Pegasus revelations

On July 18, 2021, The Wire, as part of an international collaborative investigation titled “Pegasus Project”, revealed that the Israeli spyware firm NSO targeted “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others” through their spyware, Pegasus. The revelation was made on the basis of a leaked database accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International, which contains the list of numbers believed to have been targeted by NSO. NSO, according to its own website, sells exclusively to vetted government clients.

Subsequent reporting by The Wire and the Washington Post revealed that forensic analysis conducted by Amnesty International's Security Lab definitively showed that the Pegasus spyware had been used to target 37 phones, of which 10 belonged to Indians. While the leaked database contained the phone numbers of over 40 Indian journalists, the Security Lab was able to confirm that the Pegasus spyware was used to compromise the phones of former Indian Express journalist Sushant Singh, former EPW editor Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu. The NSO Group asserted that the leaked database did not represent any list of numbers that were targeted by governments using Pegasus, and suggested that such a database may be accessed by its customers for ‘other purposes’.

Use of the Pegasus spyware was first reported in India in 2019; however, even after repeated requests to investigate its use in India, we did not gain any further insight into this issue. In 2019, the spyware was installed through a missed call on WhatsApp, after which complete access to the smartphone could be gained. Since then, however, NSO has advanced Pegasus to the extent that infections can now be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. Once Pegasus has been installed on the mobile device, it can harvest SMS messages, address books, call history, calendars, emails and internet browsing histories as well as gain access to and extract any files on the device.

What did the government say?

In response to these allegations, the Hon’ble Minister for Electronics & IT Ashwini Vaishnaw, in a statement made before the Lok Sabha, said that, “In India, there is a well established procedure through which lawful interception of electronic communication is carried out…” and “the time tested processes in our country are well-established to ensure that unauthorised surveillance does not occur.” (Read his entire statement here and our line by line verification of the statement here)

However, the Minister has not explicitly denied that the Government of India has acquired Pegasus or that its use was authorised by the Government itself. Here it is important to note that no such power to hack the phones of Indian citizens exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under S.66 of the Information Technology Act, 2000.

The Ministry of Home Affairs (MHA) is tasked with the maintenance of internal security. The current surveillance provisions allow the Central Government to temporarily intercept calls and/or messages in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence. However, if such tools have indeed been deployed, the burden of providing evidence to show that such thresholds are met lies with the government. If such aggressive and powerful tools for hacking have been deployed by the Government of India, then a question arises as to the legal framework under which these tools are being deployed. However, if such tools have been deployed by an external actor, then this too is a matter of grave concern. Important public figures are reported to have been affected by this attack, including current Cabinet Ministers and opposition politicians, and so this would constitute a grave assault on the privacy of the citizens of India as well as their digital safety.

Similarly, the Ministry of Electronics & Information Technology (MeitY) is responsible for ensuring a safe and secure cyberspace for India. The Ministry of Communications (MoC) is responsible for ensuring secure telecommunications facilities to all the citizens of India. If the alleged attack has indeed taken place, this would constitute a significant lapse of duty.

Section 69 of the Information Technology Act, 2000 allows the government to intercept, monitor or decrypt information. However, certain limitations are imposed on the exercise of such powers. These powers may only be exercised in case it is expedient to do so in the interest of the sovereignty or integrity of India and it is incumbent upon the government to provide the evidence to demonstrate that such a situation does indeed persist. Additionally, requests for interception can only take place on the basis of an order from the competent authority, which must then be reviewed by an appropriately constituted Review Committee. Orders for interception must also specify a specific timeframe (up to sixty days) for which such orders may be extended, but the total period for which the order for interception may be in force cannot exceed 180 days. The intermediary hosting the information in question must also be notified, and must send an acknowledgement of the receipt of the order to intercept information.

In case the alleged attack was conducted by an external actor, it must be questioned why such a heinous attack on the cyber security of Indian citizens was allowed to take place. The matter must be investigated by the Indian Computer Emergency Response Team (CERT-IN) with extreme prejudice.

We sent our questions for the Government to the Standing Committee on Information Technology

The Standing Committee on Information Technology will be having a sitting on the subject of “Citizens’ data security and privacy” on July 28, 2021. This is an extremely timely intervention into the entire Pegasus revelations and mindful of the importance of this sitting, we have sent a letter to the Committee with certain questions for the MHA and MeitY & MoC.

Therefore, we pose the following questions for the MHA:

  1. Has the MHA or any agency under the Ministry procured the Pegasus software? What were the financial considerations?
  2. Has the MHA deployed the Pegasus tool? Since hacking is a criminal offense as per Indian law, how is the use of Pegasus being authorised in India?
  3. If such tools have indeed been used, were these surveillance requests issued and reviewed by competent authorities?
  4. If orders for interception and monitoring have been issued, what is the time period for which such orders were in force? To which intermediaries have such orders been sent?
  5. Is the MHA contemplating conducting an investigation into possible origins of the alleged attack?
  6. What are the steps that are being taken to ensure that such violations of the fundamental rights of an Indian citizen are not repeated and that the digital safety & security of Indian citizens are not compromised?
  7. Has the MHA sent any questionnaire to the NSO Group and sought specific disclosure from them?

Additionally, we posed the following questions for the MeitY and the MoC:

  1. Were the MeitY and/or MoC or any agency under the ministries involved in the procurement of Pegasus by the MHA and/or any other agency/authority of the Government of India?
  2. Has the MeitY and/or MoC deployed the Pegasus tool? Since hacking is a criminal offense as per Indian law, how is the use of Pegasus being authorised in India?
  3. If such tools have indeed been used, were these surveillance requests issued and reviewed by competent authorities?
  4. If orders for interception and monitoring have been issued, what is the time period for which such orders were in force? To which intermediaries have such orders been sent?
  5. Is the CERT-IN contemplating conducting an investigation into possible origins of the alleged attack?
  6. What are the steps that are being taken to ensure that such violations of the fundamental rights of an Indian citizen are not repeated and that the digital safety & security of Indian citizens are not compromised?
  7. Has the MHA sent any questionnaire to the NSO Group and sought specific disclosure from them?

IFF will continue to fight for your privacy!

The Pegasus revelations have shocked the country by demonstrating how developments in technology are failing to keep up with the democratic ideals of the past. In our initial statement on the issue, we asked the Government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security as well as to introduce legislative measures in Parliament to uphold the Right to Privacy decision of the Supreme Court of India recognising privacy as a fundamental right. We will continue to fight for your rights and keep you updated on the further developments on this issue.

Important Documents

  1. Letter to IT Standing Committee on Pegasus Attacks dated July 22, 2021 (link)
  2. IFF’s Statement on Hacking Revelations made by the Pegasus Project dated July 19, 2021 (link)



