IFF’s Statement on Hacking Revelations made by the Pegasus Project

On July 18, 2021, The Wire, as part of an international collaborative investigation titled “Pegasus Project”, revealed that the Israeli spyware firm NSO targeted “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others” through their spyware, Pegasus. The revelation was made on the basis of a leaked database accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International, which contains the list of numbers believed to have been targeted by NSO. NSO, according to its own website, sells exclusively to vetted government clients.

Subsequent reporting by the Wire and the Washington Post revealed that forensic analysis conducted by Amnesty International's Security Lab definitively showed that the Pegasus spyware had been used to target 37 phones, of which 10 belonged to Indians. While the leaked database contained the phone numbers of over 40 Indian journalists, the Security Lab was able to confirm that the Pegasus spyware was used to compromise the phones of former Indian Express journalist Sushant Singh, former EPW editor Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu. The NSO Group asserted that the leaked database did not represent any list of numbers that were targeted by governments using Pegasus, and alluded that such a database may be accessed by its customers for ‘other purposes’.

According to ANI, the Government of India, in response to a questionnaire sent by the Pegasus Project stated that, “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”. The response also mentioned that in India there is a well established procedure for lawful interception of electronic communications under S.5(2) of the Indian Telegraph Act, 1885 and S.69 of the Information Technology Act, 2000 which ensures any interception, monitoring or decryption carried out is done as per the due process of law. Read the GOI’s full response here.

Here, we would like to emphasise that this response by the Government is insufficient and fails to respond conclusively to the detailed reporting by the Pegasus Project. Further, no such power to hack the phones of Indian citizens exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000 and it is only through such hacking that the Pegasus spyware can be used against a person.

This revelation reveals a need for urgent surveillance reform to protect citizens against the use of such invasive technologies which hamper their fundamental right to privacy and threatens the democratic ideals of our country. Use of such surveillance technology on journalists leads to a chilling effect as it precludes them from working and reporting on sensitive matters, some of which may also be against the ruling government, without jeopardising themselves and the personal safety of their sources. It also stops human rights defenders from working with vulnerable people, some of whom may have been victimised by their own government, without opening them up to further abuse.

We call on the Government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security. Legislative measures must be introduced in Parliament to uphold the Right to Privacy decision of the Supreme Court of India recognising privacy as a fundamental right. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens.

Over the next few weeks, we at IFF will attempt to reach out to any victims of illegal surveillance in India and we will make every attempt to ensure that they can access the legal system to seek redress. We will also examine avenues for further engagement with all branches of government - legislative, executive and judicial- to advance our ongoing work on surveillance reform. This would also involve furthering our work on data protection legislation, including advocating for comprehensive data protection frameworks such as a private member’s bill by Dr. Ravikumar titled the Personal Data and Information Privacy Code Bill, 2019, which if enacted may help prevent such a recurrence, as well as our surveillance reform PIL which was filed in the Hon’ble Supreme Court in 2019. Further, in December 2020, IFF, along with eight other civil society organisations had also filed an amici brief before the ninth Circuit Federal Court of Appeals in California to oppose the NSO Group’s attempt to evade responsibility for the Pegasus Hack. In addition to seeking transparency through full disclosure under the Right to Information Act as well as other avenues, we hope to work towards solutions to ensure that something like this never happens again.

Important Documents

  1. Personal Data and Information Privacy Code Bill, 2019 introduced in Parliament (link)
  2. IFF’s Surveillance Reform PIL (W.P. Civil No. 44 of 2019) (link)
  3. “Read: NSO Group's Response to the Pegasus Project and Our Take” published in The Wire dated July 18, 2021 (link)