Our Response to the SC’s Technical Committee on Pegasus #SaveOurPrivacy

tl;dr

The Technical Committee constituted by the Hon’ble Supreme Court of India to investigate the Pegasus revelations made in July 2021 reached out to IFF’s Executive Director, Mr. Apar Gupta with a questionnaire on the legality of surveillance in India. On March 17, 2022, we shared our responses with a detailed analysis that focussed on the need for comprehensive, legislative reforms. The first step to it is fixing accountability for Pegasus.

Why should you care?

On July 18, 2021, The Wire, as part of an international collaborative investigation titled “Pegasus Project”, revealed that the Israeli spyware firm NSO targeted “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others” through their spyware, Pegasus (Link to The Wire report dated July 18, 2021). These revelations demonstrated a need for urgent surveillance reform to protect citizens against the use of such invasive technologies which hamper their fundamental right to privacy and threatens the democratic ideals of our country. Use of such surveillance technology on journalists has a chilling effect as it precludes them from working and reporting on sensitive matters, some of which may also be against the ruling government, without jeopardising themselves and the personal safety of their sources. It also stops human rights defenders from working with vulnerable people, some of whom may have been victimised by their own government, without opening them up to further abuse.

Background on the Technical Committee

Several victims of the Pegasus hack (Link to The Wire report dated August 4, 2021) have approached the Supreme Court seeking a declaration that the use of Pegasus is illegal and seeking an investigation into its alleged use (Link to Mr. Singh and Ms. Shatakshi’s petition to whom IFF has provided assistance). On October 27, 2021, the Supreme Court issues an interim order in the matter (Link to order). Considering the importance of protection of journalistic sources for press freedom, and the potential chilling effect snooping techniques may have, the Court constituted a committee of technical experts (“Technical Committee”) to examine the allegations of unauthorised surveillance using the Pegasus Spyware. The Technical Committee consists of Dr. Naveen Kumar Chaudhary, Dr. Prabaharan P., and Dr. Ashwin Anil Gumaste. The committee’s functioning will be overseen by Justice R. V. Raveendran (retd.), former Judge, Supreme Court of India. Mr. Alok Joshi, former IPS officer, and Dr. Sandeep Oberoi, Chairman, International Organisation of Standardisation and the International Electro­-Technical Commission, have been tasked with assisting the overseeing judge.

Amongst other things, the Court has directed the Technical Committee to enquire, investigate, and determine whether Pegasus was acquired by the Union Government or any State Government, and whether the spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversation, intercept information and/or any other purpose. The Committee has also been asked to make recommendations regarding enactment or amendment to existing law around surveillance to secure the right to privacy as well as regarding establishment of a mechanism for citizens to raise grievances on suspicion of illegal surveillance of orders. In order to achieve these ends, the Committee has been authorised to devise its own procedure, conduct investigation as it deems fit, take statements of any person in connection with the enquiry, and crucially ‘call for records of any authority or individual’.

Technical Committee reaches out on legality of surveillance

On March 9, 2022, the Technical Committee approached several policy experts and legal practitioners including Mr. Apar Gupta, IFF’s Executive Director, to share his views in response to a list of questions shared by them. Below, we have summarised the responses sent to certain questions (Link to Mr. Gupta’s complete response).

Sr. No.

Question

Summary of responses by Mr. Gupta

1. 

Whether the current surveillance laws and regulations in India (collectively referred to as “Surveillance Framework”) were sufficiently defined and understood?

No, the existing boundaries of state surveillance are not understood or practised within a rule of law framework. 

2. 

Whether the existing safeguards in the Surveillance Framework are sufficient and if not, how can they be strengthened? Whether the existing Surveillance Framework allows for unwarranted and excessive use?

No, the existing procedures under the Telegraph Act, 1885 and Information Technology Act, 2000 and rules are inadequate and deficient. They do not constitute any reasonable or practicable safeguards against, unwarranted or excessive use; misuse; abuse of State Surveillance even when carried out under grounds mentioned therein.

3. 

Which fresh safeguards are needed to sufficiently balance citizen rights against state interests? How can existing procedures be strengthened? 

In the absence of comprehensive, legislative reforms existing acts of State Surveillance are illegal after the pronouncement of K.S. Puttaswamy vs Union of India [(2017) 10 SCC 1]. In the absence of a comprehensive legislative framework, existing surveillance practices fail to meet constitutional touchstones and hence are illegal. It is essential that judicial and parliamentary oversight over surveillance practices is established to protect against misuse. 

4. 

What should be the redressal mechanisms available to a person targeted illegally through the use of surveillance technology? 

At present no grievance redressal mechanism exists for a person whose data is subjected to targeted surveillance technologies by the State due to the lack of disclosure of the surveillance after the activity has ceased. This renders any remedy illusionary. This is a core design fault in the existing legal framework.

5.

Whether certain categories of persons should be awarded special safeguards against State surveillance?

While Mr. Gupta does not have an informed opinion on this query, he highlighted that survelliance disproportionately impacts members who lack social and economic power in Indian society and have historically faced discrimination on grounds of gender, caste and sexuality. 

6. 

Whether state immunity extends to instances of illegal hacking?

No, sovereign/State immunity is inapplicable in the present context since illegal and criminal actions of hacking against citizens is a violation of fundamental rights guaranteed under the Constitution of India.

7. 

Whether the State should disclose details related to acquisition, development and deployment of surveillance technologies and to whom? 

Yes, Union and State Governments as much as Intelligence Agencies should be obliged to record or disclose surveillance technology/access that is procured by it, available with it or used by it for the purposes of national security or defence of India. Since disclosures regarding procurement of military hardware for the purposes of defence have been made historically, surveillance technology/access should not be treated differentially. These disclosures should be made to the Parliamentary Standing Committee on Home Affairs and the Parliamentary Standing Committee on Defence. These disclosures should also be made available under the Right to Information Act, 2005, in order to uphold the act’s aim of promoting transparency and accountability in the working of every public authority.

8.

Whether the suggestions being made by Mr. Gupta would be feasible to implement in India’s federal structure? 

Yes. These suggestions are feasible to implement under the Indian federal constitutional framework. In order to implement these suggestions, the Parliament will have to enact a comprehensive law to regulate surveillance which may be applicable to both, Centre and States. The Parliament will also have to amend the Telegraph Act and IT Act which also apply to both, Centre and States. The Legislative Assemblies will have to amend such laws in their state which enable surveillance such as the Maharashtra Control of Organised Crime Act, 1999. 

9. 

What steps can be taken to improve and increase the cyber security of the Nation and its assets?

As data breach and security vulnerabilities increase at a rapid pace, robust measures will be needed to ensure that the online security of India citizens is secured. This would involve comprehensive programmes across three core areas: the existing legal framework, the cyber security policy, and the lack of data protection legislation.

10. 

What laws and safeguards should be put in place by the State to protect its citizens from targeted surveillance by non-State/private entities and foreign agencies?

To protect its citizens from targeted surveillance by non-State/private entities and foreign agencies, it is essential that effective remedy is made available to each affected citizen. Any remedy, to be effective, would include the State taking swift action against any illegal targeted surveillance activity when it becomes aware of the existence of such illegality. To protect citizens against private actors, the State must adopt and enforce legislation that would require private actors to comply with human rights and implement human rights due diligence measures as prescribed by the UN Guiding Principles on Business and Human Rights.

11.

Whether there are any other suggestions or comments relating to the Terms of Reference?

Mr. Gupta’s three main suggestions are to focus on the use of Pegasus and fix accountability, expeditious disposal of the ongoing inquiry, and to invite inputs and suggestions may be queried from the public, particularly activists, academics, technologists and scholars in fields of surveillance, national security and constitutional law.

What next?

All surveillance activities, whether under the existing Surveillance Framework or outside of it, are violative of the right to privacy decision of the Supreme Court in K.S. Puttaswamy vs Union of India (Link to complete order). However, while civil society members have been warning against the misuse of  existing surveillance laws in India, these warnings have fallen on deaf ears (Link to our blogpost on the urgent need for surveillance reform). Thus, when the Pegasus revelations laid bare the rot in the existing Surveillance Framework in India, they shocked the entire country. This makes it essential that accountability for the Pegasus hack is apportioned. Here, it is essential that the Technical Committee fixes accountability on the relevant actor for the Pegasus hack, especially if it has been carried out by a government authority. Such a finding would create the much needed incentive for legislative reform of the Surveillance Framework. Further, a comprehensive law on informational privacy and surveillance is the need of the hour. Previously, private members' bills by Dr. Shashi Tharoor (link to bill) and Dr. Ravi Kumar (link to bill) have tried to respond to the existing lacuna in our privacy and surveillance frameworks. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens.

Important documents

  1. Response by IFF’s Executive Director Mr. Apar Gupta submitted to the Technical Committee constituted by Supreme Court for inquiry into the Pegasus revelations dated March 17, 2022 (link)
  2. Ministry of Home Affairs' “‘Standard Operating Procedure’ for Interception, Handling, Sharing, Copying, Storage, and Destruction of Messages/Telephones” dated May 19, 2011 (link)
  3. IFF’s Statement on the Supreme Court Pegasus Committee dated November 10, 2021 (link)
  4. SC appoints a committee to examine the use of Pegasus Spyware in India dated October 27, 2021 (link)
  5. IFF’s Statement on Hacking Revelations made by the Pegasus Project dated July 19, 2021 (link)