Pegasus Scandal: it's been two months with no investigation! #SaveOurPrivacy

tl;dr

In light of the revelations related to NSO Group’s Pegasus spyware made in July 2021, the Government of West Bengal has instituted a Commission of Inquiry to investigate the issue. Responding to the Public Notice calling for statements, we have sent across a submission to the Commission.

Pegasus: 2 months on, still no investigation…

On July 18, 2021, The Wire, as part of an international collaborative investigation titled “Pegasus Project”, revealed that the Israeli spyware firm NSO targeted “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others” through their spyware, Pegasus. The revelation was made on the basis of a leaked database accessed by Paris-based media nonprofit Forbidden Stories and Amnesty International, which contains the list of numbers believed to have been targeted by NSO.

According to ANI, the Union Government, in response to a questionnaire sent by the Pegasus Project stated that, “the allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”. On July 19, 2021, the Minister of Electronics and Information Technology, Ashwini Vaishnaw, presented his statement in response to the Pegasus Project revelations in the Lok Sabha, which was also presented in Rajya Sabha. The statement failed to quell any of the questions raised as the Minister only quoted provisions of the existing surveillance architecture in India and stated that all electronic interception follows due process. On July 28, 2021, the Standing Committee on Information Technology was to have its sitting on the subject ‘Citizens’ data security and privacy’ however the sitting had to be called off due to a lack of quorum.

While there are multiple petitions pending on the issue currently, there is still a lack of investigation on the issue from the Union Government. On August 17, the Supreme Court had issued notice to the Centre in the pleas after the Union submitted that it was willing to give details regarding the controversy to an expert committee, but not make it public before the Court for fear of national security implications.

However, on July 26, 2021, the Government of West Bengal had set up a two member Commission of Inquiry to investigate the issue. Under The Commissions of Inquiry Act, 1952, a Commission set up by the government shall have the powers of a civil court, while trying a suit under the Code of Civil Procedure, 1908. This means that the Commission will have the powers to summon and enforce the attendance of any person from any part of India and examine her on oath, and receive evidence, and it can order requisition of any public record or copy from any court or office. On August 3, 2021, the Commission issued a public notice calling for statements on the Pegasus revelations.

However, consequently, on August 25, 2021, the Government of West Bengal told the Supreme Court that the two-member Commission of Inquiry, headed by retired Supreme Court Judge Justice Madan B Lokur, will not proceed until the apex court hears petitions seeking a probe into the alleged surveillance scandal as well as those challenging the state government’s decision to appoint the commission.

Our submission to the WB Commission

However, despite the indication that the Commission will not proceed till the Supreme Court is hearing related petitions, we have sent our submission as per the deadline indicated to ensure that when the inquiry does take place eventually, there is no delay. In our submissions, we have highlighted that it is imperative that the Commission asks the relevant government stakeholders specific questions to ensure that they have a clear and correct understanding of the issue. Please read our entire submission here.

A. Ministry of Home Affairs (MHA)

  • Has the MHA or any agency under the Ministry procured the Pegasus software? What were the financial considerations?
  • Please provide a detailed report of the MHA’s budget, specifically with regard to any expenditure incurred on the acquisition of spyware technology such as Pegasus.
  • Has the MHA deployed the Pegasus tool? Since hacking is a criminal offense as per Indian law, how is the use of Pegasus being authorised in India?
  • If MHA has not used Pegasus, or Pegasus-like tools, is it aware of any other ministry, department, branch or agency of the Union or any State government having used Pegasus or Pegasus-like tools?
  • If such tools have indeed been used, were these surveillance requests issued and reviewed by competent authorities?
  • If such tools have been used, what is the extent of the information that has been collected, how is it being stored and how is it being used further?
  • If orders for interception and monitoring have been issued, what is the time period for which such orders were in force? To which intermediaries have such orders been sent?
  • Is the MHA contemplating conducting an investigation into possible origins of the alleged attack?
  • What are the steps that are being taken to ensure that such violations of the fundamental rights of an Indian citizen are not repeated and that the digital safety & security of Indian citizens are not compromised?
  • Has the MHA sent any questionnaire to the NSO Group and sought specific disclosure from them?

B. Prime Minister’s Office (PMO)

  • Has the PMO or any agency under the PMO procured the Pegasus software? What were the financial considerations?
  • Please provide a detailed report of the PMO’s budget, specifically with regard to any expenditure incurred on the acquisition of spyware technology such as Pegasus.
  • Has any agency under the PMO deployed the Pegasus tool? Since hacking is a criminal offense as per Indian law, how is the use of Pegasus being authorised in India?
  • If the PMO, or any agency under the PMO, has not used Pegasus, or Pegasus-like tools, is it aware of any other ministry, department, branch or agency of the Union or any State government having used Pegasus or Pegasus-like tools?
  • If such tools have indeed been used, were these surveillance requests issued and reviewed by competent authorities?
  • If such tools have been used, what is the extent of the information that has been collected, how is it being stored and how is it being used further?
  • If orders for interception and monitoring have been issued, what is the time period for which such orders were in force? To which intermediaries have such orders been sent?
  • Is any agency under the PMO contemplating conducting an investigation into possible origins of the alleged attack?
  • What are the steps that are being taken to ensure that such violations of the fundamental rights of an Indian citizen are not repeated and that the digital safety & security of Indian citizens are not compromised?
  • Has the PMO sent any questionnaire to the NSO Group and sought specific disclosure from them?

C. Ministry of Electronics & Information Technology (MeitY) & Ministry of Communications (MoC)

  • Was the MeitY and/or MoC or any agency under the ministries involved in the procurement of Pegasus by the MHA and/or any other agency/authority of the Government of India?
  • Has the MeitY and/or MoC deployed the Pegasus tool? Since hacking is a criminal offense as per Indian law, how is the use of Pegasus being authorised in India?
  • If MeitY and/or MoC have not used Pegasus, or Pegasus-like tools, are they aware of any other ministry, department, branch or agency of the Union or any State government having used Pegasus or Pegasus-like tools?
  • If such tools have indeed been used, were these surveillance requests issued and reviewed by competent authorities?
  • If orders for interception and monitoring have been issued, what is the time period for which such orders were in force? To which intermediaries have such orders been sent?
  • Is the CERT-IN contemplating conducting an investigation into possible origins of the alleged attack?
  • What are the steps that are being taken to ensure that such violations of the fundamental rights of an Indian citizen are not repeated and that the digital safety & security of Indian citizens are not compromised?
  • Has the MeitY sent any questionnaire to the NSO Group and sought specific disclosure from them?

D. Ministry of Law and Justice (“MoJ”)

  • Did the MoJ seek or receive any legal opinion or legal advice regarding surveillance of the mobile phone devices of Indian citizens using spyware, such as Pegasus?
  • Was the MoJ consulted for a legal opinion or legal advice regarding the use of spyware such as Pegasus for surveillance?
  • If so, did the MoJ provide any legal opinion or legal advice regarding surveillance of the mobile phone devices of Indian citizens using spyware, such as Pegasus?
  • Is the MoJ aware of any other ministry, department, branch or agency of the Union or any State government having used Pegasus or Pegasus-like tools?

Important documents

  1. IFF’s submission to the WB Commission on Pegasus dated September 4, 2021 (link)
  2. Pegasus: Rupesh Kumar Singh and Ipsa Shatakshi and other journalists approach SC dated August 5, 2021 (link)
  3. IFF’s previous work on #Pegasus (link)