Pegasus Investigation Report to remain in sealed cover despite containing evidence that 5 phones had malware

tl;dr

The committee of experts (‘Committee’) constituted by the Supreme Court to investigate the use of Pegasus spyware on Indian citizens recently submitted its report with the Supreme Court in a sealed envelope (‘Report’). This Report was opened for the first time by the Bench comprising Chief Justice NV Ramana (‘CJI’), Justice Surya Kant and Justice Hima Kohli in open court. The CJI read some parts of the Report, and revealed that the Report states that malware was found in 5 out of 29 phones, but that the Report couldn’t say if the malware was Pegasus. However, despite this shocking revelation, the Report will be kept in the sealed envelope, in the custody of the Supreme Court’s General Secretary, even when the CJI stated during the court proceedings, that parts of the Report will be public.

Why should you care?

Pegasus spyware has been revealed to be used to snoop on Indian ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others. Use of such invasive technologies destroys the fundamental right to privacy and threatens the democratic ideals of our country. It also has a chilling effect on the freedom of press as it prevents journalists from reporting on sensitive matters, some of which may also be against the ruling government, without jeopardising themselves and the personal safety of their sources. This is a matter where transparency is of utmost importance, but the recent trend of submitting documents in sealed envelopes is undermining transparency efforts, including in this case.

Background

On July 18, 2021, The Wire, as part of an international collaborative investigation titled “Pegasus Project”, revealed that the Israeli spyware firm NSO targeted “over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others” through their spyware, Pegasus.

Subsequent reporting revealed that forensic analysis conducted by Amnesty International's Security Lab showed that the Pegasus spyware had been used to target 37 phones, of which 10 belonged to Indians. The Security Lab was able to confirm that the Pegasus spyware was used to compromise the phones of former Indian Express journalist Sushant Singh, former EPW editor Paranjoy Guha Thakurta, former Outlook journalist S.N.M. Abdi and The Wire’s two founding editors Siddharth Varadarajan and M.K. Venu.

IFF provided legal assistance to Ipsa Shatakshi, Paranjoy Guha Thakurta, Prem Shankar Jha, Rupesh Kumar Singh and S.N.M. Abdi in challenging the use of Pegasus on their phones before the Supreme Court of India, which culminated in the appointment of a committee of experts overseen by Justice (Retd.) Raveendran RV to investigate and enquire into the use of Pegasus on Indians. The Committee recently submitted its report before the Supreme Court in a sealed cover.

The Report shows Malware, but can’t confirm Pegasus

IFF Lawyers Tanmay Singh and Anandita Mishra were present in Court on August 25, 2022, and IFF Of Counsel Vrinda Bhandari was following live virtual proceedings. The Court opened the sealed cover file containing the Report, and its copy was not made available to the parties in the matter. The CJI read out portions of the Report and stated that it comprises 3 parts. Parts I and II are submitted by the technical committee and Part III records the observations from the overseeing judge - Justice (Retd.) RV Raveendran. Part I and II relate to the terms of reference under the order dated October 27, 2021.

The CJI stated that malware was found in 5 out of 29 phones submitted to it, but this “did not mean that it was Pegasus.” This is a shocking revelation, because evidence from Amnesty International and CitizenLab could be used by other technical experts to corroborate the findings of the SC-appointed Committee. For this to happen, parts of the Report need to be made publically available.

The Report itself requests confidentiality

The CJI indicated that the Bench will examine the Report in detail and then decide whether the Report can be made publicly available, and if so, which parts thereof. The CJI also stated that Part III of the Report, which contains observations by Justice (Retd.) R.V. Raveendran, may be published. However, disappointingly, the Order as published on the SC website does not record any of these statements, and only states that the Report shall stay in the sealed cover, and kept with the Secretary General of the Supreme Court, until required by the judges.

The CJI stated during court proceedings that the Committee, in its Report, has expressed concerns about publishing the Report, claiming that it contains information that may create security problems, including the development of new and worse malware. The CJI further remarked that certain persons who submitted their phones for investigation requested that the Report (or the contents thereof which relates to them) not be made public.  

Counsel for Petitioners, including Senior Counsel Mr. Rakesh Dwivedi appearing on behalf on journalist victims of Pegasus to whom IFF has provided legal support, submitted that the parts of the Report (if not the entire report) that relate to the phones of the Petitioners must be made available to them, since the Report has found that at least 5 phones did indeed show evidence of some malware, and such Petitioners are entitled to know the results of such investigation.

The CJI also remarked that it appeared the Union Government did not cooperate in the proceedings before the Committee, and took the same stand before that Committee as it did before the Court. It is not clear what the Report says in this regard.  

The Committee made extensive recommendations

While it has not been recorded in the Order, the Hon’ble CJI read out the following recommendations made in the Report:

  1. Amend existing surveillance law to incorporate the Right to Privacy;
  2. Enhance cybersecurity law;
  3. Ensure Indians aren’t spied upon & privacy is respected;
  4. Establish a mechanism for citizens to raise complaints against illegal surveillance;
  5. Set up an independent agency to investigate cyber-attacks; and
  6. Any other ad hoc measure that the Supreme Court may take.

This was noted down by IFF lawyers present at the court proceedings, and numerous news sources that were simultaneously following the proceedings. It may be noted that if the entire Report remains in the sealed envelope, these recommendations, and the basis on which they were made, will not even be available to the Government of India, rendering them practically ineffective.

We also thank Senior Advocate, Mr. Rakesh Dwivedi for leading on Mr. SNM Abdi’s and Mr. Prem Shankar Jha’s petition, and advocate Eklavya Dwivedi for providing valuable legal assistance on the matter. We also thank Senior Advocate, Mr. Dinesh Dwivedi for leading on Mr. Paranjoy Guha Thakurta’s petition. The Senior Advocates were briefed by the legal team comprising AOR Prateek Chadha, Advocates Vrinda Bhandari, Tanmay Singh, Anandita Mishra, Krishnesh Bapat and Ayushi Rajput.

The matters are scheduled to be listed for hearing 4 weeks from now where the Court will decide how to proceed further with the case.

Important Documents

  1. Supreme Court order dated 25.08.2022 (link)
  2. Supreme Court order dated 27.10.2021 (link)
  3. Previous post titled ‘SC appoints a committee to examine the use of Pegasus Spyware in India’ dated 27.10.2021 (link)