On July 18, 2021, we came to know about the widespread use of NSO Group’s Pegasus spyware against Indian citizens. However, this is not the first time. In 2019, similar reports came out which detailed how activists and lawyers in Maharashtra & Chhattisgarh were targeted through the spyware. Cognisant of the legal injuries as well as the violations of fundamental rights that have occurred, we wrote to the state governments of Maharashtra & Chhattisgarh to institute investigations into the use of spyware against citizens.
What happened in 2019?
In 2019, it was reported that Pegasus, developed by an Israeli firm known as the NSO Group, was used to target the WhatsApp applications of 121 Indian citizens, of whom 20 were successfully hacked. Of the 20 Indian citizens who were successfully targeted through the spying software, a significant number were residents of the states of Maharashtra & Chhattisgarh. The Pegasus hack was first brought to light by Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada, which was conducting research on the use of spyware supplied to government vendors and intelligence agencies by the NSO Group.
India’s involvement in this enormous breach was first found in the report put out by Citizen Lab on September 18, 2019. This explainer report showed the various countries affected by the Pegasus software and also explained its functioning. In India, the report shows that a distinct Pegasus system was used to target various Internet Service Providers in India, including Bharti Airtel and MTNL among others. On May 14, 2019, an article published in the Financial Times reported for the first time that WhatsApp “discovered that attackers were able to install surveillance software on both iPhones and Android phones by ringing up targets using the app’s phone call function.” As per a statement by WhatsApp, this vulnerability was patched and closed. On October 30, 2019, Indian Express published a report containing statements made by WhatsApp which confirmed that the victims of the hack were mostly Indian journalists and human rights activists.
Following these revelations, we also wrote to the respective state governments in April 2020, asking them to institute investigations. However, our requests were not heard.
The Pegasus saga continues in 2021
It was reported in The Wire dated July 18, 2021 that “a leaked database of thousands of telephone numbers believed to have been listed by multiple government clients of an Israeli surveillance technology firm includes over 300 verified Indian mobile telephone numbers, including those used by ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others”.
The report also detailed that, since 2019, NSO has advanced Pegasus to the extent that infections can now be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. Once Pegasus has been installed on the mobile device, it can harvest SMS messages, address books, call history, calendars, emails and internet browsing histories, as well as gain access to and extract any files on the device.
As we have said in our statement regarding the Pegasus revelations, no such power to hack the phones of Indian citizens exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000 and it is only through such hacking that the Pegasus spyware can be used against a person.
Surveillance such as this, carried out by NSO through its Pegasus software, puts the personal privacy of citizens at risk. The risk is especially to informational privacy, which was one of the major focuses of the landmark decision in Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1, which affirms the fundamental right to privacy. The Hon’ble Justice Chandrachud in this decision focuses on the informational aspect of privacy and its connection with human dignity and autonomy. The decision recognizes informational privacy, which reflects an interest in preventing information about the self from being disseminated and in controlling the extent of access to information, as one of the facets of the right to privacy.
We wrote to the state governments asking them to do their duty to protect their citizens
- We recommended that the state governments of Maharashtra & Chhattisgarh should establish an investigation committee to look into the hack committed in their state.
- The Committee should have a fixed timeline in which to complete its investigation and submit its report to the state government.
- The Committee should allow for the victims (or legal counsel on their behalf) of the hack to testify before it.
- The Committee should allow experts in the field of data privacy to testify before it.
- The Committee should facilitate the registration of open FIRs and encourage the immediate commencement of investigations.
- The Committee should operate in a transparent manner.
This issue does not exist as only a matter of legality; a serious crime has been committed against the Indian citizens that requires immediate action. IFF will continue to fight for transparency, accountability, and justice on this issue!
- Representation to Maharashtra Govt. seeking Investigation of the Pegasus hack dated July 27, 2021
- Representation to Chhattisgarh Govt. seeking Investigation of the Pegasus hack dated July 27, 2021
- IFF’s Statement on Hacking Revelations made by the Pegasus Project dated July 19, 2021
- IFF’s work relating to NSO Group’s spyware Pegasus