Statement: Scary disclosures on use of NSO spyware in India signal a need for urgent reform

Today, the Indian Express broke a story about how spyware developed by an Israeli cyber-intelligence firm, NSO Group, was used on Dalit activists, journalists and lawyers in India. The spyware, “Pegasus”, would be installed through a missed call on WhatsApp, after which an attacker would gain complete access to a smartphone. As per the NSO Group, “Pegasus” was only sold to government clients. Subsequent reports by Huffington Post and Newslaundry have revealed that the targets include lawyers in the Bhima Koregaon case, Bela Bhatia and Anand Teltumbde. This raises some extremely disturbing questions about likely illegal hacking by unknown government agencies, or other actors operating in India, and suggests flagrant disregard for the rule of law and contempt for our fundamental right to privacy.

There is an urgent need for official disclosure on whether and how this spyware was used in India to hack our citizens. The Government of India must issue an official public statement providing complete information. The Government must also clarify which law empowers it to install such spyware. To the best of our understanding and knowledge, no such power exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000.

This exposé signals a need for urgent surveillance reform to protect citizens against the use of malware, spyware and creation of vulnerabilities in technologies which offer privacy protection by design. We call on the Government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security. Legislative measures must be introduced in Parliament to uphold the 9-judge bench decision of the Supreme Court of India recognizing privacy as a fundamental right. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens.

Over the next few weeks, we at IFF will attempt to reach out to any victims of illegal surveillance in India and we will make every attempt to ensure that they can access the legal system to seek redress. We will also examine avenues for further engagement with all branches of government (legislative, executive and judicial) to advance our ongoing work on surveillance reform.

In addition to seeking transparency through full disclosure, we hope to work towards solutions to ensure that something like this never happens again. We will continue our public advocacy through the SaveOurPrivacy Campaign, which seeks to put forth a model draft law that provides for judicial oversight and parliamentary controls in the surveillance process. In July, a revised version of this model draft law was introduced in Parliament as a private member’s bill by Dr. Ravikumar as the Personal Data and Information Privacy Code Bill, 2019, which, if enacted, may help prevent such a recurrence.

If you have been affected by this breach, we are here to help; please feel free to reach out to us at [email protected].

Important Documents:

  1. Personal Data and Information Privacy Code Bill, 2019 introduced in Parliament
  2. IFF’s Surveillance Reform PIL (W.P. Civil No. 44 of 2019)
  3. Save Our Privacy Campaign