The second problem, experts said, is that there is a severe lack of qualified surveillance and monitoring capacities with the government right now. Add to that is the fact that there is “absolutely no judicial intervention at any stage of the surveillance process” available to Indian citizens whose devices have been compromised, said Mishi Choudhary, technology lawyer and managing partner at Mishi Choudhary & Associates.
“No provision of law talks about judicial oversight in any capacity. There currently exists no provision of law whereby users are notified when their communications are subjected to surveillance,” she said.
Though as a general rule, online surveillance by the state is allowed, subject to compliance with a defined process which mandates prior authorisation by an order issued by a competent authority, it can only be put in place with prior approval or in emergent cases with subsequent approval within three days from the commencement of surveillance.
The said surveillance can last up to a maximum of 180 days, said Ameet Datta, partner at Saikrishna & Associates.
Further, what makes this particular case complicated is: though WhatsApp, functioning in India as a social media intermediary, is bound to follow the laws of the land, it is unclear as to how Israel-based NSO Group -- the owner of the spyware -- will be held accountable.
The court case filed by WhatsApp against NSO in the California court shows that NSI intercepted content by installing the Pegasus ‘remote access trojan’ program on individual devices, using WhatsApp resources. NSO recurved this material on servers set up and maintained by NSO which was subsequently provided to its clients, noted Datta.
“The onus will be on the Indian government to clarify that any surveillance of Indian citizens, if conducted at the behest of the Indian government, complied with the requirements of Section 69 of the IT Act and its rule,” he said.
This episode also highlights that the country’s surveillance systems are not robust enough to ward off and prevent such attacks in the future, experts said.
“Upcoming surveillance systems, such as the CMS and NETRA, are demonstrably among the most invasive in the world,” Choudhary said.
Even under the current laws, the committee which authorises interception must review its decision every two months and the surveillance permission needs to be renewed. Non-renewal of such permission is an offence, said Na Vijayashankar, founder of cyber laws portal, Naavi and cyber law expert.