Reports that many Indians have been targeted by the Pegasus spyware are disturbing but not surprising. Installing spyware on a phone is illegal if it is carried out by a private entity but India has no data protection laws, and has an opaque and arbitrary mechanism for authorising surveillance. A list of persons allegedly targeted by Pegasus was released by a multi-organisational investigation involving news organisations, cybersecurity specialists, and Amnesty International. The list includes over 1,000 Indians, including at least 40 journalists, several members of Parliament, including membe.....
Reports that many Indians have been targeted by the Pegasus spyware are disturbing but not surprising. Installing spyware on a phone is illegal if it is carried out by a private entity but India has no data protection laws, and has an opaque and arbitrary mechanism for authorising surveillance.
A list of persons allegedly targeted by Pegasus was released by a multi-organisational investigation involving news organisations, cybersecurity specialists, and Amnesty International. The list includes over 1,000 Indians, including at least 40 journalists, several members of Parliament, including members of the ruling party, ministers and the Opposition, senior judges
and civil servants, Dalit activists arrested in the Bhima-Koregaon affair, and industrialists. So far, cybersecurity experts have confirmed that seven of the targets, who consented to having their phones examined, were infected.
The government has issued a statement of denial. But that raises even more disturbing questions. The maker of the spyware, the Israeli firm NSO, claims to sell it only to verified government agencies (NSO claims to have 60 customers across law enforcement, intelligence and the military in 40 countries). NSO sells licences for Pegasus (each licence allows multiple installations), and does the installation (which means it aids in the hacking of the target device), sets up the physical infrastructure to collect and process data, and trains the customer in data collection. All this makes Pegasus an expensive package. Going by NSO’s rack rates, it costs close to $100,000 in capital expenditure to infect a single target and there are overheads to maintaining surveillance.
It also requires the setting up of extensive physical infrastructure for monitoring, and involves extended interactions between NSO and the customer.
If the customer in this case wasn’t the government of India, it means some entity with a lot of resources and a large physical footprint has brazenly established an expensive surveillance
operation on multiple Indian targets, and carried it out for an extended period — from 2018 to last week. This is a terrifying alternative possibility. Thus, the government must come clean on the issue. This also highlights the need for a strong data protection law that protects the individual right to privacy, including protection from surveillance and unauthorised data collection by government agencies. It also calls for a more transparent mechanism for the authorisation and oversight of digital surveillance, by means of phone taps, spyware installation, requests for personal identifying data from service providers, or anything else.
In India, a senior bureaucrat must authorise a request for surveillance. This is usually under the catch-all umbrella of “national security”. It is a warrantless process and, in practice, there is no compulsion to justify such a request or authorisation, even retrospectively. Indeed, nobody knows outside of the home ministry how many such requests are made, who is targeted, and who exactly has made a request, the reasons, and how many such requests were authorised. In most democratic nations, requests for digital surveillance must be logged and, often, justified at committee level, which means that they are debated in the minutes of meetings (which may be secret). If politicians, bureaucrats, or sitting judges
are targets, such requests may have to be justified to a joint parliamentary committee, which has oversight of the whole surveillance process and is capable of considering questions like breach of parliamentary privilege. This incident indicates the urgent need to create such institutional safeguards.
Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.
As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.
Support quality journalism and subscribe to Business Standard.