Over the last two days, we have seen news reports of the WhatsApp accounts of human rights defenders, Dalit journalists, academics, and even politicians being targeted and subjected to “surveillance” through the use of Israeli software, Pegasus.
I use the term surveillance in air quotes, because the attack seems to have been in the nature of illegal hacking, rather than legally sanctioned surveillance.
The Indian Information Technology Act, 2000 distinguishes between acts of surveillance and hacking. Surveillance comprises acts of interception, monitoring, or decryption and is permitted, and regulated, under Section 69 of the Act.
On the fulfilment of certain pre-conditions, the government (and only the government) can place certain individuals under targeted surveillance. Both under the Telegraph Act, 1882 and the IT Act, 2000, private actors are prohibited from conducting surveillance operations.
Conversely, hacking is completely prohibited under the IT Act. Under Section 43 read with Section 66, the unauthorised intrusion into a person’s computer system/resource/network, whether by the government or private entity, is a criminal offence.
There is, then, no national security (“security of the State”) justification for hacking.
The NSO Group has reportedly stated that it only sells the Pegasus spyware to government agencies, although the Indian government has denied any responsibility for the security breach. Instead, it has asked WhatsApp to respond and explain the breach by 4 November.
It is unlikely that we will ever know the entire picture. Regardless of that, however, the WhatsApp-Pegasus story raises a lot of important questions.
First and foremost, if it is true that the government has (mis)used this spy software to track the activities of its biggest critics, it is a blatant violation of the IT Act, amounting to illegal surveillance and/or hacking, and a complete disregard for the Puttaswamy nine-judge bench’s ringing endorsement of the right to privacy.
Second, it highlights the need for a data protection law, with a separate chapter on surveillance. The current Data Protection Draft Bill that was released by the Justice Srikrishna Committee, unfortunately, fails to engage with the contested issue of surveillance reform.
Under the current surveillance regime, mere executive authorisation with executive oversight is sufficient to engage in targeted surveillance, if it is, among other things, “in the interest of …security of the State”.
The manner in which the victims of this attack have been targeted raises concerns about empowering the state to use its legal and financial resources to place dissidents/critics/activists/human rights defenders under surveillance, without any independent oversight and accountability.
India’s premier agencies such as the IB, R&AW, CBI have not been formed pursuant to any law, and are not subject to any parliamentary oversight. The activities of their agents thus remain in the realm of shadows.
In fact, had the victims of the Pegasus attack not been informed about the vulnerabilities in their phone by WhatsApp, in all likelihood, they would have remained unaware of them. This secretive nature of surveillance thus places real limits on the kind of relief most targets of surveillance can seek, and makes the requirement for judicial oversight even more compelling.
Puttaswamy gave judicial recognition to the right to privacy, but left its contours and the contentious issue of balancing privacy and security concerns undecided.
Finally, the WhatsApp-Pegasus saga also relates to the ongoing debate about traceability and the government view that WhatsApp and other intermediaries should not be permitted to run end-to-end encryption without providing the government with a decryption key whenever required.
The draft IT Intermediaries Guidelines (Amendment) Rules, 2018 requires that the “Intermediary shall enable tracing out of such originator of information on its platform as may be required by government agencies who are legally authorised.”
These guidelines raise serious concerns about potential privacy violations, the spectre of misuse, and the fact that once a backdoor is created in these hitherto secure technologies, it can be exploited by bad actors. These issues will now be examined by the Supreme Court in January 2020.
The Supreme Court is already hearing the constitutionality of the surveillance regime, and a challenge to the Intermediary Guidelines, when they are notified, is almost certain.
Either way though, unless swift action is taken, this will be just another chapter in the continuing trampling of fundamental rights of citizens by successive governments.
(Vrinda Bhandari is an Advocate in Delhi. She is also a volunteer with SaveOurPrivacy.in and helped in drafting the model India Privacy Code, 2018. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)
Published: 02 Nov 2019, 04:08 PM IST