Pegasus is spyware developed by an Israeli company, NSO group. The company is named after its three founders. Pegasus is an enormously sophisticated military-grade software. The company claims that this spyware is developed to prevent crime and terrorism and is only sold to ‘vetted governments’.
This is not the first time that Pegasus has made it to the headlines, in 2018 a US-based journalist, Jamal Khashoggi who was an open critic of the Saudi crown and wrote in the Washington Post was mysteriously murdered in the Saudi consulate in Istanbul, and reports suggest that the Saudi used the Pegasus to track his movements.
Mexican government admitted that it used Pegasus to track a dreaded criminal El Chapo also known as the Druglord. There are allegations that the Mexican government also used Pegasus to spy on a Mexican journalist who reported extensively on corruption cams in Mexico and later the journalist was murdered.
Facebook and the Pegasus in 2019
In 2019, Facebook had filed a complaint against NSO in the Federal Court of the United States that the Pegasus had infiltrated WhatsApp and data of more than 1400 people had been spied upon spread across 20 countries. These claims were denied by the NSO. In the list of these 1400 people who were allegedly spied included, 17-18 people belonged to India, this included advocates, civil rights activists like Anand Teltumbde who is in jail under the draconian UAPA from the more than two years, Advocate Shalini Ghera who represents Sudha Bhardwaj, also in jail under UAPA. Ministry of Home Affairs had denied all allegations back then.
The Project Pegasus: 2021 Expose
This expose was carried out by a France-based nonprofit Forbidden Stories with technical support from Amnesty International got their hands on a leaked database from NSO which had fifty thousand ‘Potential targets’. They collaborated with more than 17 news organizations like Washington Post, The Guardian, Reuters, and The Wire from India. The list contained details of more than 80 journalists across majorly from 10 countries including India. Amnesty International has publicly revealed the methodology they used. This methodology was independently reviewed by a Canadian-based, Citizen Lab and it responded affirmatively.
However, the presence of someone’s details in the list does not necessarily mean that they were spied upon but were either attempted to be spied or was successfully spied or was a potential target for Pegasus.
There are 300 Indians in the 50,000 list released which includes some of the most high profile people of the country from opposition leaders to political strategists to members of constitutional authorities.
The list includes Rahul Gandhi of the Congress Party and two of his close associates, Political Strategist Prashant Kishore, Abhishek Banerjee (nephew of Mamta Banerjee), Praveen Togadia who is in a rift with Mr. Modi since the Gujarat politics.
Apart from the political class, the list also included high-profile bureaucrats who have some history with the ruling party. Ashok Lavasa who once was a member of the three-man Election Commission and also the person who found Prime Minister Narendra Modi and Home Minister Amit Shah in violation of the Model Code of Conduct in the 2019 general elections. Alok Verma and Rakesh Asthana also appeared on the list.
The list also included journalists like Rohini Singh who did a story on the skyrocketing profits of Jay Shah’s company (son of Home Minister Amit Shah), Swati Chaturvedi who is an author of ‘I am a Troll’ which is based on the BJP IT Cell, Sushant Singh who is an editor at the Indian Express, he did multiple stories on the Rafale Deal. Vigata Singh who works for The Hindu, did an interesting story in 2017 which indicated that the budget for the National Security Council Secretariat (NSCS) was increased tenfold from 33 crores to 333 crores that year, Prashant Bhushan, an advocate, and a social activist alleged that this budget was used to buy Pegasus by the government.
All these names belong to different professions, have different backgrounds but what all these names have in common is that they are not in the good books of the ruling government if not in the bad ones.
Surprisingly, the list also includes some members of the government like Prahlad Patel was massively surveilled who was the Minister of Culture with independent charge. Also, Ashwini Vaishnav with a dual portfolio with IT Ministry as well as Railways.
The alleged link between Pegasus and PM Modi’s visit to Israel
In 2017, Narendra Modi became the first Prime Minister to visit Israel. Michael Safi of The Guardian tweeted an interesting connection between Prime Minister Modi and former Israeli PM Netanyahu in 2017, it was just in the week of his visit, and the first list of names to be surveilled in India was selected.
Surveillance Laws and Pegasus
Surveillance majorly takes place under two laws – Telegraph Act, 1885 , and the Information technology Act, 2000. Telegraph Act deals with the interception of calls and messages and the IT Act deals with the interception of all electronic communication.
Telegraph Act, 1885
Unser Section 5(2) of the Act, the government can interception of calls or phone tapping only in the following situations:
- Interests in the sovereignty and integrity of India,
- Security of the state,
- Friendly relations with foreign states or public order,
- Preventing incitement to the commission of an offense.
The grounds upon which a person is selected for surveillance have to be recorded in writing. Furthermore, a proviso in Section 5(2) states that even the lawful interception cannot take place against journalists unless their transmission has been prohibited under this section.
The constitutionality of Section 5(2) was challenged in People’s Union for Civil Liberties v. Union of India, 1996, the Supreme Court upheld the Act but was subject to certain safeguards. The Supreme Court observed that:
“Tapping is a serious invasion of an individual’s privacy.”
“It is no doubt correct that every Government exercises some degree of surveillance operation as a part of its intelligence outfit but at the same time citizen’s right to privacy has to be protected.”
These observations were made by the Supreme Court back when the Right to Privacy was not a Fundamental Right. These observations were later codified in the Rule 419A of the Telegraph Rules, 2007 which states that a Secretary to the Government of India (not below the rank of a Joint Secretary) in the Ministry of Home Affairs can pass orders of interception in the case of Centre, and similar provisions exist at the state level.
The PUCL judgment was upheld by the Supreme Court of India in the KS Puttaswamy and Anr. v. Union of India that held the Right to Privacy to be a fundamental right. The court premised the ruling on the principle that, “Privacy is the ultimate expression of the sanctity of the individual”. Furthermore, the court observed that any restriction on the right to privacy must satisfy the “principle of proportionality and legitimacy,”
One can argue that since Section 5(2) of the Act permits the government to intercept calls and messages, the government has followed the due process if it used Pegasus for surveillance but this argument is ignorant of the fact that by no means is Pegasus a mere tool for interception of calls and messages, it constantly surveilled a person including all the media files which are stored in the device and not communicated or transmitted yet.
Information Technology Act
Section 69 of the IT Act and the Information Technology (Procedure for Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009, were enacted to enhance the legal framework from electronic surveillance.
However, the scope of Section 69 of the IT Act is very broader and vague as the only prerequisite condition for engaging in electronic surveillance is for the “investigation of an offense”.
There has been a lot of discussion upon the term ‘interception’, but what is the scope of this interception. The answer lies in Rule 2(l) of the Information Technology (Procedure for Safeguards for Interception, Monitoring, and Decryption of Information) Rules, 2009. Interception is defined as an acquisition of the contents of the information to make the information available to any person other than the sender and recipient of the communication. This clearly implies that the term ‘interception’ can only be done of the contents of the information transmitted with is part of some ‘communication’. Definition of interception does not include the acquisition of information that happens near a device.
In conclusion, under the Telegraph Act and the Information Technology Act, the interception of calls, messages, and information is limited to the ‘communication’ made through the computer resource or telegraph which differs significantly from what Pegasus has to offer. Thus the usage of one’s device as a camera or microphone to surveille a person and his/her surroundings is neither permitted by Section 69 of the IT Act nor by Section 5(2) of the Telegraph Act.
The distinction between intercepting information communicated over calls or messages through electronic devices and electronic devices being used as a camera or microphone to monitor one’s actions that were not communicated over calls or messages is critical to the illegality of usage of Pegasus by the government.
Pegasus spyware is a ‘weapon system’ the Israeli government treats it as a weapon system that is subject to export controls. So when an application is made to the NSO group, it cannot grant without the prior approval of the Israeli government. The Pegasus is a Dual-Use Technology which refers to the technology that can be used for both good and evil purposes. This Dual-Use Technology is controlled by more than 40 countries and comes under the Wassenaar Agreement, which monitors and controls the export of arms and dual-use technologies by global powers. The arrangement was set up to regulate the transfer of weapons technologies between nations. It aims at establishing an order for regional and international security through a transparent process of conventional arms transfer. It aims that the technologies do not fall into the arms of non-state actors or irresponsible nations.
All participating nations must ensure that items that can be used for destructive purposes are transferred only after due scrutiny so that they do not fall into the wrong hands. This agreement has listed with reference to the tool’s sensitivity, the Pegasus would fall in the ‘most sensitive’ category. This would subject this to the many checks and controls and also to the End User Monitoring Agreement (EUMA) which means that country selling this to another country would be able to monitor its use. This means that for the NSO group to claim that they just sell and are not aware as to what their client uses it for has barely any standing.
There were a bunch of petitions in the Supreme Court seeking an SIT Probe. The opposition demanded a Joint Parliamentary Committee (JPC) into the matter. The government has “unequivocally” denied all allegations with “no substance” in the reports and is ready to set up an expert committee to look into the issue. As it may be, there is a crucial need for a Data Protection Bill, 2019 to be enacted so that the law can be tested against the cornerstone of fundamental rights and growth of the digital economy and the security of the country can be balanced.
 The Telegraph Act, 1885.
 The Information Technology Act, 2000.
 AIR 1997 SC 568
 (2019) 1 SCC 1