Israeli Spyware: Ask Not What Pegasus Does, But How Powerful Actors Operate in India

The status quo cannot be allowed to continue – the recent revelations are an attack on our claim of being a progressive democracy. 

The usage of Pegasus spyware by powerful agents to spy on Indian activists was not a surprise to many of the country’s human rights defenders and members of civil society.  

The only surprise, for some, was in finding out who was targeted and who wasn’t. 

In a country which has consistently dragged its feet over the need for a privacy law and surveillance reforms, those interested in how technology is adversely impacting our fundamental rights find ourselves questioning the government ad nauseum, with no answers in sight.   

Recent statements from the Ministry of Home Affairs and Ravi Shankar Prasad, the minister for electronics and information technology, clearly show us they are not interested in getting to the bottom of this matter, let alone more broadly informing the public of how the state and its agents operate in India. 

In Puttaswamy vs Union of India, the Supreme Court made clear the need for a law that deals with targeted and mass surveillance, and asserted that our fundamental rights can’t be taken away in the name of national security. Yet, that is the sole reason which is provided when one asks how the security establishment is tapping our phones or blocking our tweets. 

With failing institutions and no data protection law, who should we look to for answers regarding Pegasus and WhatsApp? 

Also read | Israeli Spyware: India Turns to WhatsApp For Answers, But What Should We Really Be Asking?

In the current framework of things, there are hard limits on how much we will ever know about this entire fiasco. WhatsApp might have warned the broader Indian public and the individuals that were subjected to potential surveillance, but it does not know what information was collected and for what purposes. The Israel-based NSO Group, which supplied the spyware, deserves to investigated under Indian law but the limits of geography and New Delhi’s relationship with Tel Aviv will pose a problem. 

Closer home, we can count ourselves lucky if India’s courts hear the matter and ordered an investigation. 

Inside parliament, the Standing Committee on Information Technology is one of the forums that should be seeking accountability and examining how the privacy of our citizens was violated. But if past history is anything to go by, the committee’s pending reports on net neutrality, Cambridge Analytica and Aadhaar tell us that their closed-door discussions will not be enough. Even if members of the parliamentary committee demand that WhatsApp, the NSO Group, MeITY and MHA  depose before them, anything useful will likely be declared a secret under the aegis of national security and result in no tangible outcomes. 

All surveillance enterprises operate in secret and until the veils of secrecy are lifted, it will be hard to make them accountable to the public. Any future law that aims to regulate mass or targeted surveillance cannot work or be implemented effectively until we know the methods of snooping that are being carried out. The main issue therefore is not how the NSO Group’s spyware operates, but rather how powerful actors within and outside India procure and use these systems.

It is the intent behind the surveillance and the processes that are deployed that is far more important. 

Information about the surveillance practices of governments and other powerful actors have largely only come through leaks, the most famous of them was from Edward Snowden on the US’s Prism programme. 

Also read | Citizen Lab Lists Measures You Can Take to Protect Your Accounts From Spyware

The ‘Hacking Team’ emails, documents archived on Wikileaks’ website, do provide insights on some of the practices and needs of Government of India and other state governments. It was the Indian government which first wrote to ‘Hacking Team’ in 2006, asking for a meeting and enquiring about their tools of intrusion. 

The leaked emails show it wasn’t just the central government, but other state police departments were in touch with them to procure surveillance technologies. The emails show Andhra Pradesh Police Intelligence wanted to procure telephone interception tools right after Chandrababu Naidu’s phone calls were leaked to the press in July 2015. 

In the past few months, there have been media reports of the Andhra Pradesh police procuring tools from Israel to break WhatsApp encryption right before the recent Lok Sabha elections. The elections in Andhra Pradesh also have shown that political parties are using state surveillance to gain ground over the Opposition and have even been using resources like Aadhaar for voter profiling. 

In a way, the Pegasus affair makes clear something that many who work in the public sphere often joke about – that what they say or do is being monitored by people and organisations who don’t have their best interests at heart. WhatsApp’s lawsuit against the NSO Group has added a much-needed dose of reality to these discussions.

Indeed, it has made clear that the status quo cannot be ignored and cannot be allowed to continue – the recent revelations are an attack on our claim of being a progressive democracy. 

Srinivas Kodali is an independent researcher working on data and the internet.