Analysis The NSO Group’s Pegasus spyware for governments continues to make headlines with revelations such as its use against the Spanish Prime Minister and senior British officials. But there’s one country where outrage over Pegasus has been steady for nearly a year and shows little sign of abating: India.

A quick recap: Pegasus was created by the Israeli company NSO Group, which marketed the product as “prevention of crime and terrorist acts” and promised that it would only sell the software to governments it approved, and for approved purposes like shooting down terrorists or targeting criminals. who abuse children.

These promises are significant because Pegasus is very powerful: targets are tricked into a “zero click” installation of the software, after which their smartphones are an open book.

In July 2021, Amnesty International and French journalism advocacy organization Forbidden Stories claimed that Pegasus had been used well beyond its intended purpose and claimed to have accessed a list of over 50,000 phone numbers that customers of the ONS had targeted for surveillance.

Many were politicians, activists, diplomats or entrepreneurs – jobs that simply aren’t the kind of role NSO said it would let governments target with Pegasus.

More than 300 Indian residents were on the list, including opposition politicians, activists and officers of the Tibetan government in exile.

NSO offered no explanation or theory for how its promises turned to dust.

The New York Times reported that Prime Minister Narendra Modi bought Pegasus in 2017 as part of a comprehensive arms deal worth around $2 billion, but Indian politicians have resisted admitting its acquisition or use.

The mere implication that the Indian government had turned Pegasus against political opponents was dynamite and complaints poured in from those who felt targeted.

These complaints have been heard: in October 2021, the Supreme Court of India established a technical committee to investigate whether the national government had used Pegasus to target citizens illegitimately.

The Committee came into existence after the government offered to investigate itself. The Court rejected this proposal and called the Pegasus deployment allegations an “Orwellian concern”. [PDF]. She was concerned about the violation of privacy and free speech rights and was also interested in whether a foreign entity had been involved in unlawful domestic surveillance.

Political opponents have accused Indian Prime Minister Narendra Modi of treason and compromising national security, while supporters have cited “lawful interception” as justification for using the spyware.

Investigations are ongoing to find out whether state governments have also acquired Pegasus, and the software is also part of a larger data privacy debate.

“I think the conversation continues because there’s a case going on. Every time something happens in the case, the conversation picks up,” said Anushka Jain, a lawyer for the New York-based digital freedoms organization. Delhi, Internet Freedom Foundation. The Reg. His group provides legal representation to two journalists targeted by the Pegasus spyware.

Jain explained:

Logically, if NSO only sells Pegasus to governments, the malware must have either been used by the Indian government or against Indian citizens by a foreign government – ​​a point noted by politicians, think tanks and organizations at nonprofit like the Internet Freedom Foundation. Either way, they argue, the government has a responsibility to act.

As Subramanian Swamy, Member of Parliament from Rajya Sabha and member of the Bharatiya Janata Party (BJP), tweeted:

The Indian Supreme Court declared privacy as a fundamental right in 2017 based on Article 21 of the Indian Constitution. However, the bench clarified that a person’s fundamental right to privacy could be overridden by competing state and individual interests, or in other words, by lawful interception.

“The judgment was hailed as the cornerstone of privacy jurisprudence in India. It was also hailed as an opportune moment to bolster the privacy of Indian citizens at a time when digital India was accelerating “, said the Software Freedom Law Center, India. (SFLC-In) on social media.

The organization, which describes itself as “the defenders of your digital freedom”, believes that unfortunately little has changed “in terms of protecting the privacy of Indian citizens and protecting them from unfettered internet surveillance. State” since the 2017 decision.

“The fight for stronger digital rights continues and has taken a sharper turn in the wake of the Pegasus scandal, the lack of proper stakeholder consultations and the circumvention of legislative review to introduce unfettered technical solutions,” wrote SFLC-In in a Facebook post.

The laws that deal with lawful interception in more detail, the Indian Telegraph Act and the Information Technology Act, were written before spyware was even conceivable – as the mention of telegraphs.

These laws allow interception (in Section 69), but not to the point of hijacking and weaponizing a phone in the way that Pegasus makes possible.

Meanwhile, Articles 43 and 66 of the same law criminalize cybercrime and stolen computer resources.

“The Information Technology Act says hacking is illegal, and Pegasus is basically a hack because it takes over the entire phone and collects all the information on the phone, not just specific communications,” Jain clarified.

“However, this is a very broad interpretation of this provision, as it describes the hacking of a computer system, and [Indian law doesn’t have] all the provisions for a technology such as Pegasus.”

But India is debating such a bill – the Personal Data Protection Bill, 2019. The bill was harshly criticized at home and abroad and failed to pass.

Jain explained that one of the reasons for the opposition to the bill is that it provides many exemptions.

She says:

A catalyst

Jain said The register that without a strong data protection law or civil liability system, the only way for Indian citizens to go is to go to the Constitutional Court and claim that their rights have been violated.

The SFLC-In agrees that the courts are an integral part of change, which is why it also supports spyware victims in litigation.

As the organization wrote on its website:

Requesting rectification through the court system could establish the necessary laws on data protection, piracy and digital rights, creating a historic change. Of course, the laws also might not pass — or pass with inadequate protection — leaving the likes of Jain and the SFLC-In looking for the next opportunity to work for change.

As these groups continue to push for change, a new actor has also taken aim at the bill: in its annual review [PDF] of intellectual property law around the world, the U.S. Trade Representative said it could “undermine important intellectual property protections in India.” The trade representative said the bill’s flaws “are particularly acute given India’s outdated and insufficient legal framework for protecting trade secrets.”

“On this and other potential legislation affecting intellectual property, the United States encourages India to undertake a transparent process that provides stakeholders with ample opportunity to comment.”

The positions of these stakeholders are not difficult to find. Nor is there outrage at how the lack of a strong data law provides the Indian government with a loophole that could allow it to use Pegasus to target opponents.

The Indian government’s policy calls for the country’s tech companies to take on a greater role in the global industry and make extensive use of digital government services. With its proposed legislation stalled and key business partners advocating its review, both goals will be harder to achieve. ®