- Pegasus, codename for Q suite, is a spyware, developed by an Israel based cyber security firm named as NSO Group.
- It aims at assisting its clients in keeping track of any person suspected to be involved in terrorist or any other criminal activities, which is or can be a threat to the security of the State.
- It gets installed in the mobile phones of the targets without their knowledge and turns the device into a surveillance mechanism.
- It is the duty of the State to develop an impenetrable cyber environment which can prevent such massive spyware attacks as done by the Pegasus spyware and punish those who attempt to do so.
- As members of the legal fraternity, it is pertinent that we know about this spyware attack and the impact it has on our rights and the remedies that can be sought in this regard.
In the past few days, a news item has taken the nation by storm: a leaked report which claims that various phone numbers across the world were hacked by a spyware codenamed as Pegasus, and out of those numbers, some numbers are related to various high-profile Indians, be it ministers, opposition leaders, bureaucrats, journalists etc. This leak has caused a massive upheaval in the political system, with the opposition leaders disrupting the Parliamentary proceedings, causing the Presiding officer to adjourn it as soon as it starts, with some opposition party members going to the extent of seeking immediate resignation of the Minister of Home and Internal Affairs and an independent probe into the role of the Prime Minister in this snooping incident.
WHAT IS PEGASUS
Pegasus, codename for Q suite, is a spyware, developed by an Israel based cyber security firm named as NSO Group, which aims at assisting its clients in keeping track of any person suspected to be involved in terrorist or any other criminal activities, which is or can be a threat to the security of the State. While the company maintains that it is a software which is capable of secretly unlocking the contents of a target’s mobile phone and transforms it into a listening device, it is used only for the purposes of ensuring protection of the State. However, there have been various reports alleging that this spyware has been used to spy on various people and read their personal information including their calls, texts, video chats and so on. It gets installed in the mobile phones of the targets without their knowledge and turns the device into a surveillance mechanism, allowing the attacker to gain complete access to the device’s messages, emails, media, microphone, camera, calls and contacts, to the extent of turning on the microphone or the camera anytime they want. It can get installed with something as simple as a missed WhatsApp call, or a text message laced with a malicious link which can download and replicate itself into the device without any human intervention. According to Amnesty International, which carried out a technical and forensic analysis of many infected phones, they have observed instances of Pegasus infecting devices with a ‘zero-click’ operation, meaning that the victim does not need to interact with the malicious link.
THE PEGASUS CONTROVERSY
As stated above, contrary to the official stance of its developer organization on the use of the spyware, there have been various incidents where the spyware was used to spy on various persons who were unfavourable to the establishment like prominent journalists, seasoned bureaucrats etc. So a Pegasus Project was formed to look into the matter, which was a collaboration of more than 80 journalists from 17 media organizations in 10 countries coordinated byForbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, who conductedcutting- edge forensic testson mobile phones to identify traces of the spyware. It analysed a leaked database which consisted of more than 50,000 contact numbers and made some startling discoveries, one of which was the use of the spyware in the case of the murder of the Saudi journalist, Jamal Khashoggi, in which it was found that his family members were spied upon before and even after his death in 2018.
Another discovery made by the Pegasus Project was the presence of various Indian contact numbers in the list of people potentially hacked by the use of the software. Various politicians like Rahul Gandhi, Ashwani Vaishnav, former Election Commissioner of India, Mr. Ashok Lavassa, along with various prominent journalists, including senior editors of the Wire, which was one of the collaborators in the Pegasus Project and declared critics of the current regime.
This breaking news has shaken the nation, with not only the political dog fight between the ruling party and the opposition it has led to, but also due to some serious issues raised in its wake, relating to State sponsored intrusion into the private life of the people and has also raised the question as to what extent can a government be allowed to use such measures in the name of ensuring national security?
The question of state sponsored intrusion arises from the fact that, as stated by the NSO Group, its products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror. So if the Pegasus spyware can be purchased only by the government of a State, by analogy, it means that it can be used only by the government officials or other law enforcement agencies under the control of the government. This spyware is used to spy on the people which means that either the government itself has done it, or that it was an accomplice to it in one way or the other. The direct implication of such an act would be the infringement of the Fundamental Right to Privacy, which is an integral part of Article 21 of the Constitution of India, and such infringement occurring due to an act of the State, which is responsible to provide the right, does indeed give birth to a constitutional crisis. Not only is the right to life and personal liberty infringed by such acts, the freedom of movement, as provided under Article 19(1)(d), also stands infringed.
According to Justice Subba Rao in the case of Kharak Singh v. State of Uttar Pradesh (AIR 1963 SC1295), surveillance, if intrusive and seriously encroaches on the privacy of citizen, can infringe the freedom of movement, guaranteed by Articles 19(1)(d) and 21. Though it was a minority opinion in that particular case, this judgement has paved way for a plethora of future judgements, culminating into declaring the right to privacy as an inherent part of Article 21 of the Constitution of India.
This means that any surveillance which negatively intrudes in the lives of the people should be unconstitutional. But the general opinion of considering individual privacy to be subservient to ensuring security of State has given the government a leverage to not abandon such activities and rather relentlessly pursue them to achieve their sinister goals.
Further, there is also a notion that not all surveillance or hacking (a general term) can be termed as illegal. There is a difference between hacking as a national security obligation and hacking to achieve some illegitimate ends. A hacker generally means any person who secures illegitimate access to the computer of other person to gather data etc. But with the evolution of White-Collar Hacking, or Ethical Hacking as it is commonly called, which relates to securing such illegitimate access to achieve some lawful purpose, the concept of hacking has gone through some changes. Section 43 of the Information Technology Act, 2000 seeks to define the offence of hacking. It earlier used the word ‘Hacker’, but after the 2008 Amendment, the language of the section was altered in accordance with the evolved meaning of the word. Sec. 43 says that ‘If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, secures access, downloads copies of data, alters the data. etc., would be liable to pay damages to the aggrieved.
It must be noted here that the offence mentioned under Section 43 can lead to two kinds of liabilities:
• A Civil liability i.e. by way of damages to be paid as compensation to the aggrieved party as mentioned under Section 43 itself. In case of a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, fails to protect the data from any malpractice, it shall be liable to pay damages by way of compensation to the aggrieved party under Section 43A of the Act.
• A Criminal liability i.e. imprisonment of maximum 3 years or with fine which may extend to five lakh rupees or with both under Section 66 of the IT Act 2000.
But, for a criminal liability to arise under Section 66, it must be proven that the acts mentioned under Section 43 were done dishonestly or fraudulently, meaning that while the civil liability can be imposed on any hacking in general, criminal liability can be imposed only if the act is done with a malafide intention.
In addition to this, there are various penal provisions which can be applied in case anyone tries to gain access to our computer system and the data in it for unlawful purposes, as it was held by the Supreme Court in Jagjit Singh v. The State of Punjab (Special Leave to Appeal Crl. No(s). 3583/2021) that apart from being liable under the provisions of the Information Technology Act, 2000, a person shall also be liable under the provisions of the Indian Penal Code, 1860.
• Section 378 of the Indian Penal Code, 1860, which deals with theft of movable property, as the data in a computer system can be considered to be the property of the person (if the ambit of the term movable property as under Section 22 is enlarged to include incorporeal property like intangible data). It can lead to 3 years imprisonment or fine or both.
• Section 424, which deal with dishonest or fraudulent removal of property. Conviction under this can lead to 2 years imprisonment or fine or both.
• Section 425, which deals with mischief (causing wrongful loss or damage to a person). It can lead to 3 months imprisonment or fine or both.
• Section 441, which deals with criminal trespass, as a computer system can be considered as the property of the person in whose possession the computer system is or who shall be aggrieved if any damage is done to the data in a computer system as a result of hacking activities.
Apart from the above-mentioned provisions, there are various other provisions, both under IPC and IT Act which can lead to punishment of a hacker. Therefore, it can be said that there are some safeguards against individual hacking, or a hacking at a smaller level. But as things stand, there is no robust mechanism to deal with a massive intrusion like that done by Pegasus spyware, especially if it takes place with the support of the government.
On the basis of the facts and statutes considered, we can come to the conclusion that it should be the pressing priority of the administration to frame such laws and develop an impenetrable cyber environment which can prevent such massive spyware attacks as done by the Pegasus spyware and punish those who attempt to do so. Even though the level of intrusion that actually took place, is still uncertain, but and the role of the government in this entire scandal raises some serious questions, because if the government was an accomplice to this intrusion, it not only defrauded the people of the country, but have also maligned the spirit of Constitutionalism as practiced in our country. While even if it was not a part of this scandal, still the attack took place, and this highlights the incompetence of the administration, as securing the State from such attacks to its sovereignty was meant to be the fundamental duty of the government. It is high time that the Hon’ble Supreme Court takes some serious steps in this regard and punishes all those who were involved in this scandal. As for the people of the country, who may or may not have suffered due to this attack, we need to make sure that we take all feasible measures to protect our data because in this digital age, nothing is actually secure, because at some point or the other, we all have to divulge some of our information on the internet which may fall into wrong hands, spelling our doom. For the sake of our country, let us hope that our government was not involved in this scandal, because otherwise, it has given birth to its own 21st Century version of the infamous Watergate Scandal.