Pegasus and laws of surveillance in India

The re-emergence of Pegasus has brought us back to the drawing table, forcing us to understand what the laws have to say about it. Alleged reports of Pegasus being used came to light a few months back, raising privacy concerns once again.

NSO Group has repeatedly denied these allegations, saying it only sells the software to government entities. In fact, selling spyware like Pegasus requires the buyer to obtain an export license from the Israeli Ministry of Defense.

What the laws state

As per the law, communication surveillance in India functions under two laws; the archaic Telegraph Act, 1885 and the Information Technology Act, 2000. Out of these two, the IT Act, 2000 purposefully deals with acts of surveillance done through electronic communication, after the Supreme Court had intervened in 1996. The SC verdict also mentioned the government can only tap phones in case of “public emergencies.” Apart from this, the country's legislation has yet to frame concrete laws that govern the deeper aspects of modern surveillance, like Pegasus.

We all have a definite idea about the potential of spyware like Pegasus, which was developed to monitor anomalies and threat vectors. Using Pegasus, agencies can allegedly infiltrate any mobile device, take over a person's phone, all without the target's knowledge. There are several stringent frameworks and laws against such misuse of surveillance.

For starters, installing spyware like Pegasus goes against the surveillance or IT laws that are functioning in the country. It's illegal as per Section 69 of the IT Act, 2000 which says, hacking of any kind (physical or through computer virus) is prohibited, and a criminal offence. All this leads to only one conclusion, hacking via Pegasus spyware is not only unconstitutional but illegal as well. All these are strong grounds for a court hearing, but it is a lengthy process, and it could take a significant time before there is clarity on how things will be handled from there.

Need for wholesale changes

It goes without saying that the definition of surveillance has to be reworked to meet the current challenges. Where technological advancements have allowed surveillance to become invasive, change in laws is imperative to help people trust the judiciary and their fundamental rights, which includes Right to Privacy, among others.

Privacy under the scanner

The Personal Data Protection Bill, 2019 (PDP) would have been the perfect legal redressal for those affected by spyware like Pegasus if it had made its way to the public without any revisions. But as things stand, the bill is yet to clear the house, and even then the provisions made in the bill give law enforcement agencies a clean chit to investigate and process personal data without any consequences. The purpose of the bill is to protect citizens from future surveillance or data mishaps.

Pegasus has opened the dialogue around surveillance once again. The alleged use of spyware clearly highlights the need to update the laws, and structure them pertaining to the needs and trends of the current era. IT laws in India still limit their jurisdiction to legacy mediums, and interceptions/hacking via spyware needs to become a core part of the subject matter.

In addition to that, laws need to clearly amend that any data accessed forcefully or illegally will not be admissible in the court because it is imperative that an individual has a legitimate chance to contest their persecution under the purview of the law. Such measures will enforce the belief that law enforcement agencies are aware of the consequences for their actions.

This article has been written by Kunal Bajaj, Chief Business Officer, eSec Forte Technologies