Pegasus In The Room: Law Of Surveillance And National Security’s Alibi – Analysis
By Observer Research Foundation
By Nishant Sirohi
“Surveillance is not new, but technology has permitted surveillance in ways that are unimaginable,” noted Justice Sanjay Kishan Kaul, in his conclusion in the Puttaswamy judgement that declared a fundamental right to privacy.
Pegasus, a modern surveillance tool developed by Israel’s NSO group, can tap phones, listen to encrypted audio streams, and read encrypted messages. Data released by the Pegasus Project consortium confirms Pegasus spyware targeted hundreds of verified phone numbers of Indian journalists, political leaders, constitutional heads, dissidents, activists and private individuals. The Pegasus scandal has shaken the very foundations of Indian democracy and raised questions about the extent to which national security can be used as a defence by the State for surveillance of its citizens. The answers to these questions will shape individual rights, democratic and constitutional establishments, and the Indian polity in the years to come.
The law of surveillance in India is nascent when it concerns advanced surveillance technologies like Pegasus. However, the current legal framework provides some safeguards to the fundamental right to privacy, allowing proportionate derogation only in national, not in private, interest. This piece argues that the national security alibi is infructuous in the Pegasus scandal. The government should adhere to international democratic norms governing surveillance technology.
Law and Rules of Surveillance in India
Israel’s NSO Group, the cyber-arm firm which created Pegasus, in its statement maintained that they sell the snooping malware only to vetted governments and intelligence agencies. On being questioned, the Union Government has not admitted to dealing with the NSO group or using the Pegasus spyware. However, the Union Minister for Information Technology, Ashwini Vaishnav, stated in the Parliament that, “there are established procedures and protocols through which lawful interception of electronic communication is carried out for national safety and security”.
He referred to Section 5 (2) of the Indian Telegraph Act, 1885 (IT Act, 1885), Section 69 of the Information Technology Act, 2000 (IT Act, 2000) and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (IT Rules, 2009) as established procedures for lawful interception by the competent authorities.
- Section 5 (2)
The right to privacy in the context of surveillance was first argued in 1996 in People’s Union for Civil Liberties (PUCL) v Union of India. PUCL filed a Public Interest Litigation challenging the constitutional validity of Section 5(2) of the IT Act, 1885, which allows interception by authorised agencies. The Supreme Court declined to strike down the provision as unconstitutional; however, the court, shielding the right to privacy, stressed that any interception by a public authority should satisfy two statutory preconditions, i.e., ‘public emergency’ and ‘interest of public safety’.
In 2017, the PUCL judgement was upheld by a nine-judge bench of the Supreme Court of India in Justice K S Puttaswamy (Retd) and Anr. v Union of India and Ors that declared the Right to Privacy to be fundamental right. The court premised the ruling on the principle that, “Privacy is the ultimate expression of the sanctity of the individual”. Furthermore, the court observed that any restriction on the right to privacy must satisfy the “principle of proportionality and legitimacy,” i.e., the restriction must be backed by law for a legitimate state aim and be proportionate.
The Bombay High Court scrutinised the applicability of the right to privacy for protection against surveillance in 2019 in Vinit Kumar v Central Bureau of Investigation and Ors. The High Court reiterated the necessity of fulfilling the threshold of ‘public emergency’ and ‘interest of public safety’ for interception under Section 5(2) of IT Act, 1885 and ruled that any evidence procured in violation of law will not be admissible in court.
- Section 69
Section 69 of the IT Act, 2000 empowers competent authorities, with reasons for interception recorded, to place an interception device, provided, “it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence”. However, Section 69 does not authorise any agency to install spyware to hack a mobile device for this. In fact, Section 66, read with Section 43 of the IT Act, 2000, criminalises the hacking of a device.
- IT Rules
The government revised the IT Rules in December 2018 on the pretext of improving transparency and accountability and tackling crime and terrorism. Through a Statutory Order, the government designated 10 central agencies as “security and intelligence agencies” and authorised them to intercept, monitor and decrypt “any information generated, transmitted, received or stored in any computer”. The rules also define the terms ‘intercept’, ‘monitor’ and ‘decrypt’.
The State draw rules to decide how a specific provision in the primary statute will be operated. These rules become the delegated legislation created by the State. The government used this inherent power to tweak the IT Rules, 2009; downgraded the safeguards for individual’s privacy; crafted all-encompassing definitions authorising the use of hacking tools like Pegasus and gave blanket surveillance powers to agencies that are not even responsible for national security, e.g., the Delhi Police and the Directorate of Revenue Intelligence. These agencies now collect data without legislative or judicial oversight under the powers conferred in Section 69 (1) of the IT Act, 2000, read with Rule 4 of the IT Rules, 2009.
The government changed the purpose and objective of the law in the statute book and the context in which it is implemented and now using these revised rules as a legal backup for surveillance of citizens through hacking tools like Pegasus.
In the Name of Security
The Union Minister in Parliament reasoned national safety and security for lawful surveillance and referred to the Ministry of Home Affairs’ response to a 2019 RTI as a “sufficient” basis to deny claims of any “association” between the Government of India and Pegasus. However, the Home Ministry’s 2019 response neither confirmed nor denied the use of Pegasus.
Transparency and accountability being foundations of a democratic government, it is essential to balance national security with democratic freedoms and constitutional rights, i.e., the right to privacy, the right to information, and press freedom. The Right to Information Act, 2005 (RTI Act, 2005) should achieve this goal, but in the past couple of years, public authorities have denied more information than shared on pertinent issues citing the justification of ‘national security’. Section 8(1) of the RTI Act, 2005 lays down the proviso related to national security, albeit indirectly. Public authorities are required under Section 8 (2) and (3) to furnish all information that is for larger public interest and is not restricted by the Official Secrets Act, 1923.
None of the central legislation defines the term ‘national security’, including the National Security Act, 1980. The government, without defining the term, is continuing to expand the concept to include internal matters. In Venkatesh Nayak v Ministry of Home Affairs, the government said, “National Security covers not only the matters concerning defence and foreign relations but also political and economic stability as well as public order”. Now the government invokes the alibi of national security regularly to deny access to information and shut down dissenters, using it to violate accountability and transparency.
For a democracy to function well, citizens need access to information. However, what happens when the government and its agencies curtail the freedom and rights of the citizens in the garb of national security by deploying spyware for widespread mass surveillance of prominent Indians? To remove arbitrariness, the functioning of public agencies should be made more transparent and accountable, as without legislative or judicial oversight, the disproportionate use of powers would destroy constitutional freedoms and guarantees.
As a democracy, we should comply with the democratic norms and values on which global systems rest, even if not legally enforceable. On surveillance, national security, and access to information, two international instruments could be helpful: International Principles on the Application of Human Rights to Communication Surveillance, 2013, and Tshwane Principles on National Security and the Right to Information, 2013.
The 2013 Principles on Communication Surveillance articulate what international human rights law requires of governments in the digital age, and provide a mechanism to evaluate and change domestic laws to ensure a human rights-based approach and safeguard against surveillance by law enforcement agencies. The 2013 Tshwane Principles provide detailed recommendations on balancing national security and public access to information. The Principles reverse the onus of proof, of why the information should be released or withheld, from an individual to the government.
Parting note
The government is accountable for protecting constitutionally guaranteed rights; therefore, cybersecurity breaches need an independent inquiry. India immediately needs to enact a data protection law that upholds the constitutional right to privacy. The current surveillance laws already provide conditions under which surveillance is permissible; however, the IT Rules that misconstrue the law’s objectives need to be revoked. Surveillance technologies that are invasive beyond reasonable limits, like Pegasus, should be banned. Reforms are also required to ensure judicial oversight over public agencies.
The views expressed above belong to the author(s).
