On October 27, the Supreme Court of India appointed an independent committee to inquire into charges that the Union government had used the mobile phone spyware Pegasus to invade, access, and snoop into devices used by India’s citizens.
Objective
The court has also asked the committee to make recommendations on a legal and policy framework on cyber security to ensure the right to privacy of citizens is protected.
These range from determining who procured Pegasus and whether the petitioners in the case were indeed targeted by use of the software, to what laws justify the use of such spyware against citizens.
Why a Committee:
The case involves technical questions, and requires extensive fact-finding for the court to determine whether fundamental rights were violated, and to pass suitable orders.
The Centre’s refusal to file an additional affidavit means the court will require more assistance from the committee.
Challenges with the court direction:
There is no guarantee that a government that chose to remain silent before the Court will now somehow come clean before an external panel. The question then is this: should the Government fail to cooperate, how must the Court respond?
The cases also posed another hurdle: a contest over facts. The petitioners were asserting the occurrence of illegal surveillance. The Government was offering no explicit response to their claims. How then was the Court to unravel the truth?
Ad hoc committees — sterling as their members might be — cannot be the solution. Far too many cases are consigned to the back burner on the appointment of external panels, and, in the process, civil liberties are compromised.
Criteria for Surveillance in India:
the judges hold, “indiscriminate spying on individuals cannot be allowed except with sufficient statutory safeguards, by following the procedure established by law under the Constitution.”
first, the action must be supported by legislation;
second, the state must show the Court that the restriction made is aimed at a legitimate governmental end;
third, the state must demonstrate that there are no less intrusive means available to it to achieve the same objective;
finally, the state must establish that there is a rational nexus between the limitation imposed and the aims underlying the measure.
About Pegasus:
It is a very sophisticated spyware, which can remotely infect a very wide range of devices, without any action on the target's part.
Most mobile spyware is installed by getting hold of the physical device or via phishing.
For instance a text message/WhatsApp/e-mail with a malicious link is sent, and the target gets infected when he or she clicks on that link. Pegasus can be transmitted this way.
More importantly, Pegasus can infect mobiles by sending malicious WhatsApp messages, without any actions being necessary on the target's part.
NSO has, in fact, been sued by WhatsApp for exploiting this vulnerability.
Pegasus can also be spiked into the target's phone from a nearby base transceiver station (BTS). BTS is standard equipment used by telecom service companies to route and re-route signals.