What we know so far is that the technology that allowed such forces to snoop in on individuals that were considered problematic by the state, was a spyware programme called Pegasus, supplied by the Israeli NSO Group. As many as 50,000 phone numbers were part of this list, which was analysed by a global consortium of news organisations, called the Pegasus Project. The list also reportedly contains the phone numbers of over 40 Indian journalists, activists, Opposition leaders, two union ministers, former Congress chief Rahul Gandhi, election strategist Prashant Kishore and even former election commissioner Ashok Lavasa.
The modus operandi employed by the spyware software involves hacking into an individual’s phone to access messages, photos, emails as well as record telephone conversations and turn on the phone’s microphones covertly. The Indian government has sought to downplay the allegations thrown up by the Project, invoking the Personal Data Protection Bill, 2019 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. The government’s note regarding the use of Pegasus for surveillance revisited the previous claims that alluded to the Centre’s role in snooping in on WhatsApp chats of activists and reporters. The NSO group clarified that the Indian phone numbers reportedly targeted for surveillance by the government with its software was decided by the government and not them. This brings up an even more troubling issue – that the government does not seem to differentiate between surveillance and hacking.
As per the rules governed by Section 5(2) of the Indian Telegraph Act, 1885 and Sec 69 of the IT (Amendment Act) 2000, a request for a lawful interception of electronic communication can be made by the state or the Centre for national security reasons i.e. in the event of a public emergency or in the case of public safety requirements. The Union Home Secretary in turn has to approve each instance of interception, monitoring and decrypting. In the state governments, these powers are vested with a competent authority as per IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009. However, nowhere does illegally planting software that can invade one’s phone and even operate the camera function feature in these rules. And while there seems to be a plethora of rules and regulations in place to authorise surveillance in India, there are none that allow individuals to challenge it.
In addition to matters of privacy, the use of public funds, possible misuse of government agencies and the criteria used to declare someone as being a threat to national security need to be questioned. Above all, when the government launches a stealth attack of this nature on all four pillars of democracy, it’s time to move beyond questions, and get some answers.