Date : 02/11/2023

Relevance: GS Paper3- Internal Security - Cyber Security

Keywords:Pegasus, Right to Privacy, Cyber Attack, CERT-IN, IT Act 2000

Context-

Apple has warned at least 20 prominent Indians, including opposition politicians and journalists, that they were the target of state-sponsored cyberattacks, in a development that has revived allegations that the government is using electronic surveillance against its domestic political rivals and critics.It highlights the urgent need for comprehensive surveillance reform to safeguard the fundamental right to privacy.

The Pegasus Project Disclosures

• The Pegasus Project, which came to light in July 2021, exposed the significant threats to India's democracy posed by invasive surveillance technology. This revelation uncovered the use of Pegasus, a spyware developed by the Israel-based NSO Group, to compromise the digital devices of hundreds of Indians, including cabinet ministers, opposition leaders, journalists, judges, and human rights defenders.
• Awareness of Pegasus in India dates back to October 30, 2019, when WhatsApp confirmed that the spyware had been used to exploit vulnerabilities in its platform, targeting activists, academics, journalists, and lawyers in India. Since then, the technology behind Pegasus has evolved to the point where it can infect devices without any action on the user's part, further raising concerns about unauthorized surveillance.
• Despite mounting evidence and concerns, the response from various branches of the Indian state has been marked by apathy, opaqueness, and a lack of accountability.

Response from the Executive

• The executive branch, represented by the Ministry of Electronics and Information Technology, has been reluctant to address the Pegasus Project's claims.
• However, a report by The New York Times in January 2022 contradicted these statements, revealing that India had purchased Pegasus in 2017 as part of a $2-billion defense package. This official apathy has undermined the public's trust in the government's commitment to protecting citizens' privacy.
• The nodal agency responsible for addressing cybersecurity threats in India, CERT-IN (Indian Computer Emergency Response Team), has remained silent in the face of the Pegasus revelations. While it did issue notices to NSO and WhatsApp in 2019, there have been no updates on the progress of these inquiries. This lack of transparency further erodes public confidence.

Response from the Legislature

1. In India's constitutional scheme, the legislature is tasked with holding the executive accountable. However, the practice has not aligned with this principle.
2. When the IT Committee sought to question officials from the IT Ministry and the Home Ministry about Pegasus, news reports indicated that ruling party members abstained en masse, preventing a quorum and effectively stalling the inquiry.
3. The IT Committee had previously discussed the issue in November 2019 but provided no updates on its findings. Despite repeated demands from the opposition for a discussion and a probe in each parliamentary session, these calls have gone unanswered.

Response from the Judiciary

1. When the executive and legislative branches failed to provide answers, the victims of Pegasus turned to the judiciary for redress.
2. On August 5, 2021, they approached the Supreme Court of India, presenting forensic evidence of their compromised devices. On October 27, 2021, the Supreme Court established a technical committee to investigate the use of spyware on Indian citizens
3. However, eight months have passed, and the committee has yet to present its findings. During this time, the committee has been examining the victims' phones and soliciting public input on surveillance reform.
4. An interim report was submitted on May 20, 2022, with the final report expected in late July 2022. Despite the ongoing court proceedings, the Supreme Court restrained a Commission of Inquiry, established by the Government of West Bengal, from investigating the use of spyware on residents of West Bengal on December 16, 2021.

The Lack of Accountability

1. While some have dubbed the Pegasus Project India's 'Watergate Moment,' the response in India has been far from the swift accountability witnessed in the United States during the Watergate scandal.
2. The Watergate scandal was a political controversy from 1972 to 1974, involving illegal activities by President Richard Nixon's administration. In June 1972, five burglars were arrested for breaking into the Democratic Party's national headquarters at the Watergate Hotel complex in Washington, D.C.
3. In the U.S., all branches of government acted to check the abuse of power. However, in India, the prevailing narrative is one of official stonewalling, with little accountability in sight.

International Responses

1. In contrast to India's response, other countries have taken action in the wake of the Pegasus disclosures.
2. Israel established a senior inter-ministerial team to investigate, and its Foreign Minister, Yair Lapid, pledged to prevent Pegasus from falling into the wrong hands.
3. France initiated investigations, with its cybersecurity agency confirming the use of the spyware on French citizens.
4. The United States added NSO to its 'Entity List for Malicious Cyber Activities,' imposing restrictions on U.S. companies' dealings with NSO.
5. The United Kingdom compelled the spyware company to make changes to prevent targeting U.K. numbers following revelations of its misuse.

Growing Threat of Surveillance for Hire

• The lack of accountability and regulatory oversight has led to the growth of the 'surveillance for hire' industry in India. These firms offer their services to anyone willing to pay, enabling them to spy on specified targets by hacking their devices.
• A Reuters report from June 2022 referred to these entities as "Indian cyber mercenaries" used by litigants worldwide to influence legal battles.
• One such company, BellTroX, was involved in surveillance-for-hire activities and was identified and removed from Facebook's platforms in December 2021.
• Unfortunately, there has been no official response to these revelations, much like the case with the Pegasus Project.

The Need for Surveillance Reform

1. The Pegasus Project disclosures and the Apple phone hacking case highlight the urgent need for comprehensive surveillance reform in India.
2. The existing legal framework, encompassing the Information Technology Act, of 2000, and the Indian Telegraph Act, of 1885, concentrates surveillance powers in the hands of the executive, lacking independent oversight provisions from the judiciary or the legislature.
3. These laws were established before the development of spyware like Pegasus and are inadequate in addressing modern surveillance challenges.
4. Regrettably, there are no legislative proposals from the Union Government that address surveillance reform. Even the proposed data protection law fails to tackle these concerns adequately, as it provides broad exemptions to the government, potentially shielding intelligence and law enforcement agencies.
5. The absence of robust surveillance reform measures has severely undermined India's democratic ideals and the right to privacy.

Endangered Right to Privacy

• The past year has demonstrated the pressing need for comprehensive surveillance reform. India's status in the Freedom House 'Freedom in the World' report has shifted from 'free' to 'partly free' in 2021, citing the alleged use of Pegasus as a contributing factor.
• The surveillance industry is increasingly accessible, with intrusive surveillance being employed for both civil and political purposes and commercial benefits.
• The surveillance industry is increasingly accessible, with intrusive surveillance being employed for both civil and political purposes and commercial benefits.
• Without immediate and far-reaching surveillance reform, individuals' right to privacy could become obsolete.

Recent Cybersecurity Initiatives in India:

• Cyber Surakshit Bharat Initiative (2018): Launched to raise awareness about cybercrime and enhance the cybersecurity capabilities of Chief Information Security Officers (CISOs) and frontline IT personnel in government departments
• National Cyber Security Coordination Centre (NCCC - 2017): Developed to monitor internet traffic and communication metadata in real-time to detect cyber threats.
• Cyber Swachhta Kendra (2017): An online platform for users to clean their devices from viruses and malware.
• Indian Cyber Crime Coordination Centre (I4C): Recently inaugurated by the government to strengthen cybercrime response.
• National Cyber Crime Reporting Portal: Launched nationwide for reporting cybercrimes.
• Computer Emergency Response Team - India (CERT-IN): The key agency for handling cybersecurity threats such as hacking and phishing.

International Engagement:

1. International Telecommunication Union (ITU): An agency within the United Nations focused on telecommunications and cybersecurity standards.
2. Budapest Convention on Cybercrime: An international treaty to combat cybercrime by harmonizing laws, improving investigative techniques, and promoting global cooperation.
   India is not a signatory to this convention.

Conclusion

The aftermath of the Pegasus Project disclosures in India has revealed a concerning lack of accountability and transparency. While the international community has taken steps to address the issue, India has lagged behind in responding to the serious threats posed by invasive surveillance technology. The urgent need for comprehensive surveillance reform, including updating outdated laws and establishing robust oversight mechanisms, cannot be overstated. It is imperative to protect the fundamental right to privacy and uphold India's democratic ideals in the face of evolving surveillance challenges.

Source - The Hindu