‘Pegasus’ spyware and Data security

• Messaging platform WhatsApp had been sued by the Israel-based NSO Group, for alleged usage of the ‘Pegasus’ spyware on thousands of its (WhatsApp) users in the lead-up to the general elections.
• WhatsApp had accused the NSO Group of misusing their platform to send Pegasus for surveillance purposes to nearly 1,400 devices and mobile phones worldwide.
• The Israel-based NSO claims that they only sell the software to governments, but the Indian government had denied purchasing the spyware and had asked WhatsApp to describe the security breach.
• Phones of several dozens of Indian lawyers, journalists, and human rights activists had been compromised using invasive Israeli-developed malware known as Pegasus.
• About 121 people had been targeted in India alone.

Pegasus

• Pegasus is spyware that was developed by the NSO Group & Israeli cyber arms firm.
• Pegasus can be installed on devices running certain versions of Apple and iOS mobile operating systems.
• Pegasus spyware is competent enough of reading text messages, collecting passwords, tracking calls, tracking the location of the phone, accessing the target device’s microphone(s) and video camera(s).
• Apple had released a new version of its iOS software to fix the vulnerabilities of such spyware.
• As the news of the Pegasus spyware got significant media attention, the spyware was termed as the “most sophisticated” Smartphone attack ever.

Surveillance laws in India

• Indian Telegraph Act of 1885 deals with the interception of calls in India.
• The Information Technology (IT) Act of 2000, deals with the interception of data. 
• Under both the Indian Telegraph and Information Technology laws, only the government of India under certain circumstances is allowed to conduct surveillance and not private actors.
• Hacking is strictly prohibited under the IT Act of 2000.
• IT Act covers the civil and criminal offenses of hacking and data theft.
• Punishment for illegally receiving the stolen communication or computer resource would attract imprisonment for a term which might also extend to three years.

Judgments:

• The Supreme Court of India in 1996 had highlighted an important point that there was a lack of procedural safeguards in the Indian Telegraph Act. Supreme Court of India had also laid down some important guidelines that were later codified into rules in the year 2007. This encompasses a specific rule that orders on the interceptions of communication should be issued only by the Secretary in the Ministry of Home Affairs.
• Under the IT Act of 2000, only the competent authority has the right to issue an order for the interception, monitoring, or decryption of any information received, generated, stored or transmitted, in any computer resource (mobile phones would count).
• The Central government in 2018 had created an uproar when it authorized around 10 Central agencies to conduct surveillance. This particular move of the Union government has been challenged in the Supreme Court of India.

Privacy

• The Supreme Court of India’s landmark decision in the year 2017 unanimously upheld the Right to Privacy as a Fundamental Right under Articles 14, 19, and 21 of the Indian Constitution. 
• Data Protection Committee that is under the retired Justice B.N. Srikrishna had held public hearings across India, and it had submitted a draft data protection law-draft law that does not deal sufficiently with the surveillance reform.

• Electronic surveillance is regarded as a search under the Fourth Amendment that safeguards individuals from unreasonable search and seizure. Thus the government of India has to obtain a warrant from a court in each case, and it has to crucially establish a likely cause to believe that such a search is justified.
• After the 9/11 attacks in the year 2001, the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept & Obstruct Terrorism) Act was passed. 
• Concerning certain provisions in this Act, the government of the USA had used phone companies to gather data of millions of citizens, and these were part of the revelations were made by the whistleblower Edward Snowden in the year 2013.

Report

• In the year 2019, the U.K.-based security survey, which had already been conducted in 47 countries, had found that only five countries had adequate safeguards, and many countries are actively conducting surveillance on their citizens, and they are sharing data about them with third parties. China and Russia were featured as the top two worst offenders on this list. 
• India is in 3rd position because of its data protection bill, and it is yet to take any effect. In India, there is no data protection authority in place.