New Delhi: The Supreme Court on October 27 ordered that a committee of technical experts be set up to look into the use of Pegasus spyware against activists, journalists, opposition politicians and others, as revealed in reports by an international media consortium, including The Wire.
In its 46-page judgment, the apex court noted that the petitioners in the case had brought allegations which had serious implications for privacy and the freedom of speech and of the media, and which could not be brushed aside.
In the absence of a detailed affidavit by the Union government, which has cited national security concerns, the court ordered that the committee of three will look into the revelations and its functioning will be overseen by a retired Supreme Court judge, Justice R.V. Raveendran, who will be assisted by IPS officer Alok Joshi and cyber security expert Sundeep Oberoi.
The committee will comprise Naveen Kumar Chaudhary, Prabaharan P and Ashwin Anil Gumaste. All three are cyber security and computer science experts.
In its judgment, the Supreme Court delineated the task of the committee with two broad ‘terms of reference’. The court said that the committee will have two roles: to enquire, investigate and determine seven objectives, and also to make recommendations. The Wire breaks this down, along with information that is already in the public domain as a result of the Pegasus Project’s reporting.
What to enquire, investigate and determine
A look at the seven areas offers an idea of what the court wishes for the committee to offer insight into:
i. Whether the Pegasus suite of spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversations, intercept information and/or for any other purposes not explicitly stated herein?
The Wire’s reports as part of the Pegasus Project had highlighted how digital forensic analysis conducted by Amnesty International’s Security Lab found that the phones of a dozen people were either targeted or had been infected by Pegasus spyware, sold by Israel’s NSO Group.
These journalists and activists were part of hundreds whose numbers featured in a list of probable targets of the spyware.
While it is yet unclear as to what end the spyware was used, the following video attempts to offer an idea of the avenues in which it can work:
ii. The details of the victims and/or persons affected by such a spyware attack.
The Wire has revealed as many as 161 names of heads of state, political figures, activists, students, lawyers and journalists, among others, who could have been potentially affected by the spyware.
A small cross-section of these phones was forensically examined to find traces of Pegasus. These individuals include journalists from The Wire, Siddharth Varadarajan and M.K. Venu, poll strategist Prashant Kishor, other journalists like Sushant Singh, Paranjoy Guha Thakurta, and S.N.M. Abdi, DU professor S.A.R. Geelani, Kashmiri separatist leader Bilal Lone and lawyer Aljo P. Joseph.
iii. What steps/actions have been taken by the Respondent Union of India after reports were published in the year 2019 about hacking of WhatsApp accounts of Indian citizens, using the Pegasus suite of spyware.
This is a point highlighted by senior advocate Kapil Sibal, lead counsel for the petitioners, in the course of the current hearings as well.
Sibal had submitted that in 2019, when certain reports of Pegasus hacking WhatsApp came to light, the then law minister had acknowledged the reports of hacking in parliament, but the Union government did not indicate if and what actions were taken subsequently. This was information “they could have disclosed on affidavit,” Sibal has argued.
In the recent past, India has attempted to backpedal on acknowledging this attack at all, despite records noting the Union government’s admission of such an attack having taken place.
India’s current IT minister Ashwini Vaishnaw, meanwhile, claimed in parliament, “In the past, similar claims were made regarding the use of Pegasus on WhatsApp, those reports had no factual basis and has been denied by all parties…”
As The Wire has reported, this was a misleading claim, as his own ministry has provided replies to RTI queries and parliament questions in the past, acknowledging the 2019 attack.
iv. Whether any Pegasus suite of spyware was acquired by the Respondent Union of India, or any State Government, or any central or state agency for use against the citizens of India?
As the NSO Group, which sells Pegasus, has claimed that it only sells to “vetted government” clients, this is one of the chief questions surrounding the Pegasus Project reports.
Notably, the government has – much to the ire of the Supreme Court – desisted from offering details that could answer this question, citing national security.
The following areas, too, attempt to delve deeper into this aspect of citizens’ privacy and whether the government has interfered with it.
v. If any governmental agency has used the Pegasus suite of spyware on the citizens of this country, under what law, rule, guideline, protocol or lawful procedure was such deployment made?
vi. If any domestic entity/person has used the spyware on the citizens of this country, then is such a use authorised?
We don’t know what conclusion the committee will come to in regard to this question, but experts say that the use of Pegasus is most likely illegal as its sheer scale of enveloping all functions of an individual’s smartphone goes against the protections that Indian laws themselves offer citizens.
The Internet Freedom Foundation’s Apar Gupta, for one, has noted that protections under the Information Technology Act prohibit hacking and make it a criminal offence. These are clauses which the insertion of the spyware could contravene, if proven true.
vii. Any other matter or aspect which may be connected, ancillary or incidental to the above terms of reference, which the Committee may deem fit and proper to investigate.
What to recommend:
The Supreme Court has also equipped the committee to make recommendations in the following areas, quoted from the judgment:
i. Regarding enactment or amendment to existing law and procedures surrounding surveillance and for securing improved right to privacy.
ii. Regarding enhancing and improving the cyber security of the nation and its assets.
iii. To ensure prevention of invasion of citizens’ right to privacy, otherwise than in accordance with law, by State and/or non-State entities through such spywares.
iv. Regarding the establishment of a mechanism for citizens to raise grievances on suspicion of illegal surveillance of their devices.
v. Regarding the setting up of a well-equipped independent premier agency to investigate cyber security vulnerabilities, for threat assessment relating to cyberattacks and to investigate instances of cyberattacks in the country.
vi. Regarding any ad hoc arrangement that may be made by this Court as an interim measure for the protection of citizen’s rights, pending filling up of lacunae by the Parliament.
vii. On any other ancillary matter that the Committee may deem fit and proper.
The procedure of the committee:
The apex court has also delineated in some detail the mode of functioning that the committee will have and the powers that it can employ.
The committee has been authorised by the court to devise its own procedure to effectively implement and answer the above 13 terms of reference, to hold any enquiry or investigation as it deems fit and to also take the statements of any person in connection with the enquiry. It can also call for the records of any authority or individual within the scope of its probe.
Justice Raveendran, as the overseeing judge, will be at liberty to take the assistance of any serving or retired officers, legal experts or technical experts in the discharge of his functions.
The court has also requested Justice Raveendran to fix the honorarium of the members of the committee in consultation with them. It has directed the Union government to pay this honorarium immediately.
The court has directed the Union and all state governments, along with all agencies and authorities under them, to extend their full facilities – including support with respect to infrastructure needs, manpower, finances, or any other matter as may be required by the committee or the overseeing former judge – “to effectively and expeditiously carry out the task assigned to them.”
The court directed Virendra Kumar Bansal, the officer of special duty/registrar of the Supreme Court, to coordinate between the committee, Justice Raveendran, the Union and state governments to ensure communication, smooth functioning, expeditious response to and implementation of the requests made by the committee, the overseer and those tasked with assisting him.