#1 What should the State be allowed to do when someone is pegged as "sus"?
The Pegasus spyware allegations highlight the importance of safeguards and accountability in data governance frameworks.
Background
The Pegasus spyware, developed by the Israeli NSO Group, made headlines after an exposé by multiple news organizations including The Washington Post suggested that a number of prominent Indian politicians, journalists, and other public figures had their mobile phones compromised by the software.
Besides the original articles in The Washington Post linked above, some of the coverage in the Indian media can be found here (The Hindu, The Print, Republic World). The Print also provides some background about Pegasus here.
Surveillance and Scrutiny
In his book, Future Politics, Jamie Susskind warns that
In the future, being scrutinized will become the norm … [a]nd those who control the means of scrutiny … will enjoy a great increase in power over the rest of us
The first, and direct, effect of scrutiny Susskind considers is that it makes easier the gathering of information that can be used to subject others to power more effectively.
The second, and more subtle, effect is that the knowledge a person has of being scrutinized itself makes the person behave in different ways. Vrinda Bhandari and Renuka Sane [1] also talk about the “loss of breathing space” and the “chilling effect on free speech” that can result from inadequate privacy protections, and how that could leave citizens vulnerable to “modulation by powerful commercial and political interests”.
This leads us to the following questions:
Who controls the means of scrutiny (i.e. the Pegasus spyware, for the purposes of this article)?
Are there any safeguards in place to protect citizens? Are they adequate?
The rest of this article will aim to discuss these questions.
Who controls Pegasus?
As mentioned above, Pegasus has been developed by the NSO Group, an Israeli company that specializes in cyber-intelligence. However, they are at pains to state that
To be clear, we do not operate this technology. We license it only to the law enforcement and intelligence agencies of sovereign states. Nor do we have any knowledge of the individuals whom states might be investigating, nor the plots they are trying to disrupt … It is used with specific, pre-identified phone numbers, one at a time.
Since Pegasus is licensed solely to sovereign states and state agencies, it is these state customers that are in “control” of Pegasus.
The NSO Group limits the number of instances in which Pegasus can be used in order to “reduce the risk it will be used for reasons other than legitimate law enforcement”. However, NSO also admits that they do not have visibility into specific operational uses unless access is granted by the customer. Such access is required in the event of an investigation into misuse, as per the contract agreed upon between NSO and the customer.
But how effective is such a contract? And how is it enforced?
From the NSO Transparency and Responsibility Report, 2021, the contract essentially requires customers to comply with their local laws, respect human rights, and not target individuals in a discriminatory manner while using the system, and to use the system only to prevent terrorism and serious crimes.
If NSO receives notice of customer misuse, it investigates the allegation and takes remedial action which could include terminating access to the system, in which case the customer might be required to delete all (physical or electronic) copies of data obtained using the system.
However, it is not clear how it would be possible to enforce customer deletion of all data. NSO themselves mention that their customers’ confidentiality requirements cannot be breached even on identification of product misuse. This suggests that while NSO can remove access of the customer to the system, they cannot do much else. In such a scenario, the major deterrent to a state customer is just the loss of access to the system for future surveillance.
Are there safeguards against spyware?
There has been considerable outrage across the world in the wake of these allegations. The UN High Commissioner for Human Rights Michelle Bachelet released a statement expressing alarm at the violations of human rights through government use of surveillance technology, and pointed to the “need to better regulate the sale, transfer and use of surveillance technology and ensure strict oversight and authorization”.
Internet spyware and malware have been around for a while, and have always been on the shadier side of legality on the web. There are laws in different countries that crack down on unauthorized access to computers (such as the Computer Fraud and Abuse Act (CFAA) in the USA, the Computer Misuse Act in the UK, and the Information Technology Act in India). In fact, WhatsApp is suing the NSO Group in the California District Court for contravention of the CFAA, among other laws. NSO’s defence in this case has largely centered on its claim to “foreign sovereign immunity”, on the grounds that it merely licenses its software to States.
The game changes when it is the State which is performing surveillance. The State is usually given certain powers to surveil its citizens in the interests of national security, though often in conjunction with checks and balances. In the USA, for example, surveillance, electronic or otherwise, must be preceded by obtaining a warrant from a court and establishing probable cause. In India, however, both the Information Technology Act, 2000 and the recent Personal Data Protection Bill, 2019 have been flagged as giving the State a wide ambit to obtain data on individuals without adequate safeguards to counter possible authoritarian leanings (see opinions here and here, for example). As things stand, there is a lot of grey area as to how far the government can go with surveillance. We must secure our footing before we start down the slippery slope towards a surveillance state.
Data is rarely constrained to national borders. It is getting easier for bad actors, including states, to gain access to sensitive and private information, and the Pegasus allegations serve to highlight this. It might be worth considering, along the lines of the UNHCHR, the establishment of international bodies to oversee and authorize the sales of such technology, and to sanction their misuse. At the same time, it is easy to see that maintaining the independence of such bodies, including keeping them free from the influence of the powers that be, will be no mean feat.
Domestically, as India moves towards the adoption of significant new data protection rules and updates its laws for the information age, it is important that we stay aware, and discuss proposed policy measures — from the benefits in the best-possible scenario, right up to the consequences we would face in the worst-possible one. We need to find a balance that can achieve national security while also securing citizens’ constitutional right to privacy.
[1] Bhandari, Vrinda and Sane, Renuka. Towards a Privacy Framework for India in the Age of the Internet (November 2016), Section 3.3. NIPFP Working Paper Series, Working Paper No. 179. Available at SSRN: https://ssrn.com/abstract=2892368 or http://dx.doi.org/10.2139/ssrn.2892368