
India’s ongoing outrage over Pegasus malware tells a bigger story about privacy law problems

Analysis NSO Group’s Pegasus spyware-for-governments keeps returning to the headlines thanks to revelations such as its use against Spain’s prime minister and senior British officials. But there’s one nation where outrage about Pegasus has been constant for nearly a year and shows little sign of abating: India.

A quick recap: Pegasus was created by Israeli outfit NSO Group, which marketed the product as “preventing crime and terror acts” and promised it would only sell the software to governments it had vetted, and for approved purposes like taking down terrorists or targeting criminals who abuse children.

Those promises are important because Pegasus is very powerful: targets are fooled into a “zero click” install of the software, after which their smartphones are an open book.

In July 2021, Amnesty International and French journalism advocacy organisation Forbidden Stories claimed Pegasus had been used well beyond its intended purpose, and claimed to have accessed a list of over 50,000 phone numbers NSO clients had targeted for surveillance.

Many were politicians, activists, diplomats, or entrepreneurs – not the sort of roles NSO said it would let governments target with Pegasus.

Over 300 Indian residents made that list – among them opposition politicians, activists, and officers of the Tibetan government in exile.

NSO has offered no explanation, or theory, for how its promises turned to dust.

The New York Times reported Prime Minister Narendra Modi purchased Pegasus in 2017 as part of an overall weapons deal worth roughly $2 billion, but Indian politicians have resisted admitting to its acquisition or use.

The mere implication that India’s government had turned Pegasus against political opponents was dynamite, and complaints poured in from those who felt they had been targeted.

Those complaints were heeded: in October 2021, India’s Supreme Court established a Technical Committee to investigate whether the national government had used Pegasus to target citizens illegitimately.

The Committee emerged after the government offered to investigate itself. The Court rebuffed that proposal, and referred to allegations of Pegasus’s deployment as an “Orwellian concern” [PDF]. It expressed concern that rights to both privacy and free speech had been breached, and also took an interest in whether a foreign entity had been involved in illegal domestic surveillance.

Political opponents have accused Indian prime minister Narendra Modi of treason and compromising national security, while supporters have cited “lawful interception” as justification for the spyware’s use.

Probes are under way into whether State governments also acquired Pegasus, and the software has also become part of a wider debate about data privacy.

“I think the conversation is continuing because there is a court case ongoing. Anytime something happens in the case, the conversation restarts,” Anushka Jain, a lawyer for New Delhi-based digital liberties organization Internet Freedom Foundation, told The Reg. Her group is providing legal representation to two journalists targeted by Pegasus spyware.

Jain explained:

Logically, if NSO only sells Pegasus to governments, the malware must have either been used by the Indian government or against Indian citizens by a foreign government – a point noted by politicians, think tanks, and nonprofits like the Internet Freedom Foundation alike. Either way, they argue, the government is responsible for taking action.

As Rajya Sabha Member of Parliament and Bharatiya Janata Party (BJP) member Subramanian Swamy tweeted:

The Indian Supreme Court declared privacy as a fundamental right in 2017 on the basis of Article 21 of the Indian Constitution. However, the bench clarified that a person’s fundamental right to privacy could be overridden by competing state and individual interests, or in other words, lawful interception.

“The judgment was hailed as a founding stone of privacy jurisprudence in India. It was also hailed as an opportune moment for stronger privacy of Indian citizens at a time when Digital India was gathering pace,” said Indian nonprofit The Software Freedom Law Center, India (SFLC-In) on social media.

The org, which describes itself as “Defenders of your Digital Freedom”, believes that unfortunately not much has changed “in terms of actually safeguarding the privacy of Indian citizens and safeguarding them from unfettered state surveillance” since the 2017 ruling.

“The fight for stronger digital rights continues and has taken a sharper turn in the wake of the Pegasus scandal, lack of due stakeholder consultations, and bypassing legislative scrutiny to introduce unfettered technical solutions,” wrote SFLC-In in a Facebook post.

Laws that further address lawful interception, the Indian Telegraph Act and the Information Technology Act, were written before spyware was even conceivable – as implied by the mention of Telegraphs.

Those laws allow for interception (in section 69) but not to the extent of hijacking and weaponizing a phone in the way Pegasus makes possible.

Meanwhile, Sections 43 and 66 of the same Act criminalize cybercrime and stolen computer resources.

“The Information Technology Act says that hacking is illegal, and Pegasus is essentially hacking because it takes over the entire phone and it collects all information that is on the phone, not just specific communication,” clarified Jain.

“However, that is a very broad interpretation of that provision, because that is describing hacking of a computer system, and [Indian law doesn’t have] any provisions for technology such as Pegasus.”

But India is debating such a bill – the Personal Data Protection Bill, 2019. The bill has been severely criticised at home and abroad and has not passed into law.

Jain explained that one reason for opposition to the bill is that it provides a lot of exemptions.

She said:

A catalyst

Jain told The Register that without a data protection law or a strong civil liability system, the only way forward for Indian citizens is to go to the constitutional court and claim their rights were violated.

The SFLC-In agrees that the courts are integral to change, which is why it is also supporting victims of the spyware in litigation.

As the organization wrote on their website:

Seeking rectification through the court system could establish the necessary data protection, hacking and digital rights laws, thereby creating a historical change. Of course, the laws could also not pass – or pass with inadequate protection – leaving folks like Jain and the SFLC-In looking for the next opportunity to work towards change.

While those groups continue to agitate for change, a new player has also taken aim at the Bill: in its annual assessment [PDF] of IP law around the world, the US Trade Representative rated it as likely to “undermine important IP protections in India”. The Trade Representative said the Bill’s flaws “are particularly acute given India’s outdated and insufficient legal framework for protecting trade secrets.”

“On this and other potential legislation affecting IP, the United States encourages India to undertake a transparent process that provides stakeholders with sufficient opportunity to comment.”

Those stakeholders’ positions are not hard to find. Nor is outrage about how the lack of a robust data law affords India’s government a loophole that could allow it to use Pegasus to target opponents.

Indian government policy calls for the nation’s tech firms to assume a greater role in global industry, and for wide use of digital government services. With its proposed law stalled, and key trade partners recommending its revision, both goals will be harder to achieve. ®