The past few days have once again provided extensive evidence of a cyberattack on Indian citizens. Barring the evasive statements issued by various ministers of the Government of India, we are yet to hear any substantive explanation of why phone numbers of several Indian politicians, including Rahul Gandhi, activists and lawyers were found to be amongst the 50,000 other phone numbers believed to be potential surveillance targets by governments around the world. It is correct that for a variety of reasons, forensic testing that might have revealed infection by NSO’s Pegasus was not possible in each of these cases. But the presence of these numbers does call for a thorough investigation, instead of another word salad being offered by the government. The French and Israeli governments have already ordered an investigation.
Most followers of this controversy will remember that this is not the first time the current government has been accused of snooping on civilians. In 2019, it was alleged that NSO’s software was used by GoI to exploit a vulnerability in WhatsApp to illegally spy on 24 citizens, and hack as many as121 Indians. All that resulted in was bombastic denials by ministers, and blocking of any action by the ruling party. The Parliamentary Standing Committee on Information Technology chaired by Shashi Tharoor had held some hearings but no substantive outcome resulted or at least no information was made public. Such inaction across board leaves us citizens to wonder whether the surveillance structure is one where all parties are complicit and the inaction is deliberate after some obligatory public outrage.
In 2019, WhatsApp, in order to avoid any conflict with GoI, decided to sue NSO in California. The documents filed in that lawsuit tell us that Pegasus could “remotely and covertly extract valuable intelligence from virtually any mobile device”. Pegasus was designed, in part, to intercept communications sent to and from a device, including communications over iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp, and others. Pegasus was modular malware, which meant that it could be customised for different purposes, including to intercept communications, capture screenshots and exfiltrate browser history and contacts from the device. That case is now on the discovery stage, in which both sides can request documents and records that may reveal more.
This is only a part of the surveillance structure that operates unbridled in India. On March 11, the Indian government casually announced the adoption of facial recognition technology enabled surveillance. We were told that using photographic and other information from government “databases”, 1,100 individual participants in the Delhi riots had been identified. The number was later raised to 1,900. When other advanced democracies, including the European Union and several states in the US, have been slowing down or stopping use of facial recognition in the public sphere altogether, here in India, we seem to be not only traveling at top speed in the other direction, but the actions of the government indicate that rule of law is no more than a small bump on the way.
There are at least three other projects that are building a 360-degree surveillance mechanism by the government. These projects, namely CMS, NATGRID and NETRA, operate under complete secrecy without any publicly available information. CMS and NETRA are demonstrably among the most invasive in the world — all the more so, considering how a patchwork of broadly worded laws with questionable compliance rates allows them to tap into virtually any network, often without the knowledge of the service providers themselves. NATGRID was built with an intent to enable government agencies to get information such as bank account details and transaction details, in violation of the principles which were laid down in the Supreme Court’s Puttaswamy judgment.
There seems to be a concerted effort to create a surveillance state, monitor free flow of information and use technology to control instead of empowering citizens. Where the government reads every face, political dissent is under permanent intimidation. We cannot live our lives outside the range of others’ cameras anymore.
First, we should not allow this to be yet another scandal that captures our attention for a few weeks before some other thing erupts. We all must keep the pressure on.
Second, an independent inquiry commission must be set up. This commission should not be headed by one or two Supreme Court judges but by a panel consisting of members of judiciary, civil society and technical experts. We must also ensure that the matter is not sent to the CBI, who the Supreme Court itself has called a caged parrot.
Third, in the absence of an independent judicial inquiry ordered by the Supreme Court, states should order the kind of investigations the state of West Bengal headed by Mamata Banerjee has ordered.
Fourth, all the victims should approach courts, police and ask for their rights to be enforced. Courts should stop buying the catchall argument of national security and allow governments to use the market to create an infrastructure of surveillance. Government’s right to have continuous access to our data, without adequate safeguards, should also be held a violation of constitutional human rights.
Fifth, information about the three surveillance projects, namely CMS, NATGRID and NETRA, should be publicly available and they must be subject to the principles laid down in the Puttaswamy case.
Sixth, we must use this opportunity to force Parliament to make by statute a strong personal privacy charter protecting the right to be free from forms of behaviour collection and mass data analysis that are demonstrably harmful. Such an Act should not have any exceptions. It should subject all government surveillance — and government use of private surveillance technologies — to the rule of law.
Without the freedom to think freely, there are no rights that can be exercised by anyone. If we leave this discussion only to politicians and don’t hold them accountable this time, we are doomed to live through the death of freedom.
This column first appeared in the print edition on August 10, 2021 under the title ‘Government vs citizen’. The writer is Legal Director at Software Freedom Law Center