State Surveillance in the Context of Pegasus

Contributed by: Samvad Partners






Introduction

Instances of unauthorised accessing of personal data have been rising exponentially and players from across the spectrum – from hackers looking for illegal financial gains to governments with far more sinister motives – are willing invaders of privacy. Unfortunately, when the government hacks into a citizen’s electronic device, the ramifications for not just that citizen, but for the entire nation and democracy at large, are of much greater and dire significance than when a tech savvy racketeer steals someone’s bank account details to make a quick buck. The most recent in the series of incidents highlighting the use of spyware by governments across the world is the Pegasus incident which first came to light in 2016 and has recently regained notoriety over reports that the spyware was used by Indian authorities to track and monitor prominent Indian citizens, ranging from journalists to politicians and judges.


Pegasus is a software which was developed by the Israeli firm NSO Group and can be installed covertly on phones across the world to track and monitor activities on mobile phones and other electronic devices. The software can be installed by a process as simple as the user clicking a link on a message, which can be made to appear as if from a legitimate contact. Media reports have also indicated that the Pegasus spyware has been used across multiple countries by governments and regimes to conduct surveillance of political leaders, activists and journalists including those belonging to other countries.

The Indian media has reported that the current Indian government too used Pegasus to conduct surveillance of a number of Indian citizens. The list of persons whose privacy was so compromised, according to media reports, include Rahul Gandhi, a woman who had made claims of sexual harassment against a former Chief Justice of India and multiple persons accused in the Elgar Parishad case.


While every incidence of the government spying on its citizens elicits rightful indignation amongst such citizenry, the Pegasus incident is hardly unique. In fact, most democratic legal systems provide for certain instances where the rights of privacy of its citizens can be covertly subverted in the interests of national security, prevention of crime or within other specified parameters. India is no exception to this and permissible surveillance is a topic well explored under its legal system. Below we take a look at the scope, legality and parameters around surveillance in India.


There are two existing legislations which provides the legal framework under which government authorised surveillance may be conducted in India -the Telegraph Act, 1885 and the Information Technology Act, 2000. Also in the pipeline is the proposed Personal Data Protection Bill which, upon enactment, will supplement this framework.


The Telegraph Act, 1885 (Telegraph Act)

Surveillance of non-electronic telephone calls in India is covered under the Telegraph Act. Section 5(2) of the Telegraph Act provides that upon the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer so authorised in this behalf by the Central Government or a State Government may by order and for reasons to be recorded in writing, direct that any message(s) to or from any person(s), or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government or officer making such order, provided that it is necessary or expedient so to do either (i) in the interests of the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with foreign states, (iv) public order or (v) for preventing incitement to the commission of an offence.


The case of People’s Union of Civil Liberties (PUCL) vs. Union of India (1996), was a landmark judgement with respect to such interception of telegraphic message. As a result of reports of widespread wiretapping by the Central Government at the time, PUCL filed a petition in the Supreme Court challenging the constitutional validity of section 5(2) of the Telegraph Act. While the Supreme Court did not strike down Section 5(2) of the Telegraph Act as unconstitutional, or uphold the Right to Privacy as a fundamental right, it did notice the lack of procedural safeguards in the provisions of the Telegraph Act and laid down the following guidelines for interceptions under the Telegraph Act:

  1. An order for phone tapping can only be issued by the Home Secretary of the Central or State Government and such Home Secretaries also have the power to delegate such right to issue an order to an officer in the Home department of the Central or State Government not ranking below Joint Secretary, in an urgent case.

  2. A review of such orders must be conducted by a Review Committee consisting of Cabinet Secretary, Law Secretary and Secretary for Telephone Communication at the Central level and also a corresponding committee at the State level within two months of the date of such order to determine whether or not there has been a relevant order under Section 5(2) of the Telegraph Act and if the Review Committee determines that there has not been a relevant order then it may set aside the order and direct the destruction of any copies of the intercepted communications. An important point to consider whether there has been a relevant order or not is whether the information which is considered necessary to acquire could reasonably be acquired by other means.

  3. Any order under Section 5(2) of the Telegraph Act, unless renewed, will be valid for 2 months from the date of issue. The authority which issued the order may, before the end of the 2-month period, renew the order if it considers it is necessary to continue the order in terms of Section 5(2) of the Act, provided however that the total duration of the order may not exceed 6 months.

  4. Any intercepted material shall only be used to the minimum limit that is necessary in terms of Section 5(2) of the Telegraph Act and each copy made of any of the intercepted material shall be destroyed as soon as its retention is no longer necessary in terms of Section 5(2) of the Telegraph Act.

  5. The authority issuing the order must also maintain records of: (i) the intercepted communications; (ii) the extent to which material is disclosed; (iii) the number of persons to whom the material is disclosed and their identity; (iv) the extent to which the material is copied; and (v) the number of copies made (each of which must be destroyed as soon as its retention is no longer necessary).

The Supreme Court’s guidelines under the PUCL case formed the basis of Rule 419A of the Indian Telegraph (Amendment) Rules in 2007 (“Telegraph Rules”), which imposed further restrictions and safeguards around interception of phone calls and are similar to the rules prescribed under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“IT Rules”), which are explained below.


Subsequently, in the case of K.L.D Nagasree v. Government of India (2006), while referring to the ruling of the Court in the PUCL case, it was held by the High Court of Andhra Pradesh that to pass an order for interception of messages in the exercise of powers under Section 5(1) and (2) of the Telegraph Act, the happening of a public emergency or the existence of a public safety interest is mandatory. Hence, a public emergency or a requirement for public safety needs to first exist so as to justify an order allowing interception of messages.


Information Technology Act, 2000 (“IT Act”)

The IT Act covers surveillance of electronic communication. Section 69 of the IT Act authorises the Central Government, the State Government and their specially authorised officers to direct, for reasons recorded in writing, any agency of the appropriate government to intercept, monitor or decrypt or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource on being satisfied that it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to the above or for investigation of any offence.


The procedures and safeguards subject to which such monitoring or interception or decryption may be carried out are prescribed in the IT Rules.


Rule 3 of the IT Rules provides that no person may conduct any interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource except by an order issued by the competent authority; however, in certain unavoidable circumstances, such orders can be issued by an officer, not below the rank of Joint Secretary of the Government of India and who has been duly authorised by the competent authority (the ‘competent authority’ is either the secretary of the Ministry of Home Affairs in case of Central Government or the Secretary in charge of the Home Department in case of a State Government or a Union Territory).


This rule also takes into account certain emergencies which may arise and accordingly (i) in remote areas, or (ii) for operational reasons, where obtaining of prior directions for interception or monitoring or decryption of any information generated, transmitted, received or stored in any computer resource is not feasible, the interception or monitoring or decryption of any such can be carried out with the prior approval of the head or the second senior most officer of the security and law enforcement agency at the Central level and the officer authorised in this behalf, provided that such officer is not below the rank of the inspector General of Police or an officer of equivalent rank, at the State or Union territory level.


Additionally, the officer, who approves such interception or monitoring or decryption of information in case of emergency, is required to inform, in writing, to the competent authority about the emergency and of such interception or monitoring or decryption within 3 working days and obtain the approval of the competent authority within a period of 7 working days. If the approval of the competent authority is not obtained within the said period of 7 working days, such interception or monitoring or decryption shall cease and the information shall not be intercepted or monitored or decrypted thereafter without the prior approval of the competent authority.


Further, Rule 4 provides that the competent authority may authorise an agency of the Government to intercept, monitor or decrypt information generated, transmitted received or stored in any computer resource for the purpose specified in sub-section (1) of section 69 of the IT Act.


A few of the agencies so authorized by the Ministry of Home Affairs include: (i) Intelligence Bureau; (ii) Narcotics Control Bureau; (iii) Enforcement Directorate; (iv) Central Board of Direct Taxes; (v) Directorate of Revenue intelligence; (vi) Central Bureau of Investigation; (vii) National Investigation Agency; (viii) Cabinet Secretariat (RAW); and (x) Commissioner of Police, Delhi.


In addition to authorising Central and State Governments to intercept, decrypt or monitor information, Section 69 further goes on to impose an obligation on all subscribers, intermediaries (which includes within its definition telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes) and persons in charge of computer resources to, when called upon by the Central or Sate Government or any of the authority so authorised by the Central or Sate Government, extend all facilities and technical assistance to provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; intercept, monitor, or decrypt the information, as the case may be; or provide information stored in a computer resource. Failure to comply with such a request by the Central or State Government or any authorised agency, can result in imprisonment for up to 7 years and a fine. This is supplemented by Rule 14 of the IT Rules, which requires every intermediary to appoint personnel in charge of receiving any such requests from a competent authority and provide all cooperation to the competent authority.


Personal Data Protection Bill 2019 (“PDP Bill”)

While still not law, the proposed PDP Bill also has provisions which facilitate or provide scope for the government to undertake surveillance.


The proposed PDP Bill mandates procedures for any collection, processing, storing and transfer of personal information in India. While the PDP Bill itself brings about rules regarding governance of personal information of individuals in India for the first time, it is not without concerns.


In terms of surveillance, Clause 35 of the PDP Bill provides for exemption to the agencies of the government from the application of this bill for reasons of national security, integrity and sovereignty, public order, friendly relations with foreign states, and for preventing any cognizable offence relating to above and thereby giving broad authorisation to conduct surveillance. The nature and scope of this Clause is quite wide and it is no surprise that there has been concern from academicians, journalists and lawyers, who see this Clause as a free hand for the state to engage in active surveillance.


Right to Privacy

While there does exist a formalised legal process for surveillance of individuals under the IT Act, IT Rules, the Telegraph Act, Telegraph Rules and under the proposed PDP Bill, another important point to consider in the discussion on surveillance is the judgement of the Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., which affirmed an individual’s fundamental Right to Privacy.


In the Puttuswamy judgement, apart from striking down the judgement in Kharak Singh v. State of U.P and M.P Sharma vs Satish Chandra (where it was held that Right to Privacy is not a fundamental right of the citizens under the Indian Constitution), the Supreme Court also dwelled on the need for control over surveillance. In analysing the same, Justice Chandrachud on behalf of three other judges and supported by Justice Kaul, held that the Right to Privacy of an individual could only be overridden by the State if the act overriding the Right to Privacy satisfied the following requirements:

a) legality, which postulates the existence of law;

b) need, defined in terms of a legitimate State aim; and

c) proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.


The Puttuswamy judgement for the first time asserts that the Right to Privacy is a fundamental right and since surveillance by its very nature is a violation of the Right to Privacy, the grounds for surveillance by an authority will now additionally need to satisfy the requirements laid down in the Puttuswamy judgement and establish the legality, need and proportionality of such surveillance.


Conclusion

In light of the Pegasus incident, the Government of West Bengal has constituted a two-member panel to investigate the use of the Pegasus software in India. The Finance Ministry however maintains that there has been no transaction with the NSO Group.


A few people allegedly affected by the Pegasus software have also petitioned the Supreme Court praying that either the Cabinet Secretary file an affidavit to explain the usage of the Pegasus software by the Government, or the Court itself form a committee led by a sitting judge to investigate the allegations regarding the use of Pegasus. Consequently, the Supreme Court had directed the Central Government to file an affidavit regarding its usage of Pegasus. The Central Government, however, has declined to file such an affidavit citing national security concerns.


It will be interesting to see what responses are given or actions taken by the Central Government in the wake of all questions surrounding use of the Pegasus software.


While it was a welcome change to have an established position with respect to what comprises infringement of an individual’s privacy and the procedure to be followed in cases of permissible infringement, the actual examination of whether an act of surveillance passes the test laid down in the Puttuswamy case, will vary on a case-to-case basis and depend on the specific act and/or overreach and a court’s determination of the same. However, it is important to note that being a matter of privacy, by the time a court determines the legality of an act of surveillance, it is likely that the damage for an individual may already be done.


Contributed by Samvad Partners


The above article has been authored by Ms. Juhi Mehta(Counsel) and Mr. Kevin Robin(Senior Associate)