Reports to date from national and international news outlets indicate that Pegasus, spyware developed by the private Israeli company NSO, has been used to monitor politicians, government officials, military officers, human rights activists and journalists around the world and in India.
It is an open secret that Indian intelligence agencies have historically been misused for political spying by all governments. Most of the scandals in the past were contained as the actors were within India and the fallout could be managed.
The present scandal has different dimensions, as it is the first major snooping scandal to hit India post the Puttaswamy Judgment that made privacy a fundamental right for all citizens.
The fallout from this scandal might not be containable within Indian officialdom and could throw up details that can embarrass the Government of India and make its security officials vulnerable to foreign blackmail.
A lawsuit has been filed by WhatsApp in California, Ninth Circuit Court, against NSO for violating the US Computer Fraud and Abuse Act, as well as state-level charges including breach of contract and interfering with their property. The case rests on legally weak grounds and represents an attempt to use the CFAA in an unusual way, i.e. to punish not just hackers who breach a company's computers, but those who exploit its software to breach the computers of its users.
WhatsApp, a US company, has notified 1,400 users internationally in various nations. Multiple methods of legal recourse will be attempted by the victims in various legal jurisdictions including India, that will have global political and diplomatic repercussions. The Indian government has denied purchasing Pegasus software from NSO Group. The Israeli company has stated that it sells malware only to registered government entities.
From the list of public figures, including Indian Opposition leaders who claimed to have been targeted, it is obvious that these are mostly of interest to Indian security agencies.
In the mature democracies of the West, security agencies are subject to parliamentary oversight and are forced to operate within the confines of the law. Any infringement of fundamental rights has to be under judicial oversight. Not doing so can have serious repercussions on the democratic process and the legal justice system.
In India, all surveillance of citizens is carried out under bureaucratic oversight under the colonial Indian Telegraph Act, 1885. In the present instance, Indian agencies lack the technical capability and cannot legally monitor encrypted chat services like WhatsApp. Moreover, other legal remedies such as a mutual legal assistance treaty (MLAT) cannot be applied to the case, since WhatsApp claims that its services are end-to-end encrypted and that it does not have the data.
This gap has been filled by firms like NSO, which peddle spyware like Pegasus. In the virtual world, such spyware also leaves a trail that can be reconstructed by third parties; in the present instance, that third party is the Citizen Lab, a Canada-based Internet research agency. WhatsApp has been accused before of creating backdoors to facilitate snooping, and the parent company Facebook is also rumoured to have ties with the American deep state. The virtual domain is capable of quick and easy manipulation. NSO, the creator of Pegasus, and WhatsApp, the instant messaging platform, are in a position to understand who the security agencies of various nations are interested in monitoring.
They are also in a position to manipulate what the security agency can monitor. They can expose the whole operation and embarrass intelligence agencies of both friends and foes, as has happened here.
Govt must step up
Indeed, if it emerges at a later date that both WhatsApp and NSO collaborated to create an exploitable backdoor and milked security organisations around the world for a few hundred million dollars, while being in a position to materially affect the polity and destiny of nations, it would be the acme of a successful information operation.
The mistake here is strategic. No nation can function in a cohesive manner after handing over its communication infrastructure to powers beyond its legal writ. In the present instance, the state's security agencies are now dependent on two foreign entities, WhatsApp and NSO, as well as on the US and Israeli security agencies, to cover their backs. These agencies will definitely extract a price for the same. India should use this fiasco to address the long-pending privacy debate.
A strong privacy and data protection law, which includes data localisation that will prevent such a security fiasco, is the need of the hour. Legislative measures to make the security agencies function under parliamentary oversight and professionalise their functioning can turn this fiasco into a success story.