The Supreme Court has said that its technical expert committee could not find Pegasus spyware in the 29 mobile phones of complainants, but detected malware in five of them.
What was the issue?
- A global collaborative investigative project has discovered that Israeli spyware Pegasus was used to target thousands of people across the world.
- The report claimed that, in India, at least 300 people were targeted. This included two serving Ministers in the current government, three Opposition leaders, one constitutional authority, several journalists and business persons.
- The Pegasus row also reached the Supreme Court when the Editors Guild of India filed a petition in the Supreme Court seeking direction for a probe by a special investigation team.
- In a judgment, the SC bench led by CJI NV Ramana stated that national security ground raised by the State cannot totally exclude judicial review. The SC emphasised the importance of free speech and press freedom and expressed concerns about unauthorised surveillance.
What is ‘Pegasus’?
- Pegasus is a malware/spyware developed by Israel’s NSO Group.
- Spyware is a type of malicious software/malware that is installed on a computing device without the end user’s knowledge. It invades the device, steals sensitive information.
- The spyware suite is designed to access any smartphone through zero-click vulnerabilities remotely.
- Once a phone is infiltrated, the spyware can access entire data on that particular phone.
- It also has real-time access to emails, texts, phone calls, as well as the camera and sound recording capabilities of the smartphone.
Committee to probe Pegasus charges –
- The Supreme Court constituted a technical committee under the oversight of Justice (retd) R.V. Raveendran to look into the allegations of snooping.
- The committee divided the court-appointed task into two areas —
- One is regarding the inquiry itself.
- Second is regarding recommendations about the enhancement of existing laws and procedures related to surveillance and securing rights including privacy, cyber security, etc.
- The committee has submitted its report to the three three-judge Bench led by Chief Justice of India N. V. Ramana.
What are the laws in India on snooping?
- Section 5(2) of The Indian Telegraph Act, 1885, states that the government can intercept a message or class of messages.
- This can be done only in the interests of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of an offence.
- SC in its verdict in the People’s Union for Civil Liberties (PUCL) vs Union of India case said telephonic conversations are covered by the right to privacy. This can be breached only if there are established procedures.
- After that Government of India established a procedure for surveillance —
- Under Rule 419A of the Telegraph Rules, surveillance needs the sanction of the Home Secretary at the Central or State level.
- But in unavoidable circumstance can be cleared by a Joint Secretary or officers above, if they have the Home Secretary’s authorisation.
- In the S. Puttaswamy vs Union of India verdict of 2017, the Supreme Court further reiterated the need for oversight of surveillance. It stated that surveillance should be legally valid and serve a legitimate aim of the government.
- Section 69 of the Information Technology Act, 2000 also facilitates government interception of any information through any computer resource. The procedure for it is detailed in the Information Technology Rules, 2009.
Recommendations of the committee –
Justice Raveendran, who supervised the committee also made six recommendations to strengthen cyber security. This included —
- Enactment of amendment to existing laws and procedures for surveillance, particularly for securing the citizens’ right to privacy;
- no non-state entity to use spyware;
- establishment of mechanism for citizens to raise grievances against illegal surveillance;
- setting up of a well-equipped independent primary agency to investigate cybersecurity vulnerability.