As India deals with a massive cyberattack against its citizens by allegedly its own government, we are all left wondering as to what have we wrought.
Wasn't this all subject to any rules, regulations or laws that would protect us? Can the government not only legislate about what we eat or watch on TV but also spy on our most intimate of conversations?
The news of the use of the spyware " Pegasus " sold by Israel's NSO Group used to tap into WhatsApp accounts of prominent rights advocates, politicians and journalists has brought the vulnerability of our phones and lack of any legal protection against government surveillance to the forefront.
In response to the entire saga, NSO issued a statement saying, "The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years." Thus making it all but certain that we have been subjected to spying by our very own government.
As citizens, we are responsible for understanding and acting on these realities. If we fail to safeguard our future by acting now, we will be responsible for losing our democracy and our lives as we know it.
A representational image of the Pegasus spyware by Kaspersky.
Major takeaways from WhatsApp hack for India
Four points emerge from this revelation: India's laws allow surveillance of all its citizens on a wide variety of broadly worded grounds without any judicial or parliamentary oversight; the laws are almost never subjected to judicial review to keep up with the technological review; we are always in the dark about surveillance and dependent on the goodwill of private companies like WhatsApp to tell us about surveillance and it's time to talk about the development of comprehensive and surveillance systems developed ostensibly to counter terrorism like the Central Monitoring System (CMS), Network Traffic Analysis (NETRA) and National Intelligence Grid (NATGRID) that can be used for purpose of surveillance of regular citizens.
Surveillance for limited purposes of national security, to check on terrorism is what each nation is entitled to carry out but one would expect that such spying, especially on one's own citizens, would be subject to some kind of oversight: parliamentary or judicial?
An examination of the surveillance-enabling provisions found across Indian legislations will reveal that communications surveillance is currently permitted on a wide variety of broadly worded grounds, from national security to the prevention of spreading of computer viruses.
Surveillance capabilities with no judicial oversight
Government authorities in India and law enforcement agencies (LEA) have near-unqualified surveillance capabilities when it comes to India's communication networks without any judicial or parliamentary oversight. What we have is a patchwork of loosely worded laws with questionable compliance rates that can tap into virtually any network.
Central/State governments, their authorised agents and LEAs in India derive their authority to conduct communications surveillance from several legislative Acts and Rules in addition to the communications service licenses. These include the Indian Telegraph Act 1885, >Information Technology Act 2000, rules framed under these Acts, Code of Criminal Procedure 1973 and service licenses granted by the Department of Telecommunications (DoT) to communications service providers " including but not limited to the Unified Access Service License, Internet Service License and Unified License.
In conclusion, it's all legal.
As noted above, democracies around the world recognise that there is a critical place for legitimate, tailored and targeted surveillance, to protect national security and to investigate serious crimes. So a classic constitutional balancing act is required: how do we meet the legitimate objectives of lawful surveillance while respecting a citizen's constitutional rights?
An examination of case law reveals that Judges are often hesitant to intervene and have deferred to the government to carry out these activities with feebly expressed hopes that they would follow the anaemic process laid out. This is in sharp contrast to most democracies in the world where even Foreign Surveillance is subjected to judicial oversight where a judge oversees requests for surveillance warrants against foreign spies by law enforcement and intelligence agencies.
Fast developing surveillance systems such as the CMS and NETRA are among the most invasive in the world. They have been kept under tight wraps by the government citing various security concerns, and reliable information on them is extremely difficult to come by in the public domain. It's important to note that they were envisioned during the tenure of the UPA government. They are exempt from the provisions of the Right to Information Act. From what we can screen from the media reports, it's clear that that they are all set as a centralised system to monitor communications on mobile phones, landlines and internet in the country. These have not even been discussed let alone made subject to any oversight.
Several existing monitoring systems in India are already capable of intercepting fixed-line/mobile/internet telephone calls, log and provide real-time access to the entirety of Indian internet traffic, provide access to Call Data Records/Exchange Data Records/IP Data Records. The last we heard about these was when now-deceased Union Minister Arun Jaitley was rumoured to be surveilled and his mobile phone monitored in 2013.
It does not matter what political party is in power, the lure of using technology for control is being practised by the Chinese and perfected by several governments with help ironically from the Israelis.
We need to be wary of all those who sell us the technology for efficiency and rob us of our individuality and rights. Only a collective movement of empowered citizens can prevent our democracy from withering away.
The author is a technology lawyer and Managing Partner, Mishi Choudhary Associates.