Over the last few years, there has been a steady stream of major news stories involving government surveillance or privacy concerns regarding Big Tech, from the Edward Snowden leaks to the Cambridge Analytica scandal. For some, the most recent Pegasus Project reports are neither surprising nor terribly concerning in their revelations of how governments have been using spyware developed by an Israel company to target journalists, activists and political rivals all over the world, including in India.

Yet these stories are not the same. The manner in which Pegasus was potentially deployed in India, covering Opposition leaders, Election Commission officers and journalists in the run-up to the 2019 elections, threatens the pillars of India’s electoral democracy.

Delhi lawyer Vrinda Bhandari has paid close attention to questions of privacy and digital rights and, as Of-Counsel to the Internet Freedom Foundation, is party to a challenge in the Supreme Court calling for reforming India’s surveillance framework.

Scroll.in interviewed Bhandari over e-mail about Pegasus, what we understand about its legality and why it is different from Big Tech privacy concerns.

Is Pegasus a big deal? Should citizens be worried?
It’s a very big deal. This is not just a case of traditional surveillance or phone tracking. We’re talking about malware and spyware that can look at all the contents of your phone and take control of it, through “zero click” attacks (ie without any action by the user). This is not surveillance in the traditional sense, this is hacking.

And that’s why I think we should be worried for three reasons:

  • The undemocratic use.
  • The unprecedented magnitude.
  • The unreasonable invasion into privacy.

The undemocratic use is because this is done without any transparency, without any accountability, without any or legal backing. The unprecedented magnitude is just the sheer number of people reportedly on these lists, whether you’re talking about Gangandeep Kang, a famous biologist, to journalists to activists to a sitting judge. The unreasonable invasion is because this is hacking, not just surveillance.

If we don’t raise our voices at this moment, we are never going to raise our voices. If this does not shock people and if citizens don’t demand an inquiry to know the true facts – because so much is currently based on allegations and reports – and there is no public reckoning, I think we will lose the opportunity to ever have surveillance reform.

Why do you make the distinction between surveillance and hacking?
Under the Information Technology Act, when you have surveillance, you can intercept a phone conversation – what we traditionally understand as call phone tapping. But Pegasus is really is about taking control of your phone. Section 69 of the IT Act, in my reading, does not permit this kind of privacy invasion.

How does Pegasus work? It infects the device and hijacks its basic functioning. It looks at messages, calls, emails, audio, camera, data, everything. That is very different from what is legally permissible under Section 69.

Additionally, any interception under law has to happen for a “public emergency” or a “public safety” purpose in the interest of specifically defined purposes recognised in Section 69, such as national security, public order, or to prevent the commission of a cognisable offence.

What potential public safety or emergency reason could there be to target or hack journalists or a sitting judge or the family of the survivor making a sexual harassment complaint? You are compromising their work and creating a chilling effect downstream (whether it is on journalists or their sources, or anyone who may be critical of the government), which is very severe.

That’s why this is not interception as we traditionally know it, but more like hacking, because the core ingredients of Section 69 cannot be met.

Do you distinguish between the sort of surveillance the Intelligence Bureau used to do in the past, and what Pegasus can do?
As we know, the IB is completely outside any statutory framework, and I’ve spoken in the past about the need for legal accountability for all of our intelligence agencies. You need a statute that sets them up and establishes an accountability mechanism.

Nevertheless, the IB is an authorised agency to conduct surveillance operations under Section 69 of the IT Act. This means it can intercept, monitor, or decrypt information on a target’s phone. It does not, however, have the power to take full control of a target’s phone and comb their phone history, contacts, photos, videos, and messages. What happened in Pegasus, therefore goes beyond the scope of legal surveillance, and hence, is different from the work done by the IB.

However, it is important to note that both the IB reports and use of Pegasus speaks to the lack of transparency in how surveillance measures function in India.

According to an RTI response from the Ministry of Home Affairs in 2014, that said that there were about 7,500 to 9,000 surveillance requests – orders for interception of telephones – per month from the Central government. This is data from 2014. We can only imagine this has increased. Justice Srikrishna too, talks about this expressly in his data protection report while mentioning the need for judicial oversight.

The Internet Freedom Foundation actually filed an RTI looking for the number of aggregate requests between 2016 and 2018. We were denied these requests, citing national security concerns. Note that we were not asking who is being surveilled or any other information about individual surveillance orders. We just wanted to know the aggregate number of surveillance requests issued by the central government in a year.

This means that you’re not even getting the basic levels of transparency to help us understand the extent of legal surveillance in the country.

Why is this important? This is because the entire justification for the surveillance framework is that there is independent review and there are these checks and balances, through a three-member executive review committee that is supposed to meet, and look at whether each surveillance order complies with the requisites of Section 69.

The review committee is supposed to evaluate whether every single surveillance order meets the standard of public emergency, or of endangering public safety, and fulfils the requirements under Section 69 of the IT Act. This three-member bureaucratic review committee is expected to verify that. It is not humanly possible for such a team to evaluate 7,500-9000 requests per month (based on 2014 data), and ensure any due process, as of 2014.

If you would imagine that that number has only increased, where are the checks and balances? This is then completely a free-for-all system, with no procedural safeguards. And that is assuming that we agree that executive review is sufficient. I’ve argued previously that it is not.

For Puttuswamy (the Supreme Court judgment affirming a fundamental right to privacy) to mean anything, we need independent oversight, whether it is judicial or via Parliament.

The government keeps falling back on the line that ‘no unauthorised interception took place’. What you’re saying is that, even before Pegasus, government surveillance appeared to be neither transparent nor reasonable, from what we know.
Yes, 100%. And also, what does “authorised interception” mean? Who is it authorised by? Why is there so much obfuscation? Notably, the government has not issued a blank denial rejecting the claims that have emerged over the past two days, which leads us to believe that there is some truth to the reporting. Instead, the response has been, “there was no unauthorised interception”.

Now, authorised interception does not necessarily make it legal. Because they have not told us who authorised it. Is it pursuant to the powers under Section 69? Was there a review committee that evaluated each of these requests? Did you follow the long procedure under the 2009 Interception Rules?

It is not enough to say there was no unauthorised interception because the answer raises even more questions. It provides no clarity on who the authorising entity was or what the reasoning or justification for engaging in targeted surveillance (assuming that it was legal in the first place).

Maybe there are three layers to that:

  • Is it authorised? If so, by whom?
  • Even if it is authorised, is it legal?
  • And even if it is authorised and legal on paper, is it justified? Is it right?

From a law perspective, we would look at the first two: Was it authorised and legal?

Is it morally defensible is obviously not a law question. But it is one for society. Are we willing to live in a society where this is acceptable?

I would add a bit more to the second layer. Is it legal, but also, is it proportionate? Because that’s what the Puttuswamy judgment changes. It asks if a breach of privacy by the state is proportionate. Is there a less restrictive alternative? Was this narrowly tailored? Was there a reason to do this? So I would say, is it legal and proportionate? And then, yes, what does it mean for us as a society?

Some people believe that Pegasus is just the same as the phone tapping we had earlier, just that there is more of it. But is there a sense that the magnitude of access to our lives, which you mentioned earlier, goes so far as to change the relationship between citizen and state?
I believe that privacy concerns about the state are always more important than even those of private actors. Undoubtedly, there are problems and there is a need to regulate Big Tech. But the state enjoys power, and we need to be more afraid of that. As I have argued before, this is partly due to the fact that relationships between individuals and corporations are defined by consent, choice, and control, even if illusory.

This is unlike the relationship between citizens and the State, where governments wield greater influence in our lives, primarily due to their coercive and police powers, including the power to prosecute and punish; to legally place citizens under surveillance; and even to harass/intimidate dissidents.

The State thus, enjoys a monopoly of power in every sphere of human existence and privacy rights against it are premised on the ideals of freedom, liberty, and dignity. It is the only entity that can legally put me in jail, that can place charges against me, that can take away my liberty. So it is always an asymmetric relationship. What Pegasus does is it shows just how asymmetric that relationship can be.

When states collaborate with private companies and use the power of big data, that power expands. As US Justice Sotomayor puts it this way in her concurring opinion in US vs Jones, the space for the traditional safeguards against surveillance decreases.

In olden times, apart from legal safeguards, law enforcement agencies suffered from the constraints of resources. So, 20 people in a police force could only potentially target a certain number of people, not an entire population. Your traditional constraint has always been resources or community hostility.

What technology has changed, and you really see this in Pegasus, is that it allows the government to have a much wider net of potential targets, and a much more invasive ability. To further muddy the waters, technological advancements have meant that while interception in 2010 would be limited to phone tapping or listening to your conversations, today Pegasus allows a government to access the target’s email, their messages, their sources, their entire life.

Since you brought up Big Tech, people do ask all the time, why get worked up about this when we willingly give our data to Google and Facebook?
It’s an important question. The thing is, Big Tech has a lot of power in our lives. It’s absolutely important that Big Tech is regulated. But at the end of the day, Facebook cannot come into my house and arrest me. Facebook cannot register a case against me. We do know that criminal law is used to intimidate and deter activists and protesters. We know how the state can work.

And so, the monopoly of power that the state has is what is relevant. At the end of the day, the state is the biggest data collector. Yes, Facebook has a lot of power over all of us. But the state has access to all of our intimate information, and it is the only entity that can legally get access to that information.

But, and this is important: No one is saying that this means Big Tech should not be regulated. A huge part of the push for a data protection law is that, at least against the state, we do have some writ remedies. Whereas, against private actors, you traditionally don’t have constitutional remedies, and so we need a law.

I don’t think the two are contradictory. One can ask for the regulation of Big Tech, but also say that the bigger fear will always be the state, because of the way the state can exercise its powers.

What is your ideal response to these revelations? An investigation? A regulatory framework for surveillance?
Both.

We definitely need a radical overhaul of our surveillance framework. I have argued that we need judicial oversight, and much better transparency and accountability, to give full effect to the rich recognition of privacy in Puttuswamy. We need to see changes in the law.

Another aspect, for example, is that evidence obtained, even illegally, is admissible in trial in India, as long as it’s relevant, which is a very low threshold. Think of the incentives that gives to law enforcement? There is no incentive to follow the law. And that will increase the asymmetry of power. We need to change the standard that illegally obtained evidence is admissible.

We also need a regulatory framework for intelligence agencies. Currently, the IB and the Research & Analysis Wing notoriously lack any statutory or parliamentary accountability. There is very little knowledge of how they function. There was a private member’s Bill introduced by Manish Tiwari in 2011 [to regulate them], but it lapsed and there have been no developments since.

It’s important to have our intelligence agencies have some element of statutory accountability. I’m not even talking about public transparency. Some minimal level of accountability to Parliament, which is currently missing.

On the judicial side, it’s important the court decide the surveillance challenge which has been pending for three years. That will help structure push the debate moving forward. And if and when any petitions go before the court on these issues, they need to be decided fast. We can’t just let this be hanging.