Published on: August 04,2021 17:35 IST
By Tanya Napolean
Introduction
NSO Group’s Pegasus is arguably the most potent spyware ever built. Its goal is to infiltrate Android and iOS cellphones and transform them into surveillance devices. An investigation by an international media consortium found that this spyware built by NSO Group, an Israeli software firm, targeted more than 50,000 phone lines.[1]
Over 300 Indians are reported to be on the leaked list of prospective targets, including two serving ministers in the Modi government, three opposition figures, journalists, human rights activists, and entrepreneurs. The software is solely sold to governments by the NSO Group.
The Israeli company promotes it as a tool for tracking criminals and terrorists — not for bulk monitoring, but targeted espionage.
How does the Spyware work?
Pegasus takes use of Android and iOS flaws that have yet to be found. This implies that even if a phone has the most recent security patch installed, it could be compromised.
The first hack entails sending a specially designed SMS or iMessage with a link to a website. If people click on this link, they will get malicious software that infects the device.
The goal of the spyware is to get complete control of the software of a mobile device, either via rooting Android devices or jailbreaking Apple iOS devices.
Rooting and jailbreaking both eliminate the security features built into Android and iOS devices. They usually consist of a mix of configuration modifications and a “hack” of fundamental operating system components to run customized programs.
Once a device has been unlocked, the hacker can install further software to get remote access to the device’s data and operations. This individual is likely to be entirely oblivious of the situation.
Legal History of Pegasus
WhatsApp launched a lawsuit against NSO Group in a California court in 2019. Looking back at the case. The case of WhatsApp vs. NSO reveals the extent of the harm that NSO’s spyware products may inflict, the impending threat to not only privacy protection but also people’s lives, and why digital titans have joined Facebook in this fight.
WhatsApp has cited the Computer Fraud and Abuse Act (CFAA) of the United States, the California Comprehensive Data Access and Fraud Act, and section 502 of the California Penal Code for breach of contract and trespass.
An injunction was issued against NSO by the major corporation, which requested damages and an injunction.
As part of its petition, WhatsApp has requested the court to ban NSO from “trespassing” on the territory of its parent firm, Facebook, and to order NSO to pay a penalty for violating the data protection rules and fraudulent laws, as well as for breaching the agreement between WhatsApp and its customers.
Facebook’s claims were dismissed as “baseless” by NSO. The Israeli business maintains that its primary objective is to offer governments and law enforcement agencies technology to assist them to combat terrorism and severe crimes and that it does not have any other malicious intentions.
Microsoft and Google also filed a petition in December 2020 to join Facebook’s legal battle against NSO. In addition, the Internet Association, GitHub, and LinkedIn have also signed on to this initiative.
Pegasus’s vulnerabilities may be dramatically increased if NSO is granted constitutional protections when it works on behalf of its foreign-government customers, the tech titans claimed.[2]
Opposition’s Reaction
Opposition parties demanded an independent inquiry and accountability from the government over the suspected use of Pegasus software to spy on ministers, legislators, and journalists.
Political parties such as the Congress, TMC, NCP, Left parties, RJD, and Shiv Sena all demanded an investigation.
The Congress called the Centre’s actions “treasonous,” and Home Minister – Amit Shah was called to account for the whole incident, which included the spying and hacking of journalists’, judges’, and politicians’ phones. They also urged an investigation into the “role of the prime minister” in the situation.
“We absolutely demand the resignation of Mr. Amit Shah as Home Minister,” the Congress tweeted. They also added “We cannot emphasize enough how important it is to uphold our democratic and constitutional ideals and principles for the protection and security of all of our residents. An International Ransomware Meant Solely for Government agencies has hacked into the phones of our citizens. Accountability is required.”
“The Modi government is hacking into its own journalists, opposition leaders, and constitutional authorities using foreign military grade spyware. It is basically fighting for the destruction of our democracy and constitution.” the CPI(M) stated.
In light of the findings, David Kaye, the former UN special rapporteur on freedom of speech, has called for a global embargo on the purchase of spyware, something he had previously proposed.
Indian Government’s Response
The BJP said that the news about suspected surveillance through Israeli spyware Pegasus is “concocted, fictitious, and baseless,” and that further claims based on it are “false and misleading.”
Amnesty International, the human rights organization involved with the Pegasus Project, has denied the existence of a list of prospective targets of the alleged surveillance, according to sources quoted by BJP member Meenakshi Lekhi.
She said during a news conference at the BJP headquarters that the “false” list is nothing more than a compilation of phone numbers pulled from the yellow pages.
Similarly, BJP leader Ravi Shankar Prasad dismissed any link between the Modi Government and the Israeli spyware “Pegasus” , saying a “false story” was “broken before the Monsoon Session of Parliament to disrupt it and stall India’s growth,” whilst the opposition accused the government of “treason” over the spyware issue.
Indian laws relating to the Pegasus Spyware issue
To understand the Pegasus situation in India, one must first understand the lack of cybersecurity law in the country. The Information Technology Act, 2000, the Indian Cyberlaw, is twenty-one-year-old legislation that was modified just once in 2008.
It is apparent that the present legal frameworks are not enough to cope with modern surveillance technology and their newly developed manifestations, given that there have been enormous technical developments in monitoring tactics over the previous decade.
There is just one legislation that pertains to such a situation at the moment: the Information Technology Act of 2000. “Lawful interception” is defined under section 69 of the Act
Section 69 of the Information Technology Act of 2000 states:
1“Where the Central Government or a State Government or any of its officers specially authorized by the Central Government or the State Government, as the case may be, in this behalf may if satisfied that it is necessary or expedient to do in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offense relating to above or for investigation of any offense, it may, subject to the provisions of sub-section”[3]
2 “for reasons to be recorded in writing, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource.”[4]
Spyware is banned in India as of today. As a result, the use of spyware is considered a cybercrime under Section 66B of the Information Technology Act, 2000.
Section 66B in The Information Technology Act, 2000 states:
“66B Punishment for dishonestly receiving stolen computer resource or communication device. -Whoever dishonestly received or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.”[5]
Individuals who oppose the government are currently subject to such monitoring. Furthermore, in today’s world, monitoring has become an acceptable weapon in the hands of authorities.
As a result, this is all the more important that the Indian Cyberlaw be revised to include proper safeguards against the exploitation of surveillance systems for interception.
Conclusion
In this scenario, it is apparent that a great deal of effort needs to be changed to confirm that illegal spying does not become the ideal practice. Spyware attacks like Pegasus represent the beginning of a new era of digital conflict. Such accidents are expected to become more common as technology advances.
There must be strict regulations in place in the event of foreign unlawful access to devices and malware control limits. The Pegasus case also emphasized the necessity for spyware regulation, as the goal of targeting users who are criminals or suspicion of criminal activity might extend to spying on persons like activists and demonstrators, threatening democracy, and personal privacy overall.
Reference-
- Revealed: leak uncovers global abuse of cyber-surveillance weapon, the Guardian (2021), theguardian.com (last visited Jul 24, 2021). ↑
- Robert Bloomberg, Google, Microsoft back Facebook lawsuit against NSO group over surveillance Business-standard.com (2020), business-standard.com (last visited Jul 24, 2021). ↑
- Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 — The Centre for Internet and Society, Cis-india.org, cis-india.org (last visited Jul 24, 2021). ↑
- Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 — The Centre for Internet and Society, Cis-india.org, cis-india.org(last visited Jul 24, 2021). ↑
- : India Code: Section Details, Indiacode.nic.in, indiacode.nic.in (last visited Jul 24, 2021). ↑