Pegasus Software: Legality and the State of the Law in India

The Pegasus Software is a spyware that has been alleged to infiltrate the phones and computers of many politically relevant people. The article breaks down the legal status of the software and the constitutional validity of its usage by the government, and discusses the laws of India, in general, with respect to such software.

Pegasus, the highly sophisticated surveillance software (or spyware) is a product of the NSO Group, an Israel-based cybersecurity company. This software has arguably found its way to the phones and computer system of many journalists, politicians, activists, and other imminent personalities across the world and has raised concerns related to data breach, privacy infringement and espionage, among others.

The legal status and usage of such software in India is mainly determined by the Information and Technology, 2000 (IT Act) and the rules and regulations laid down under it. In addition, the illegal usage of such software resulting in the compromising of the privacy of computer devices raises questions related to the fundamental rights and freedom conferred upon the citizens of India by the Constitution and the obligation on the State to protect them.

Overview of the Pegasus Software

Developed by the NSO Group, the software has been in human knowledge since around 2016, when it was allegedly used by unidentified groups to target human rights activists. The software is used for the purposes of surveillance and espionage.

Kaspersky defines a ‘spyware’ as a “malicious software designed to enter a computer device, gather its data, and forward it to a third-party without the owner’s consent.” Since the Pegasus Software is designed to function exactly like the ‘malicious software’ mentioned in this definition, it well qualifies as a spyware.

Who is the NSO Group?

The NSO Group is an Israeli company well-known for its expertise in creating specialized cyber weapons. It licenses surveillance software to governments around the world. According to the company, its Pegasus software was developed “for the sole purpose of preventing and investigating terror and serious crime” and it “licenses its products only to government intelligence and law enforcement agencies”.

How Does Pegasus Software Work?

The Pegasus Software can be installed to a device conventionally, that is, through spam, phishing, etc. or remotely, that is, without the device user having to do anything, such as, opening a document or a website link. This is regarded as one of the most outstanding feature of the software, making it one of the most advanced and the most popular of all software used for similar purposes. The software’s remote installation feature may be carried out by installing it through a missed call or by exploiting security bugs in voice calls made over the internet.

On installation, the software has the potential to access every information on the phone including encrypted chats and files, emails, call logs, app activity, user location, video camera and microphone.

What is the Issue?

The software has been alleged by various human rights and activists groups to be used for mass surveillance of journalists, political leaders and activists around the world. According to them, such surveillance is being done by unknown organisations and government agencies to serve their political motives and curb any voices of criticism and opposition raised against the government.

This puts the government on the warpath against the common masses who face the threat of espionage, illegal surveillance and monitoring, interception of their information and communications, denial of correct information, curbing of speech and expression, among others.

State of the Law in India for Spywares Like Pegasus Software

In India, the main regulatory statute for matters related to software, internet and cybercrime is the IT Act. It penalises any activity that breaches, modifies or causes a damage to a computer including mobile phones or to the data stored on such computer or mobile phones. With respect to Spywares such as the Pegasus Software, the State of the law in India can be understood by analysing the following laws laid down by the IT Act:

1. Tampering with Computer Source Documents
 
A ‘computer source code’ or source document means any:
 
  • programme,
  • computer command,
  • design and layout, and
  • programme analysis of computer resource in any form.
 
The IT Act, under Section 65, provides for punishment to anyone who knowingly or intentionally conceals, destroys or alters or causes another to conceal, destroy, or alter any computer source code or source document used for a:
  • computer,
  • computer programme,
  • computer system or
  • computer network.
 
2. Computer Related Offences and Damage to Computer, Computer System or Computer Network
 
Section 66 and Section 43 of the IT Act read together provide for the punishment to anyone who dishonestly or fraudulently or without permission of the owner or any other person who is in charge of a ‘computer, computer system or computer network’ (CSN) commits any of the following acts with respect to such CSN:

a) accesses or secures access to the CSN;
b) downloads, copies or extracts any data, ‘computer database’ or information from the CSN, including information or data held or stored in any removable storage medium. A computer database is a representation of information, facts, knowledge, instructions or concepts that are prepared or produced on a computer, computer system or computer network;
c) introduces or causes to be introduced any ‘computer contaminant’ or computer virus into the CSN. A computer contaminant is a set of computer instructions designed to:
  • record, transmit, modify, destroy any data or programme in a computer, computer system or computer network; or
  • to usurp the normal operation of such computer, computer system, or computer network;
d) damages or causes the CSN or any data, computer database or any other programmes residing in such CSN to be damaged;
e) disrupts or causes disruption of any of the CSN;
f)  denies or causes the denial of access to any person authorised to access the CSN by any means;
g) provides any assistance to any person to facilitate access to the CSN in contravention of the provisions of the IT Act or any rules or regulations made under it;
h) charges the services availed of by a person to the account of another person by tampering with or manipulating the CSN;
i) destroys, deletes or alters any information residing in a CSN or computer resource, or diminishes its value or utility or affects it injuriously by any means;
j) conceal, steal, destroys or alters or causes any person to conceal, steal, destroy or alter any computer source code used for the CSN or a computer resource with an intention to cause damage.
 
3. Breach of Confidentiality and Privacy
The IT Act, under Section 72, also penalizes any person who while exercising the powers conferred under the IT Act or any rules or regulations made under it, secures access to any electronic record, book, register, correspondence, information, document or other material and without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person.

What Do These Provisions Mean for the Legal Status of Pegasus?

These provisions of the IT Act clearly specify that any use of a computer programme or software for the purposes of:
  • concealing or altering a computer system or computer programme; or
  • securing access to them; or
  • downloading, extracting, or copying any data from them; or
  • introducing a computer contaminant to them that does any of the above, is an offence punishable with imprisonment and fine.
As such, the usage of a software like Pegasus, which is essentially a “spyware” used to infiltrate a computer or mobile phone without the consent or knowledge of the user for the purposes listed under these provisions, is strictly unlawful in India.

What are the Powers of the Government to Use Such Means?

To justify the use of Pegasus for any of the purposes listed under Sections 43, 65, 66 and 72 of the IT Act, the government takes the defence of Section 69 of the IT Act itself and the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (IT Rules).

Section 69 of the IT Act confers on the Central Government, the State Governments, and on any of their officers, the “power to issue directions for interception or monitoring or decryption of any information through any computer resource” if they are satisfied “that it is necessary or expedient” to do so:

1) in the interest of –
  • the sovereignty or integrity of India,
  • defence of India,
  • security of the State,
  • friendly relations with foreign States, and
  • public order.
2) for preventing incitement to the commission of any cognizable offence with respect to the sovereignty, integrity, defence and security of India and friendly relations with foreign State.

3) for investigation of any offence.

The IT Rules, 2009, provide for the competent authority, direction and procedure of such interception, monitoring or decryption.

However, neither the IT Act in its Section 69 nor the IT Rules, 2009, provide for the installation or usage of a spyware like Pegasus. Rather, sub-clause (2) of Section 69 and Section 7 of the IT Rules state that the reasons for any direction made for the purposes of interception, monitoring or decryption of any information through a computer resource must be recorded in writing and be forwarded to a review committee within a period of seven working days.

Further, as per Section 8 of the IT Rules, the competent authority must consider alternative means of acquiring information before issuing directions for such interception, monitoring or decryption. In addition, according to Section 16 of the IT Rules, the designated officer of the intermediary or person in charge of the computer resource authorised to intercept, monitor, or decrypt any information must maintain proper records wherein they must mention:
  • the intercepted, monitored or decrypted information,
  • the particulars of persons, website address, computer resource, email account, etc. whose information has been intercepted, monitored or decrypted;
  • the name and particulars of the officer or authority to whom the information has been disclosed;
  • the number of copies, including electronic records of such information;
  • the date of destruction of such copies, including the electronic records.
Infringement of the Right to Privacy    
                                                             
The Supreme Court in Justice K.S. Puttaswamy v. Union of India, 2017, held that the Constitution of India guarantees the right to privacy to the citizens of India as a Fundamental Right under Articles 14, 19 and 21 of the Constitution.

As such, any person, body of persons, the Government or any agency of the Government, cannot intercept, monitor, or decrypt any information from a computer resource or carry out any form of espionage or surveillance on the citizens of India without:
  • providing valid and legal grounds of such interception, monitoring, decryption, surveillance or espionage, and
  • the use of proper legal and constitutional means.
According to the law of India, the use of a spyware like Pegasus falls way out of the ambit of any legal or constitutional means.