09, Nov 2023 | Tanya Arora
On the morning of October 31, several journalists and politicians from the opposition parties in India woke up to alerts on their iPhones pertaining to a state-sponsored attack on their phones. The alerts were sent by Apple via message and email. The alert had also alleged that the reason behind the attempts to comprising the phones of the individuals might have something to do with who they are and what they do.
The message received was “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID.” An email, with the subject line titled “ALERT: State-sponsored attackers may be targeting your iPhone”, went on to provide, “These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone.” It further urged the recipients, “While it’s possible this is a false alarm, please take this warning seriously.”
These alert messages and email had been received by multiple opposition leaders, including Mahua Moitra (All India Trinamool Congress), Priyanka Chaturvedi [Shiv Sena (Uddhav Balasaheb Thackeray)] Raghav Chadha (Aam Aadmi Party), Sitaram Yechury [Communist Party of India (Marxist)], and Shashi Tharoor (Indian National Congress) amongst others. It was also sent to several journalists, including Siddharth Varadarajan, (founding editor of The Wire), Sriram Karri (resident editor of Deccan Chronicle) and Ravi Nair, journalist at Organized Crime and Corruption Reporting Project (OCCRP).
The recipients of the above mentioned alerts had taken to ‘X’ (formerly Twitter) to express their shock at being targeted in such a manner. TMC MP (Member of the Parliament) Mahua Moitra had alleged that the Indian government was trying to hack into her phone. “Received text & email from Apple warning me Govt trying to hack into my phone & email. @HMOIndia – get a life. Adani & PMO bullies – your fear makes me pity you”, the Lok Sabha member had written on ‘X’.
Pawan Khera, media and publicity department head of INC, took to ‘X’ and said, “Dear Modi Sarkar, why are you doing this?” Similar allegations connecting the Indian government to these state-sponsored attempts at comprising the phones were raised by many other recipients.
In the face of such allegations, the Bharatiya Janata Party (BJP) was quick to dismiss the same as baseless. Ministers and leaders of the ruling parties also took to twitter to slam the opposition party leaders and deem their concerns to be nothing more than publicity gimmicks. After a few hours, Apple Inc. had issued a statement stated that it could possible that some of threat notifications may be false alarms and some attacks may not be detected. The firm had further said that “Apple does not attribute the threat notifications to any specific state-sponsored attacker.” The firm added that state-sponsored attackers are “very well-funded and sophisticated, and their attacks evolve over time”.
While the statement provided by the firm was used by the BJP party to defend itself, the question that is yet to be answered is why only alerts were send to the most vocal critics of the Modi government? If these alerts were just false alarms, then why did none of the leaders from the ruling party receive them? The alerts that were received by the journalists and opposition leaders alleged that attempts have been made by state-sponsored attackers to steal information from their iPhones. In view of the recent history of surveillance tactics being weaponised by the ruling government, how wrong were the recipients to assume that the union government were behind them?
Senior BJP leader Ravi Shankar Prasad had reacted to the allegations by slamming the opposition for targeting the government without taking up the matter with Apple and dared its leaders, who have received it, to file a criminal case (FIR). Prasad had stated that these confusion and allegations regards the alerts sent were to be clarified by the firm and not the government. But, the question that arises here is that why were the leaders of the opposition and the journalists critical of the current government the only ones who received this alert? Viewing the part track record of India, employing Pegasus malware and the Arsenal report alleging planting of evidence in the case of violence at Bhima Koregaon, do the people of India not have a valid concern of their phones being hacked?
Amid the row, Electronic and Information Technology Minister Ashwini Vaishnaw had stated that the government had ordered a probe into the matter. “In light of such information and widespread speculation, we have also asked Apple to join the investigation with real, accurate information on the alleged state-sponsored attacks,” he added.
State-sponsored cyber-attacks in India
The cybersecurity company Cyfirma, based in Singapore, recently released its 2023 India Threat Landscape Report, which states that 13.7% of all cyber-attacks target India, making it the most targeted nation in the world. According to the aforementioned analysis, there was a 278% surge in state-sponsored cyber-attacks on India between 2021 and September 2023. The majority of these attacks targeted services companies, such as IT and BPO enterprises. According to a report of The Wire, there was a notable 460% increase in targeted cyber-attacks on government institutions during this period, whereas start-ups and small and medium-sized firms (SMEs) experienced a staggering 508% increase.
These statistics, while deeply concerning, are not surprising. It is crucial to highlight here that this is not the first time that opposition leaders and journalists have come under the scrutiny of the current union government. In 2021, India had been rocked by reports that the current government had used Israeli-made Pegasus spyware to snoop on scores of journalists, activists and politicians. An investigation published by 17 media organizations, led by the Paris-based non-profit journalism group Forbidden Stories, had provided that the said spyware was made and licensed by Israel’s cyber intelligence company NSO Group had been used in attempted and successful hacks of 37 smartphones belonging to journalists, government officials and human rights activists.
The Wire had also reported that smartphones of politicians including Rahul Gandhi, a senior leader of the opposition Congress party, and two other lawmakers were among 300 verified Indian numbers listed as potential targets for surveillance during 2017-19 ahead of national elections. Former Indian election commissioner Ashok Lavasa and former Central Bureau of Investigation director Alok Verma were also a part of the list. The NSO Group had provided that its product was intended only for use by vetted government intelligence and law enforcement agencies to fight terrorism and crime.
The government had denied all the accusation of illegally accessing the conversation of many people by hacking cell phones with the Pegasus spyware. In August 2022, a Supreme Court appointed panel had conducted a probe into the allegations raised in the case of using Pegasus spyware to snoop into the phones of certain citizens. The panel, which included three experts on cyber security, digital forensics, networks, and hardware, had been asked to “inquire, investigate and determine” whether Pegasus spyware was used for snooping on citizens and their probe would be monitored by a former apex court judge Raveendran. Notably, the panel members were Naveen Kumar Chaudhary, Prabaharan P, and Ashwin Anil Gumaste.
The said probe panel had found some kind of malware in 5 phones out of 29 examined by technical committee. The panel had said some malware was found on five of the 29 phones its panel examined, but it was not clear if it was Pegasus. The court had also provided that the Central government had not cooperated with the investigation into the Pegasus spyware cases. The said panel has now been disbanded.
As per a report of India Today, in 2019, Facebook had filed a case against NSO Group for creating Pegasus. The report detailed that the security researchers at Facebook were chasing Pegasus across their systems, and they found that the software was used to infect several journalists and activists in India. Notably, in the year 2019, Facebook-owned platform WhatsApp had confirmed that it had informed the government of India in 2019 that at least 121 Indian numbers—belonging to academics, lawyers, Dalit activists, and journalists—had been hacked by Pegasus, exploiting a chink in the chat app’s armour. A report on the same had been written by the Guardian and the Washington Post which had provided details of what they called global surveillance operations using Pegasus. The reports had provided that over 10 governments, including India, have been involved in surveillance of people using Pegasus spyware. India, in a statement to the Guardian, called the Guardian report “fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.” However, the country, in its statement to the Guardian, had not categorically denied using Pegasus.
The concerns regarding abuse of the Pegasus increased when another report had emerged which alleged the employment of the software by the government to frame people in a criminal manner. A 2021 report of the Washington Post had revealed that eight of the 16 under trials in the Bhima Koregaon violence case were targeted by Pegasus before being imprisoned. According to Arsenal Consulting, a US-based digital forensic firm, there is evidence of digital files being planted remotely on the computers of two of those shrivelled, These files are precisely what were deemed as critical evidence for keeping the accused in the case behind bars. Notably, another report by the American forensic firm had exposed how multiple incriminating documents were planted in the computer of Father Stan Swamy, the 83-year-old activist-priest who was arrested for alleged terror links in 2020 in the Bhima Koregaon case and who had died in custody a year later.
A recent report of Deccan Herald had alleged that India has reportedly started looking for alternative spyware after the US-based Amazon.com’s cloud services shut down the infrastructure of the NSO Group. The Financial Times reported in March that India was in the market with an estimated budget of $120 million for buying alternatives to Pegasus like Quadream and Cognyte (both made by Israeli firms) and Predator sold by Greek firm Intellexa, which had employed Israeli military veterans to create the spyware. The report further provided that in April, the Congress party had claimed that the Union government was buying Cognyte spyware to snoop on politicians, media, activists, and NGOs. As expectedly, there is no official information in the public domain regarding the purchase of any new spyware programmes by India.
Laws on surveillance in India
As the allegations of state-sponsored surveillance surfaced, IT Minister Ashwini Vaishnaw stated that Indian has a well-established procedure in which lawful interception of electronic communication can be carried out by federal and state agencies for the purpose of national security, particularly in the case of a public emergency or in the interest of public safety. And yet, an August 2023 report of the Financial Times, alleged that India’s “so-called lawful interception monitoring systems” are helping provide the “backdoor” that allows “Prime Minister Narendra Modi’s government to snoop on its 1.4 billion citizens, part of the country’s growing surveillance regime.”
Laws established in India that govern surveillance and address lawful interception, such as The Indian Telegraph Act, 1885 (Telegraph Act) and Information Technology (Amendment Act, 2008 (IT Act), were adapted by our legislation before spywares that are being used today were even conceivable. Under the legal grounds of the Section 5(2) of the Telegraph Act, 1885 and Section 69 of the IT Act, the state can “intercept, monitor, and decrypt any information for protecting sovereignty, national security, friendly relations with international governments, integrating public order etc.”
These specified laws allow for interception of the phone for certain specific purposes. In specific to targeted surveillance, the current regulatory framework allows the Central and state government directly or notified agencies to conduct an interception of the communication. This provides discretionary power to the state in determining legal enforcement agencies that can perform targeted surveillance without any oversight or contestation of the Parliament and judiciary. However, these law do not permit the state agencies to go to the extent of hijacking and weaponising a phone in the way an illegally used spyware like Pegasus makes possible.
In addition to this, Sections 43 and Section 66 of the IT Act criminalises cybercrime and stolen computer resources. Hacking is a punishable offence under the same. However, the Pegasus ‘snoop gate’ revealed that hacking operations may take place without even the target possessing any knowledge of the said infringement. Under the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, no agency or a person can perform interception without direction and approval of the competent authority.
As has been established above, a gap is present in our legislations when it comes to sustainably protecting the citizens from state-sponsored illegal surveillance. It is pertinent to draw one’s focus to the digital personal data protection Act that was passed by the Parliament in the monsoon session of 2023 in the face of criticism by activist, academicians and scholars. The said act for being one that protects governments from scrutiny and not citizens, providing legal cover for surveillance. Critics and activists voiced their concerns by stating “the government’s favourite catchphrase ‘as may be prescribed’ is the highlight of this DPDP Act. It has been used 28 times in a 21-page Act with 44 sections. The ambiguity has been kept so that the government can take arbitrary decisions,” as per a report of the Wire.
The Jurisprudence on the Right to Privacy
The legislations highlighted above under the IT act and the Telegraph Act allow the state to perform surveillance under broad mandates such as “to maintain public order, national security, and public safety”. These mandates were then adjudicated upon by the Constitutional Courts of India:
In August 2017, a nine-judge bench of the Supreme Court in the Puttaswamy Case gave legitimacy to the right to privacy under the Constitution of India. The Court held it to form a part of the fundamental rights guaranteed to the citizens of India (Article 21) and made its derogation subject to the highest level of judicial scrutiny. However, the bench clarified that a person’s fundamental right to privacy could be overridden by competing state and individual interests, or in other words, lawful interception. Premised on the principle that “Privacy is the ultimate expression of the sanctity of the individual”, the Supreme Court held that:
- The violation of privacy with regard to arbitrary state action would be subject to the “reasonableness” test under Article 14.
- Privacy invasions that implicate Article 19 freedoms would have to fall under the restrictions of public order, obscenity etc.
- Intrusion of one’s life and personal liberty under Article 21 will attract the just, fair and reasonable threshold.
- Phone tapping not only infringes Article 21 but also contravenes Article 19 freedoms. Such a law would have to be justifiable under one of the permissible restrictions in Article 19(2), in addition to being “fair, just and reasonable” as required by Article 21, and as was held in the People’s Union for Civil Liberties (PUCL) versus Union of India (1997). It would also need to be subject to a higher threshold of “compelling state interest”.
- The ‘proportionality and legitimacy’ test was also established – which is a four-fold test that needs to be fulfilled before state intervention in the right to privacy:
- The state action must be sanctioned by law.
- In a democratic society, there must be a legitimate aim for action.
- Action must be proportionate to the need for such interference.
- And it must be subject to procedural guarantees against abuse of the power to interfere.
In 2019, the Bombay High Court adjudicated upon the law pertaining to phone tapping and surveillance in the post-Puttaswamy era, applying the principles in relation to the right to privacy to section 5(2) of the IT Act. In this case, a businessman, who was alleged to have given bribes to bank employees to avail himself of credit, challenged certain Central Bureau of Investigation orders that directed interception of his telephone calls on the grounds that such orders were ultra-vires of section 5(2) of the IT Act.
At the outset, the Bombay High Court had reiterated that an order for interception as per Section 5(2) of the IT Act can be issued only in the circumstances of public emergency or public safety. The impugned orders were given on the basis of ‘public safety’.
While deciding the case, the High Court took reference from the already settled stance of the Supreme Court in previous cases. Drawing from the case of Hukum Chand Shyam Lal v. Union of India and other case laws, and holding that the impugned offence was related to an economic offence, the High Court was of the opinion that there is no apparent public safety interest to substantiate the said orders or satisfy the test of “principles of proportionality and legitimacy” as laid down in the Puttaswamy Case.
Thus, in regards to the question of interception, the Supreme Court held:
- An order of interception under section 5(2) of the IT Act can only be given in situations of ‘public emergency’ or ‘public safety’.
- If interception has been undertaken in contravention of Section 5(2) of the IT Act, it is mandatory for the said intercepted messages to be destroyed.
- Evidence procured in violation of Section 5(2) and the rules made thereunder, is not admissible in court.
The most important lessons from the aforementioned two cases are that in order to justify an interception under section 5(2) of the IT Act, the stringent requirements of “public emergency” and/or “public safety” must be satisfied, and adherence to the regulations and guidelines established thereunder is required. The evidence will be excluded from court proceedings with even a small divergence from the protocol. The Vinit Kumar Case is helpful in protecting fundamental rights and ensuring that authorities do not abuse their ability to monitor phone conversations to target particular individuals without adhering to legal procedures. Given the turbulent times we live in, it seems like this is a judgment whose applicability will be called into question repeatedly.
Protection from state-sponsored surveillance- a distant dream?
Arbitrary or illegal invasions of privacy are prohibited by International Human Rights Law, which establishes the right to privacy. Furthermore, as noted by the Supreme Court and other Constitutional Courts of India, restrictions and exceptions to the fundamental right to privacy are only allowed if they are both legally mandated and required to accomplish a legitimate purpose. In view of this, the disproportionate, unlawful, or arbitrary use of spyware—like Pegasus—for surveillance breaches people’s right to privacy, erodes their ability to freely express themselves and associate, and endangers their security, safety, livelihood and lives. The recent attempts of the government in employing Pegasus malware and the alerts sent by the Apple Inc. indicate a threat to the already weakened privacy protection practices in India. In addition to overhauling the outdated framework of privacy protection laws in India, it is essential to ensure that the newer laws being implemented are more citizen centric rather than government centric. At present, the legislations have cracks and loopholes that allow state actors to perform targeted surveillance at their discretion in the absence of appropriate checks and balances. To put value to the words, “India is the mother of democracy”, it is essential that we move towards holding the state accountable for employing illegal and unethical tactics against critical voices.
Image Courtesy: ikigailaw.com