A recent report in The New York Times has brought the Pegasus scandal back in the news in India. The spyware was allegedly used to infiltrate the devices of many prominent figures in India, including judges, an election commissioner, and many journalists. Israeli company NSO Group, the maker of Pegasus, claimed that it sells the cyberweapon only to authorised government entities, thereby indicating that the Indian government may have misused Pegasus – a claim reaffirmed by the NYT report. The government has, however, not accepted the charge in its affidavit to the Supreme Court. The threats posed by this targeted surveillance are far-reaching and dangerous for democracy.
Some months ago, the Grand Chamber of the European Court of Human Rights gave a progressive judgement with regard to a controversial surveillance law of the United Kingdom. In the case of Big Brother Watch and Others v. The UK, the Court held that although States had a wide margin to undertake surveillance in the interest of national security, certain minimum safeguards had to be followed in conducting such surveillance. The contested law did not meet those criteria, nor did it satisfy the test of necessity and proportionality. The law was thereby declared invalid for infringing on citizens’ Right to Privacy and Right to Freedom of Expression. Indian courts could borrow from the findings in this case for the Pegasus case.
The ECHR verdict recognises that there needs to be independent oversight “to minimise the risk of abuse” and for the same, a State’s surveillance orders should ideally be allowed only after prior judicial authorisation. Judicial oversight is a well-recognised component of any rule of law society, and independent courts are of utmost importance to keep a check on the possible abuse of State powers.
But the authorising mechanism under Indian law is different. Here, the State derives the power to intercept communication from the Indian Telegraph Act and the Information Technology Act. Under both these laws, sanction for surveillance is required from the Home Secretary, thereby vesting control in the Executive, instead of in the Judiciary.
An independent, impartial scrutiny of any order for interception is critical to strike a balance between national interests and individuals’ fundamental rights. So, it would be better if the power to authorise surveillance lies with the Judiciary, and not with the Executive itself.
A striking feature of the Big Brother Watch judgement is that it is one of the few international judgments which recognises that an interception of metadata is just as intrusive and violative as an interception of the content of a communication. It also rightly acknowledges that the change and growth on the internet calls for the evolution of more robust laws regulating data. Technology is, after all, a double-edged sword.
Both of these observations lead us to the insufficiency in Indian law. Despite the massive increase in internet availability and features over the last decade, the laws dealing with misuse of the same are fairly inadequate. The Supreme Court, in PUCL v. Union of India gave certain guidelines for surveillance cases, focusing on telephone-tapping, over 20 years ago. Both the technology and its misuse have evolved since then, but a legal framework tailored specifically to keep a check on internet and metadata surveillance is missing.
Rather, the new IT Guidelines compel social media intermediaries to share metadata of the users with the State, authorise traceability of private messages, and enhance State presence in the functioning of intermediaries. Although Section 66 of the Information Technology Act keeps a check on “unauthorised access”, the provision lacks teeth and is insufficient to control the invisible hand of the State. Even the proposed legislation, the Personal Data Protection Bill, does not provide protection from surveillance, and indeed gives wide exemptions to State authorities.
The ECHR verdict in Big Brother Watch has significantly strengthened the requirements for lawful interception in Europe by suggesting a detailed eight-point mandate. The judgement has also favoured the cause of citizens’ right to privacy and free speech over the State’s interest in surveillance. And while this judgement has its fair share of flaws, too, it offers reasonable findings that India can draw inspiration from.
In light of the Pegasus affair, it needs to be seen whether the targeted surveillance was indeed authorised by the government, and if so, was it indeed to protect national security and prevent crimes or whether it was employed as a tool for political vendetta. A fair, impartial and devoted inquiry commission with judicial members could unravel this. Indian law could incorporate the mandate of strict oversight of data surveillance, a compulsory requirement to meet certain minimum safeguards and quick and effective redressal of complaints about cyber-spying. Surveillance reform is the need of the hour to prevent our reality from spiralling into an Orwellian dystopia. As long as there is critical inquiry, there is hope.
(The writer is a Rajasthan-based advocate)