India: Spyware use violates Supreme Court privacy ruling
Indian authorities should immediately, independently and credibly investigate the government’s alleged use of advanced spyware to target activists and apparent opponents, Access Now, the International Commission of Jurists, the Electronic Privacy Information Center, Electronic Frontier Foundation, PEN America, the Center for Democracy and Technology, CIVICUS, Freedom House, Privacy International, the Association for Progressive Communications (APC) and Human Rights Watch said today. The authorities should also put in place broad reforms to establish proper judicial and parliamentary oversight of government surveillance measures that fully comply with international standards on privacy and other civil liberties.
August 24, 2021, was the fourth anniversary of Puttaswamy v. Union of India, the landmark digital rights case in which the Indian Supreme Court ruled that the right to privacy is a fundamental right under the Indian Constitution. Since then, the government, instead of overhauling the surveillance law framework and enacting robust data protection mechanisms, has used public safety and national security arguments in court and in parliament to deflect concerns about violations of privacy rights.
In July, the Indian news website The Wire, as part of the international collaborative Pegasus project, reported that there were at least 300 Indian phone numbers, including those of human rights defenders, journalists, lawyers, government officials, and opposition politicians, in the leaked global list of 50,000 numbers. These were concentrated in countries known to engage in unlawful and arbitrary surveillance of their citizens and were also known to have been clients of NSO Group, an Israeli company that develops and sells surveillance spyware called Pegasus. NSO Group asserts that it “sells only to authorized governmental agencies.”
Forensic tests by Amnesty International found traces of Pegasus activity on 37 out of 67 phones examined, of which 10 belonged to Indian nationals. Once a smartphone is infected with the spyware, government agencies are able to monitor all activity on the phone, including emails, files, contact lists, location information, and chat messages. The spyware also enables governments to secretly record audio or video using a phone’s built-in microphone and camera. The Pegasus project identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates.
NSO Group has repeatedly denied the Pegasus news reports, claimed that the reporting is “erroneous and false,” and said it “will no longer be responding to media inquiries on this matter.” Previously the company claimed that the reporting was based on “wrong assumptions and uncorroborated theories.” None of the Pegasus Project partners have retracted their reporting.
Hacking is illegal under Indian law, and thus far the Indian government has not said whether it used Pegasus to hack into devices. The government has only made vague statements that safeguards are in place to avoid unauthorized surveillance. It has also stalled any attempts by opposition leaders in parliament to investigate the allegations.
The surveillance allegations come amid an intensifying crackdown on freedom of speech and peaceful assembly by the Bharatiya Janata Party-led national government, and its enforcement of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules target internet intermediaries, including social media services, digital news services, and curated video streaming sites. While the government says they are aimed at curbing misuse of social media, including for the spread of “fake news,” they allow greater governmental control over online content, threaten to weaken encryption, and would seriously undermine rights to privacy and freedom of expression online.
The authorities have increasingly arrested human rights defenders, peaceful protesters, and members of religious minorities in politically motivated cases, including under counterterrorism, sedition, and national security laws. There is evidence that the phone numbers of several activists currently in jail on terrorism charges were on the leaked Pegasus list. In some cases, their lawyers, relatives, and friends were also on the list.
International human rights law establishes a right to privacy and bars arbitrary or unlawful infringements on the right. The Indian Supreme Court has also observed that restrictions on privacy are only permissible if they are necessary and proportionate to achieve a legitimate purpose, and are provided for in law. The disproportionate, illegal, or arbitrary use of spyware, like Pegasus, for surveillance violates the right to privacy, undermines freedom of expression and association, and threatens personal security and lives, the groups said.
The government has argued in several petitions filed in the Supreme Court regarding the Pegasus spyware that the cases had national security implications that could not be publicly disclosed. Instead, the details would be revealed to a government-appointed committee of experts.
A government-appointed committee is not a substitute for an independent inquiry, the groups said. Under international law, India has an obligation to ensure that victims of rights violations have an effective remedy. The United Nations special rapporteur on counterterrorism and human rights has noted that remedial bodies must have “full and unhindered access to all relevant information, the necessary resources and expertise to conduct investigations, and the capacity to issue binding orders.”
The Indian government’s claims that it has sufficient safeguards to prevent unauthorized surveillance have no basis, the groups said. In India, the legal regime for surveillance is governed by the 1885 Telegraph Act, along with the 2000 Information Technology Act. Under these laws, which have been challenged in Indian courts, the executive branch has unchecked and extremely broad powers of surveillance that are devoid of any meaningful safeguards, with no judicial authorization or independent oversight.
Even though the Supreme Court has twice stated, in 1997 and in 2017, that an order of surveillance can be passed only when strictly necessary and if there is no other alternative, the lack of independent scrutiny and effective reporting mechanisms result in lack of accountability.
State surveillance powers will be further enhanced by a proposed law on personal data protection that will grant exemptions to government agencies on vague and overbroad grounds. The current draft of the Personal Data Protection Bill should be amended to clearly restrict the government’s discretionary powers, and mandate prior judicial authorization for access to data and surveillance on a case-by-case basis.
Four years after the Supreme Court’s pronouncement on the right to privacy, the Pegasus revelations should serve as a wake-up call for the urgent need to meaningfully recognize and protect the right to privacy in India, the groups said. The government should carry out surveillance reform that ensures independent, judicial oversight, and provides for judicial remedy, as well as a data protection framework that respects people’s rights.