A spyware is any malicious software designed to enter your computer device, gather your data, and forward it to a third-party without your consent. Pegasus, developed by NSO Group, is perhaps the most powerful spyware ever created. It is designed to infiltrate Smartphone's - Android and iOS - and turn them into surveillance devices.

The Israeli company, however, markets it as a tool to track criminals and terrorists - for targeted spying and not mass surveillance. NSO Group sells the software to governments only. A single licence, which can be used to infect several Smartphone's, can cost up to Rs 70 lakh. According to a 2016 price list, NSO Group charged its customers $650,000 to infiltrate 10 devices, plus an installation fee of $500,000.

Pegasus is a spyware developed by NSO Group, an Israeli surveillance firm, which helps spies hack into phones. In 2019, when WhatsApp sued the firm in a U.S. court, the matter came to light. In July 2021, Amnesty International, along with 13 media outlets across the globe released a report on how the spyware was used to snoop hundreds of individuals, including Indians.

While the NSO claims its spyware is sold only to governments, none of the nations have come forward to accept the claims. Human rights and press freedom activists are up in arms about a new report on NSO Group, the notorious Israeli hacker-for-hire company. The Pegasus Project, an investigation by an international media consortium, has revealed that more than 50,000 phone numbers were targeted by a spyware created by NSO Group, an Israeli software company.

On the list were 300 verified phone numbers in India, including those of ministers, opposition leaders, a sitting judge, more than 40 journalists, and several activists and business persons.

The report, by a global media consortium, expands public knowledge of the target list used in NSO's military-grade spyware. According to the report, that now not only includes journalists, rights activists and opposition political figures, but also people close to them, the groups have decried the virtual absence of regulation of commercial surveillance tools.

A number of reports on Pegasus Spyware in India indicate that at least 1,000 Indian phone numbers are in a list of potential targets of surveillance using the Pegasus spyware. An Israeli company, the NSO Group, sells the Pegasus spyware to vetted governments. The evidence is strong that Indian citizens were indeed targets of a vicious and uncivil surveillance campaign by a government entity, Indian or foreign.

What can it do?
Once installed on a phone, Pegasus can intercept and steal more or less any information on it, including SMS, Contacts, Call History, Calendars, Emails and Browsing Histories. It can use your phone's microphone to record calls and other conversations, secretly film you with its camera, or track you with GPS.

Brief history of Pegasus 2016:
Researchers at Canadian cyber security organisation The Citizen Lab first encountered Pegasus on a Smartphone of human rights activist Ahmed Mansoor.

September 2018:
The Citizen Lab published a report that identified 45 countries in which Pegasus was being used. As with the latest revelations, the list included India.

October 2019:
WhatsApp revealed that journalists and human rights activists in India had been targets of surveillance by operators using Pegasus.

July 2021:
The Pegasus Project, an international investigative journalism effort, revealed that various governments used the software to spy on government officials, opposition politicians, journalists, activists and many others. It said the Indian government used it to spy on around 300 people between 2017 and 2019.

How does it work?
Pegasus exploits undiscovered vulnerabilities, or bugs, in Android and iOS. This means a phone could be infected even if it has the latest security patch installed.

A previous version of the spyware - from 2016 - infected smart phones using a technique called spear-fishing: text messages or emails containing a malicious link were sent to the target. It depended on the target clicking the link-a requirement that was done away with in subsequent versions.

By 2019, Pegasus could infiltrate a device with a missed call on WhatsApp and could even delete the record of this missed call, making it impossible for the user to know they had been targeted. In May that year, WhatsApp said Pegasus had exploited a bug in its code to infect more than 1,400 Android phones and iPhones this way, including those of government officials, journalists and human rights activists. It soon fixed the bug. Pegasus also exploits bugs in iMessage, giving it backdoor access to millions of iPhones. The spyware can also be installed over a wireless transceiver (radio transmitter and receiver) located near a target.

All about the Pegasus Project
Pegasus is a type of malware classified as a spyware. Pegasus enables law enforcement and intelligence agencies to remotely and covertly extract data from virtually any mobile devices

The Spyware Pegasus can gain access to devices without the knowledge of users. After this, it can gather personal information and relay it back to whoever is using the software to spy.

A zero-click attack helps spyware like Pegasus gain control over a device without human interaction or human error. Pegasus can infect a device without the target's engagement or knowledge. So, all awareness about how to avoid a phishing attack or which links not to click are pointless.

The Israeli firm NSO Group (set up in 2010) developed the Pegasus spyware. Since then, NSO's attack capabilities have become more advanced.

What really does Pegasus comprises of?
Upon installation, Pegasus contacts the attacker's Command and Control (C&C) servers to receive and execute instructions and send back the target's private data. This data can include passwords, contact lists, text messages, and live voice calls (even those via end-to-end-encrypted messaging apps).

The attacker can control the phone's camera and microphone, and use the GPS function to track a target.

To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server. The spyware can evade forensic analysis and avoid detection by anti-virus software. Also, the attacker can remove and deactivate the spyware, when and if necessary.

Pegasus: The beginnings
According to a profile of the NSO Group published by the French non-profit Forbidden Stories, which has published the 'Pegasus Project' along with its media partners, the company were started by Shalev Hulio and Omri Lavie, friends who started out with a product placement start up Media and in the early 2000s. The startup was all but washed out by the recession of 2008, but Hulio and Lavie found an opportunity in the 2007 launch of Apple's iPhone. It marked a watershed moment - people began to use handheld devices for more than just calling and texting at scale.

Hulio and Lavie launched Communitake, Forbidden Stories reported, which allowed users to take control of any Smartphone from a distance. This was originally meant for mobile operators, who would want to take control of devices to provide tech support. But as the use of smart phones spread and the need arose for providing security features like encrypted messaging services, this presented a challenge for law enforcement and intelligence agencies.

So far, intelligence agencies would intercept a message or call while it was in transit on networks of telecom companies. But encrypted services meant that without the encryption key, they couldn't access the message anymore - unless they accessed the device itself and decrypted the communication.

Spy - Tech and Zero - Click
From here on, NSO started focusing on building Pegasus as a spying solution for intelligence agencies and police forces. The narrative they built was that government agencies would use it to tackle terrorism, drug-trafficking, etc. But its first known state client - Mexico - then equipping itself with cyber-espionage tools to fight drug trafficking, went beyond the script. Forbidden Stories reported that more than 15,000 numbers were selected for targeting by Mexican agencies between 2016 and 2017. Among these were those of people close to then candidate Andres Manuel Lopez Obrador, now Mexican President, besides journalists, dissidents, their colleagues and family members.

This catapulted NSO Group to a leader in the spy-tech industry, leaving behind then heavyweights such as European companies Hacking Team and Fin Fisher.

Until then, Pegasus was utilising attack vectors such as malicious links in e-mails and SMS. Once clicked, the link would install the spyware, giving the hacker complete access to the device without the target's knowledge. Then, it leapfrogged to zero-click infections.

Such infections, used in WhatsApp and iMessage hacks, do not require any intervention from the end-user. On WhatsApp, a missed call on the voice call feature would insert a malicious code into the device. With iMessage, a short message preview did the trick.

Pegasus Spyware Earlier Controversy
Researchers discovered the earliest version of Pegasus in 2016. This version infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.

In 2019, WhatsApp blamed the NSO Group for exploiting vulnerability in its video-calling feature which secretly transmitted malicious code in an effort to infect the victim's phone with spyware without the person even having to answer the call.

In 2020, a report showed government operatives used Pegasus to hack phones of employees at Al Jazeera and Al Araby.

Recent Pegasus Spyware Attacks in India
Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm. Indian ministers, government officials and opposition leaders also figure in the list.

In India, several opposition leaders including Rahul Gandhi were on the leaked potential targets' list. Smartphones of Politicians, Journalists were hacked for gathering confidential information. This is the first time in the history of this country that all pillars of our democracy - Judiciary, Parliamentarians, Media, Executives and Ministers - have been spied upon.

The Indian government has denied any wrong doing or carrying out any unauthorised surveillance. However, the government has not confirmed or denied whether it has purchased or deployed Pegasus spyware.

Issues with Government's surveillance
In 2012 in Himachal Pradesh, the new government raided police agencies and recovered over a lakh phone conversation of over a thousand people, mainly political members, and many senior police officials, including the Director General of Police (DGP), who is legally responsible for conducting phone taps in the State.

In 2013, India's current Home Minister Amit Shah was embroiled in a controversy dubbed Snoopgate, with phone recordings alleged to be of him speaking to the head of an anti-terrorism unit to conduct covert surveillance without any legal basis (as there was no order signed by the State's Home Secretary which is a legal necessity for a phone tap).

The UPA government in 2009 said that the CBDT had placed a PR professional, under surveillance due to fears of her being a foreign spy. Later on, the CBDT did not prosecute the person.

Such examples of unlawful surveillance which seem to be for political and personal gain are antithetical to the basic creed of democracy. Consequently, they also bring up the need for ensuring that the surveillance is necessary and proportionate.

Legislations on Surveillance
The laws authorizing interception and monitoring of communications are:

1. Section 92 of the Criminal Procedure Code (CrPC)
2. Rule 419A of the Telegraph Rules
3. The rules under Sections 69 and 69B of the IT Act

The Telegraph Act
Section 5(2) of the Telegraph Act of 1885 provides the basis for interception of telephone calls, or phone-tapping as it is colloquially called. The constitutionality of this was challenged in the Supreme Court by the People's Union for Civil Liberties, and in a judgment dated December 18, 1996, the Supreme Court upheld the constitutionality of the provision, subject to certain procedural safeguards which were later codified in Rule 419A of the Telegraph Rules, 2007.

The suggestion that since Phone - Tapping is permitted under Section 5 of the Telegraph Act, this means Pegasus can also be procured and put to use under the said provision, is a lazy analysis not only of the law but also of Pegasus, which is by no means a mere tool for the interception of messages.

The scope of Section 5(2) of the Telegraph Act is to prevent transmission, carry out interception and ensure disclosure of message(s).

The term 'message' is defined in Section 3(3) of the Telegraph Act to mean:
Any communication sent by telegraph, or given to telegraph officer to be sent by telegraph or to be delivered.

Thus, at best, Section 5(2) can be resorted to in order to authorise interception of messages including multimedia messages sent (or received) by a device to (or from) another device. It does not envisage constant surveillance by the electronic device including of all multimedia files which were created in the device and not sent by telegraph to anyone else, nor does it envisage recording people's real-life interactions that take place in the vicinity of their device but not through it.

This concept is better understood once the term interception has been analyzed.

Information Technology Act
The Minister of Electronics and Information Technology, Ashwini Vaishnaw, on July 19, 2021, stated in parliament with regard to the allegations of the use of Pegasus that, In India, there is a well established procedure through which lawful interception of electronic communication is carried out….

This begets the question – what is the scope of the term interception?
The answer to this lies in Rule 2(f) of the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, which were passed in furtherance of Section 69 of the IT Act which provides power to issue directions for interception, decryption or monitoring of information.

Interception is defined to mean the acquisition of the contents of any information so as to make the contents of the information available to any person other than the sender, recipient or intended recipient of the communication. Thus, it is amply clear that 'interception' can only be done of the contents of information that forms part of some 'communication' through a computer resource, and not of actions and conversations that simply happen to be near a computer resource.

In simpler words, this implies that lawful interception means that the government can have eyes and ears on messages and media shared through electronic devices, but it cannot weaponries the device itself to be an eye and an ear to what happens around it as opposed to in it.

Intercepting messages does not mean turning phones into spy-cams
In effect, interception of messages and information under the Telegraph Act and the IT Act only applies to 'communication' made through telegraph or computer resources, which is very different from the wide arsenal of surveillance that is offered by Pegasus once it infects a phone.

The use of someone's mobile phone's microphone or camera to record her actions or conversations which take place in their daily lives, and not over their electronic device, is thus not authorised by either Section 5(2) of The Telegraph Act or Section 69 of the Information Technology Act.

To argue the contrary is to fundamentally fail in understanding the difference between surveillance by lawful interception and illegal surveillance by unlawful hacking of electronic devices.

The law allows the state, under certain circumstances, to keep an eye on our devices, but that does not permit the state to turn the device itself to its eyes to record things and actions that do not use the electronic device. It is that jump from surveillance over electronic devices to surveillance by electronic devices which makes Pegasus alien to the scheme of the Telegraph Act and the IT Act, and it travels from the field of interception to that of illegal hacking, which attracts the penalties listed under Chapter IX of the IT Act.

In light of the Pegasus spyware scandal, what are the checks and balances to prevent abuse of procedures?
An international group of news publications are reporting that a spyware known as Pegasus has been used to spy on Politicians, Journalists, and Activists, primarily in 10 Countries. The need for parliamentary debates is rooted not only in the desire to iron out creases in draft legislation, but also to address issues of public importance and inform citizens on state policies and clarify issues that may emerge from time to time.

It is precisely this function which parliament failed to fulfil, for one reason or another, in the abruptly concluded Monsoon Session. The Modi Government chose not to make clear and categorical statements regarding the serious allegations of the use of Pegasus Spyware to snoop on the Opposition, Journalists and Human Rights activists.

While the government is suggesting that any public discussion on the use of Pegasus may pose a threat to national security – the CJI has said that the court will be mindful of this – that in itself does not prevent a discussion on the legal regime of surveillance in India and whether the use of Pegasus would fall within or without the confines of the law.

Simply put, spyware like Pegasus cannot be lawfully used in India as it is not only unconstitutional but also does not have legal sanction.

How can we fight terrorists then?
It cannot be argued against lawful interception of messages and information sent or communicated over electronic devices.

The law clearly allows for that, and that gives ample ammunition to the intelligence and law enforcement agencies to track terror activity. Any messages or information sent from one device to another can be lawfully intercepted by state agencies. Thus, if any terror outfit sends any messages or information to one of its sleeper cells, such messages can be intercepted under the law without even resorting to use of deeply pervasive software like Pegasus.

The use of Pegasus allows interception and much more, and it is in this domain of what more Pegasus offers its clients which are of alarm and concern, and which travels far beyond the realm of lawful interception carried out in the interest of the State. The argument of need for Pegasus to intercept terrorism related messages is premised on the notion that lawful interception cannot be done by any other means, and that the use of Pegasus will be limited to interception only and nothing more, although there is no way to presently gauge its use and keep a check.

The government of India has not placed any material in the public domain to justify either of these two notions.

Incompatible with India's constitutional democracy
One of the essential limbs of the test of proportionality is that state action must have a legitimate aim which is permissible in a democracy, and that it must also be the least invasive means to achieve the state's goal.

The use of a Pegasus-like spyware which provides remote access not only to the electronic device but also to the life and activity around the device, exposes journalists and political opponents of the government and leaves them vulnerable to excesses. One can imagine that if the government has eyes and ears on the whereabouts of all potential whistleblowers, then not enough whistles will get blown, which is detrimental to a functional democracy.

A deafening silence of state-controlled media would overpower public narratives and dissenting voices would find it impossible to exercise their constitutional rights if all their conversations and actions are under constant watch and scrutiny, even if it is carried out in the purported privacy of one's home.

A deeply pervasive spyware like Pegasus, which effectively turns an electronic device into a spy cam, can never be permitted as an investigative or security tool which is deployed in use against India's own citizens – be it journalists, social activists, politicians, lawyers, court officers, judges, or victims of sexual harassment at the hands of mighty men.

The distinction between intercepting messages or information sent over electronic devices vis-a-vis an electronic device working as a spy cam to record one's actions and communications which were not carried out through the said device, is critical to the issue of illegality of Pegasus.

The law may permit the state to look through an individual's phone for information, but it definitely does not permit the state to constantly look at the individual through his phone.

For instance, if I am wondering somewhere, and send a picture of it to my friend through my phone, the interception if carried out for one of the legitimate grounds listed under Section 69 of the IT Act would result in the state learning that I sent a picture of myself wondering to my friend. However, if I don't wonder and take no picture of it and tell nobody, yet if the state uses my mobile which was placed with me at every instance to turn the camera on through Pegasus and Record me wondering, then such a recording is not lawful interception but illegal hacking which breaches the fundamental core of my privacy and my intimate life.

This example would hold true for anything one does without using their electronic devices, which the state captures an image, audio or video of, using Pegasus on people's phones. Concepts of spousal privilege and lawyer-client confidentiality, the right to silence and the right against self-incrimination, would all stand in jeopardy under the glare of Pegasus.

The inner core of privacy, intimacy and human dignity would stand shredded if Pegasus was sanctioned by law, and that is why it is argue that such a software would not be constitutionally compatible in India, even if new legislation is attempted to be brought in to protect it, as it would be an unreasonable and disproportionate restriction on the fundamental right to privacy and human dignity.

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organizations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International's Security Lab.

Who can conduct Surveillance under Indian Law?
A limited number of agencies are provided powers to intercept and monitor. In 2014, the Ministry of Home Affairs told Parliament that nine central agencies and the DGPs of all States and Delhi were empowered to conduct interception under the Indian Telegraph Act.

In 2018, 9 central agencies and 1 State agency were authorized to conduct intercepts under Section 69 of the IT Act. The Intelligence Organizations Act, which restricts the civil liberties of intelligence agency employees, only lists four agencies. However, the RTI Act lists 22 agencies as intelligence and security organizations established by the central government that are exempt from the RTI Act.

K.S. Puttaswamy judgment, 2017 regarding Surveillance
The K.S. Puttaswamy judgment, 2017, made it clear that any invasion of privacy could only be justified if it satisfied three tests:

1. The restriction must be by law
2. It must be necessary (only if other means are not available) and proportionate (only as much as needed)
3. It must promote a legitimate state interest (e.g., national security)

The judgement held that privacy concerns in this day and age of technology can arise from both the state as well as non-state entities. As such, a claim of violation of privacy lies against both of them.

The Court also held that informational privacy in the age of the internet is not an absolute right and when an individual exercises his right to control over his data, it may lead to the violation of his privacy to a considerable extent.

It was also laid down that the ambit of Article 21 is ever-expanding due to the agreement over the years among the Supreme Court judges. A plethora of rights have been added to Article 21 as a result.

The court stated that Right to Privacy is an inherent and integral part of Part III of the Constitution that guarantees fundamental rights. The conflict in this area mainly arises between an individual's right to privacy and the legitimate aim of the government to implement its policies. Thus, we need to maintain a balance while doing the same.

Various recommendations in the past regarding Surveillance
In 2010, then Vice-President called for a legislative basis for India's agencies and the creation of a standing committee of Parliament on intelligence to ensure that they remain accountable and respectful of civil liberties.

The Cabinet Secretary in a note on surveillance in 2011 held that the Central Board of Direct Taxes having interception powers was a continuing violation of a 1975 Supreme Court judgment on the Telegraph Act.

In 2013, the Ministry of Defence-funded think-tank published a report which recommended that the intelligence agencies in India must be provided a legal framework for their existence and functioning; their functioning must be under Parliamentary oversight and scrutiny.

In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India's intelligence agencies are potentially unconstitutional. This is because they are not constituted under a statute passed by Parliament - the National Investigation Agency being an exception.

Written By: Bhaswat Prakash, Student at Ajeenkya DY Patil University, Pune