A PIL has been filed in the Supreme Court seeking a direction to form a Special Investigation Team under Supreme Court supervision to investigate the Pegasus scandal and prosecute all accused persons/ministers for buying Pegasus spyware and snooping on citizens of India, including judges, opposition leaders, political persons, activists, advocates, and others, for their vested political interest since 2017 under provisions of the Information Technology Act, 2000, the Official Secrets Act and the Indian Penal Code.
The PIL, filed by Advocate Manohar Lal Sharma, further prayed for a declaration that the purchase of Pegasus spyware for snooping is illegal and unconstitutional, being violative of Articles 21, 266(3), 267(2) and 283 of the Constitution, and that Prime Minister Narendra Modi and his minister are jointly and severally liable to return, with interest, the amount issued from the public treasury without the permission of Parliament.
According to the PIL, the cause of action arose to the petitioner on 28.11.2019 when the Prime Minister and his Minister did not reply in the Lok Sabha in response to pointed questions from Congress MPs Digvijaya Singh and Jairam Ramesh whether the government had bought Pegasus software. Another fresh cause of action arose on 20.07.2021 when, in the Rajya Sabha, the minister again did not reply to the same question raised by the opposition about the purchase of Pegasus spyware from Israel and its use in India against opposition leaders, human rights activists, and political rivals prior to the 2019 Lok Sabha elections and thereafter. It amounts to an admission, a serious violation of Articles 21, 266(3), 267(2) and 283(2) of the Constitution of India read with serious financial and personal injury to the citizens of India.
It is submitted by the petitioner that the Pegasus scandal is a matter of grave concern and a serious attack upon Indian democracy, the judiciary, and the country’s security. The widespread and unaccountable use of surveillance is morally disfiguring. Privacy is not about the wish to hide, as is often asserted. It is about having a space of one’s own where our thoughts and being are not the instruments of someone else’s purposes. It is an essential component of dignity and agency. Pegasus is chilling software. It is not just eavesdropping on conversations; it can be used to access the entire digital imprint of your life. It renders helpless not just the owner of the phone hacked but everyone who is in contact with them.
The national security implications of these revelations are enormous. The explosive growth of surveillance technology vendors is a global security and human rights problem. It is not primarily China, but democratic states like Israel and UK, that are selling technologies for deepening the surveillance powers of states. There needs to be a global compact, or at least one amongst democratic states, on regulating these technologies, said the PIL.
It is alleged that Pegasus is not just a surveillance tool. It is a cyber-weapon being unleashed on the Indian polity. Even if authorised (which is doubtful), the use of Pegasus poses a national security risk.
Pegasus was discovered in August 2018 after a failed attempt at installing it on an iPhone belonging to a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus. To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Pegasus exploit links and C&C servers use HTTPS, which requires operators to register and maintain domain names.
The PIL highlighted Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies.
In the petition, Manohar Lal mentioned various news reports regarding controversies surrounding the Pegasus software. In late 2019, Facebook initiated a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of a number of activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved. Moreover, in July 2021, widespread media coverage of the Project Pegasus revelations, along with an in-depth analysis by human rights group Amnesty International, uncovered that Pegasus was still being widely exploited against high-profile targets. It showed that Pegasus was able to infect all modern iOS versions up to the latest release, iOS 14.6, through a zero-click iMessage exploit.
“Snooping by using Pegasus software attracts criminal offenses under The Information Technology Act, 2000, such as unlawful access to computer resources (that is without permission), disclosure of computer records and altering computer data without permission, i.e. Section 65, tampering with computer source documents, Section 66, hacking computer system: (1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking; and (2) Whoever commits hacking shall be punished with imprisonment up to 3 years, or with fine which may extend up to Rs. 2 Lakh, or with both. The section talks about hacking activity. Section 72, the penalty for breach of confidentiality and privacy for two-year imprisonment,” the PIL reads.