17 of the 22 human rights activists, academics and lawyers, who had been targeted by the Pegasus spyware using a WhatsApp vulnerability, have written to the Parliamentary Standing Committee on Information Technology (letter below), asking it to summon government departments to answer questions related to their unauthorized surveillance operations and if they had purchased and deployed Pegasus. Calling the revelation of this kind of surveillance “deeply disturbing” and a “flagrant violation of our rights as citizens”, they have also volunteered to provide an oral testimony to the committee.

The standing committee is scheduled to meet tomorrow, that is, November 20. MediaNama had earlier reported that the standing committee would take up the WhatsApp issue in its meeting. In addition, the committee is also expected to discuss the cyber attack on Kudankulam Nuclear Power Plant. It is headed by Dr Shashi Tharoor.

19 of the 22 affected people had earlier written an open letter to the government of India, asking it to reveal all information it has about the attack, other similar methods of mass surveillance, and the identity of concerned players. WhatsApp had told the Indian government that 121 people were targeted by Pegasus in India through the WhatsApp vulnerability.

Nihalsing Rathod, one of the people who was targeted using Pegasus, told MediaNama that the signatories believe this committee “to be more empowered, with more expertise on the issue” as it deals with data security and surveillance. The signatories haven’t written to the Standing Committee on Home Affairs, which is the other Parliamentary committee that is looking at this surveillance row.

“It is, therefore, incumbent on the government to act immediately and decisively against these flagrant violations of fundamental rights and freedoms of Indians by dubious actors and entities with possible links to foreign governments.” (from the letter)

What questions do they want answered?

The signatories have asked the committee to seek answers to the following questions [edited for brevity] from the government departments:

  1. Which agencies are carrying out this targeted and unauthorised surveillance of Indian citizens?
  2. Are sections of the Indian government, central or state, involved in deployment of the Pegasus software?
  3. Has public money been spent on these illegal and unauthorised attacks? Under whose authorisation?
  4. Are central security agencies aware of the presence of NSO Group employees and operatives in India? Have these operatives entered the country legally?
  5. Who were the individuals under surveillance by the Central or State agencies using this or other related technology?
  6. What steps is the government taking to identify and prosecute the entities involved in the Pegasus attacks and other possible instances of illegal and unauthorised surveillance of Indian citizens?
  7. What steps is the government taking to identify and repair the breaches in the national telecommunications infrastructure and protect it against any further attacks?
  8. Which companies, agencies and other entities are authorised by the Government of India to carry out surveillance in accordance with legal provisions? What are the terms and conditions that govern the operations of these agencies? What are the arrangements for monitoring and overseeing their work?

While the NSO Group has repeatedly claimed that it sells its products only to governments and law enforcement agencies, the letter draws attention to IT Minister Ravi Shankar Prasad’s statement which, the letter says, “suggests that this targeting … has been carried out without the knowledge and permission of the Government of India”. They have called this attack by “foreign private companies and other foreign actors” on “national telecommunications infrastructure” a “direct attack on our national sovereignty”.