Legal experts weigh in on the unfolding Pegasus controversy and suggest future steps towards surveillance reform such as parliamentary oversight, judicial oversight, and more.
Where do we go from here? This has been the question on most citizens’ minds as reports claimed that the Israeli firm NSO Group’s Pegasus spyware has targeted several Indian politicians, journalists, and activists. Firstly, it is unclear whether there are any possible defences against this military-grade spyware which deploys a zero-click attack — essentially meaning that one doesn’t have to click on a malicious link for this malware to activate; it can infect your phone because of an existing vulnerability in the system.
Secondly, since NSO Group has said that it sells its products only to vetted governments and agencies, there is a deeper concern of state-sponsored surveillance. This brings us to the question: Is our current mechanism of containing surveillance efficient? Do we have enough checks and measures in place to question, say, an abuse of surveillance mission by a government or an agency?
The experts MediaNama spoke to gave varied responses in this regard. While one proposed a judicial oversight mechanism with penalties in place for possible misuse, another contended that the country’s existing laws and statutes are sufficient to tackle such cases. Another expert referred to the Shah Commission Report which was constituted after the 1975 Emergency in India to record institutional excesses.
Many interestingly pointed towards Congress MP Manish Tewari’s Private Member’s Bill on regulating intelligence agencies, introduced in 2011. MediaNama did a summary of the different provisions of the bill.
What kind of parliamentary structure should exist to tackle surveillance?
Rahul Narayan, a Supreme Court advocate was for the constitution of an oversight mechanism within the parliamentary framework. He said that the role of Parliament would be to pass a law with robust safeguards and stringent rules imposed on the executive before any surveillance is undertaken.
“This should include policy over how long surveillance can continue for, deletion of data etc. The actual mechanism must involve at least 1 person outside the executive, typically a judge who should have the responsibility of actually issuing a warrant based on evidence put before him. The scope of emergency surveillance orders must be severely limited subject to a judge determining whether they should continue or not,” Narayan said.
Alok Prasanna Kumar, senior resident fellow at the Vidhi Centre for Legal Policy said that the first step should be to ensure that there is a legislative basis for the existence of these agencies clearly mandating what they can and cannot do. “Without that, any parliamentary oversight will be futile,” he said.
It’s a little difficult to identify with absolute specificity what intelligence agencies can and cannot do but I think the more important thing is that they should have to justify their actions before a Parliamentary committee or some authority which is independent of executive and ask tough questions. Broadly, of course, intelligence cannot be permitted to collect data of everyone without proper authorization and reasons, cannot be permitted to breach individual privacy without immediate justification, etc — Alok Prasanna Kumar, senior resident fellow at Vidhi Centre for Legal Policy
Is judicial oversight necessary?
Narayan said that although proceedings for surveillance are necessarily secret, there has to be a way to keep a check on executive powers. “In this case, a careful law interpreted by the judicial branch should permit surveillance when necessary while ensuring the process is not abused to gather intelligence on opposition leaders etc,” he said adding that the judge should be responsible for issuing a warrant based on concrete evidence, in areas of alleged organised crimes, narcotics-related crimes, national security issues, and so on.
Meanwhile, Kumar had a different opinion. “Judicial oversight is almost never realistic oversight. The experience of this in India and elsewhere is that the “judicial oversight” is usually used to give a cover of legality to the actions of the intelligence agencies. In the absence of transparency and assured independence of the judges in question, such judicial oversight inevitably becomes a box-ticking exercise,” he said.
Kumar stressed that there have to be substantive limits on the powers of intelligence agencies, and both Narayan and Kumar were unanimous in their opinion that certain information accrued through surveillance should be declassified and made public after a certain period of time. While Narayan proposed a 10-year gap, Kumar did not specify a timeline. The latter also said that “blanket RTI exceptions should be removed and it should be limited only to operations”.
‘Sufficient safeguards already in place’
Supreme Court advocate Gopal Sankaranarayanan had a different opinion from the first two experts. He did not agree that there was a lack of regulation to deal with such situations. “Under the IT Act as well as the Telegraph Act and Rules, there are sufficient safeguards in place to tackle a Pegasus-like situation.”
However, he raised the following points of concern regarding the Pegasus spyware attack:
- Action by a foreign private entity in hacking into the phones of Indian citizens.
- The probable conspiracy by individuals in the Indian Government in carrying out such hacking
- The lack of any Constitutional protection to those public servants who have placed orders with the NSO to carry this out.
Commissions had recommended bringing intelligence agencies under governance framework
Without going into the details of what a possible framework for governing intelligence agencies could look like, Nitin Pai, co-founder of the Takshashila Institution pointed out that the Shah Commission’s Report into the excesses during Emergency had recommended that intelligence agencies and CBI must be placed under a governance framework. “The LP Singh Committee that was appointed to follow up on the Shah Commission report recommended that the IB be covered by a statute and given a written charter,” he said.
What does the Shah Commission report say? According to India Today, the second report of the commission had suggested that steps should be taken to improve the workings of the intelligence agencies. Quoting from the Shah Commission report, the India Today article said, “Their activities and achievements should be suitably overseen and evaluated by responsible forums composed of persons specially selected for their integrity and sense of public duty functioning independently of the intelligence agencies.”
What did the LP Singh Committee report say? According to a report by Outlook, the LP Singh Committee had pointed out that the Intelligence Bureau which was created by the British before 1947 and the Central Bureau of Investigation which came into existence after 1947, were functioning without formal charters of their functions and responsibilities. The committee stressed the need for formal charters to prevent future misuse, but also recommended government detailed model charters for adoption.
“Needless to say protecting citizens’ fundamental rights is crucial to this. The goal of the governance mechanism is to strike a deliberate balance between national security and individual rights,” he added.
More reading on Pegasus
- A decade-old Bill had proposed to regulate surveillance by govt agencies; this is what it said
- A Guide To The NSO Group’s Pegasus Spyware In India
- Members Of Parliament React To Pegasus Spyware Controversy Amidst Monsoon Session
- ‘Illegal And Deplorable’: How Pegasus Spyware Targets In India Are Reacting
- Amazon Web Services shuts down infrastructure linked to Pegasus vendor NSO Group
Update, July 21, 1.50 pm: Takshashila Institution was incorrectly named as Takshashila Foundation. The error is regretted.