In the second part of a series analysing the legal questions surrounding the Pegasus Project revelations, NIPUN SAXENA examines the Indian legal framework governing lawful interception of phones and data provided by the Indian Telegraph Act, 1885, the Information Technology Act, 2000, and the rules framed thereunder to uncover some complex constitutional questions and demonstrate the disparity between what is allowed by India’s legal architecture in this regard, and what the NSO Group’s contractual terms are regarding the use of Pegasus. Regardless of whether the snooping was authorised by the Indian State, a foreign government, or some private entity, Indian law has been violated in every scenario.

——-

IN Part–I of this series, after analysing the contractual provisions and policy of Pegasus’s developers NSO Group, the question which I posed that, dare I say would have tremendous ramifications for our national interest is could the exercise of sovereign powers of surveillance be contractually performed by a corporate entity registered in a foreign territory?

A sequitur would perhaps be if a ‘co–surveillance’ exercise jointly carried out by the State and a foreign entity would survive constitutional scrutiny.

A third question which also has to be posed in the Indian context is could this mechanism of co-surveillance be the death knell of the very avowed objective of ‘national security’ in pursuance of which the State allegedly employed Pegasus?

But let us first set the tone for the Indian context. The first formidable instance of en masse phone tapping came here in 1991 when the Central Bureau of Investigation submitted a report about the phones of many politicians being tapped, which reeked of unbridled discretion in the hands of a few to snoop on the many.

This led to widespread public outcry and resulted in the human rights body People’s Union for Civil Liberties (PUCL) filing a writ petition before the Supreme Court. The counsel appearing for the Government of India did not question the authenticity of the report, which disclosed a lack of uniformity in the mode and manner of collecting and storing intercepted copies.

In many cases, interception went on beyond the statutory mandate of 180 days only on oral assurances, and none of the procedural safeguards guaranteed under the Indian Telegraph Rules of 1951 were being complied with.  

The Supreme Court held, in its 1996 judgment, that while the sovereign right to carry out interception may be necessary in certain circumstances, the same cannot be enforced to sacrifice the privacy of citizens at the altar of democracy, since surveillance is the most intrusive form of encroachment of privacy.

The Supreme Court stressed the need for appropriate safeguards to be laid down. The court also decided that there was no requirement of prior judicial scrutiny of the interception, and instead directed that the practice in the U.K., where an order of surveillance could only be passed by the highest offices of the bureaucratic setup, be followed. The power to issue orders for phone-tapping was thus conferred in the hands of the Secretary, Union Ministry of Home Affairs.

Also read: Pegasus Project latest: Anil Ambani and Dassault’s India representative, many Kashmiri separatists and journalists, Tibetan officials feature on the list

As indicated in the previous part, the NSO Group has clarified that Pegasus works on a solitary surveillance request model, which means that the client State has to request for every suspect individually by sharing their contact number. In this way, it is more akin to wire-tapping technology, than to a mass-surveillance machine.

In that context, it would be apposite to briefly examine the law which applies to the traditional wiretapping model of surveillance, including the safeguards that were laid down by the Supreme Court of India in its PUCL judgment, and draw parallels with the unique challenges that the technological innovation of Pegasus poses.

Pegasus’s tango with Indian Telegraph Act and Information Technology Act

Some might argue that the sophisticated technology employed by Pegasus cannot possibly be regulated by archaic laws such as the Indian Telegraph Act, 1885 and rest this assumption on the Biblical parable of putting new wine into old wineskins

This cannot be any farther from the truth as the entire scheme of the Indian Telegraph Act operates on a fundamental assumption that the power to carry our interception vests exclusively in the sovereign State. In other words, the power to order interception solely and exclusively vests in the officer appointed by the Central or State Government in this regard. Section 5(2) of the Indian Telegraph Act further enjoins that there are a few fundamental conditions that have to be fulfilled for the valid exercise of powers of interception therein:

  1. Such power can be exercised only by the central/state government or an officer appointed by either to exercise such powers;
  2. The occasion to exercise the power of interception shall only arise if there is a public emergency or if it is in the interest of public safety;
  3. Satisfaction has to be recorded in writing that it is necessary and expedient to do so in the interest of “security of state”, “sovereignty and integrity of State”, “friendly relations with foreign nations”, “public order” or for “preventing incitement to the commission of an offence”.

Section 26 of the Telegraph Act prescribes a punishment of up to three years for unlawfully intercepting or disclosing, messages, or divulging the purport of signals. Section 7(2)(b) empowers the central government to also frame appropriate rules for the precautions to be taken in order to prevent the improper interception or disclosure of messages.

Also read: Pegasus revelations undermine soft power of India

In the context of the Information Technology Act, 2000, the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 came to address the lacunae in the Telegraph Act, which does not define “interception” in the digital context.

Instead of “messages”, the 2009 IT Rules provide for interception, decryption and monitoring of “information” which is broader in its ambit and covers a spectrum of data within its meaning. The definition of “interception” under Rule 2(l) now means the “acquisition” of the contents of any information carried out through the use of “any means” so that the information could be accessed by any person other than the sender or recipient of that information. The definition also includes the power to monitor, view, examine, inspect or even divert any information from its intended destination to a different destination.

Similarly, the definition of “monitor” contained in Rule 2(o) brought within its ambit the power to record the information. The power to decrypt the information under Rule 2(f) would further entail the conversion of information in the non-intelligible form to an intelligible form through the complex use of algorithms and mathematical formulae to make the information intelligible.

From a bare reading of the statutory scheme of both legislations, it clearly emerges that the power of the State to order interception is not subject to any supranational approval process. If it is established that the State has in fact submitted its request of surveillance of a “suspect” with evidence to NSO, that would be a process that hits the core of the legislative scheme and all the protections guaranteed and afforded under it. 

The statutory scheme provides additional protection to the press since accredited journalists and members of the press have additionally been safeguarded from interception in terms of the Proviso to Section 5(2) of the Telegraph Act, 1885 which in no uncertain terms maintains that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this sub-section.

This additional protection was engrafted into the statute to eliminate any chances of snooping by the State against journalists unless the transmission was prohibited under the grounds mentioned in Section 5(2). This clearly means that the State would have to establish that it has credible actionable information against every such journalist whose phone was intercepted and that there was an order to that effect passed by a competent officer appointed by the government who had passed an order recording his individual satisfaction as to the involvement of every journalist in acts which are against the security of the nation. However, no such protection is available to journalists and members of the press under the 2009 IT Rules.

Also read: Pegasus tracking reporters portends dark future for Indian journalism

Assuming that the State does have actionable information on every Indian person who has been named in the Pegasus Project’s alleged leaked list, and assuming further that every information discloses involvement in the commission of an act which is against the security of the nation which has been so recorded by reasoned order, what is baffling is that it would form part of a further request to the NSO Group’s headquarters in Israel for a further assessment/review (as per the contractual terms revealed by NSO, which were examined in the previous part) on the basis of which Pegasus license would be issued to carry out surveillance on a case to case basis.

This not only undermines national security but would also have a perilous effect on the sovereignty of the State itself since the Government of India would be trusting its data with a corporate entity. The same data containing sensitive actionable information, if released, would have disastrous implications for the sovereignty and integrity of India. In doing so, will the State not violate its own constitutional mandate by being an accessory to the disclosure of that information to a foreign corporate entity?

Of Procedural Safeguards and fallacies

The Indian Telegraph (Amendment) Rules, 2007 incorporated Rule 419A into the Indian Telegraph Rules, 1951 for providing additional safeguards to citizens. These safeguards also form part of the 2009 IT Rules.

The only distinction between the two sets of Rules is that while an external agency is called a “service provider” in Rule 419A of the Telegraph Rules, the 2009 IT Rules use the expression “intermediary”. The order for interception can only be passed by the Secretary, Union Ministry of Home Affairs or the Secretary of Department of Home Affairs in the State Government, depending upon the nature of such request.

A very crucial safeguard is the recording of the satisfaction of the officer that there are no other means through which this information can be accessed, and therefore interception is being carried out as a last resort.

Other safeguards which are guaranteed under Rule 419A are:

  1. The order carrying out interception shall be reviewed by a Review Committee headed by the Cabinet Secretary and a copy of the order will be sent to the Review Committee within seven days;
  2. The order shall specify the person to whom the intercepted messages would be disclosed to and also specify that those messages are subject to the requirements of Section 5(2) of the Telegraph Act;
  3. The power to intercept shall remain valid for a period of 60 days from the date of issuance of order, and in any case not extend over a period of 180 days;
  4. Proper records have to be made about the messages which are intercepted, including a record of the officer to whom the disclosures have been made, the duration of the interception, and  the mode and manner in which intercepted copies were made and destroyed;
  5. The service providers shall put in place adequate and effective internal checks to ensure that unauthorised interception of messages does not take place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of interception of messages as it affects the privacy of citizens, and also that this matter is handled only by the designated nodal officers of the company. The employees of the service provider are also liable for offences under Sections 2020A23 and 24 of the Telegraph Act for any unauthorised surveillance or interception.

For NSO to be made amenable to these Rules, it would have to be established that NSO had in fact been appointed as a “service provider” by the Government before availing the services of the Pegasus spyware. There are no rules which lay down the procedure as to how an entity can become a service provider.

Also read: Pegasus Snooping Victim Explains Why Users No Longer Believe WhatsApp and Mobile Phones Are Secure

One wonders: why would an Israeli company knowingly submit itself to the jurisdiction of one of its customers and would also undertake to be bound by the high standards set out in the provisions of Rule 419A(14) and 15 of the Telegraph Rules? Furthermore, can a foreign agency with its areas of operations and servers located abroad be even classified as a ‘service provider’?

It certainly wouldn’t be far-fetched to think that NSO could give a fly-by to the various procedural safeguards laid down by the Supreme Court in its PUCL judgment, which only found statutory recognition in Rule 419A almost a decade later.

In the context of the IT Act, while Section 2(1)(w) of the Act defines an intermediary as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, web-housing service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes”, this functional definition is given a further expansion under the 2009 IT Rules, where the intermediary has now been conferred with additional tasks of “interception”, “decryption” and “monitoring”.

However, on a bare reading of the contractual provisions claimed to be entered into by NSO with its client countries, it appears that it is the client/State which has to make the request, along with supporting evidence, which is then the subject matter of review/assessment by the company’s management, instead of what has been contained in the Rules.

Also read: Pegasus and Cyberweapon Threats in the Age of Smartphones

If this was a mere contractual dispute, it could well have been argued that the specific contractual recital is against the wordings of statutory rules, and is therefore unenforceable as being fundamentally opposed to public policy as per Section 23 of the Indian Contract Act, 1872.

But if the allegations reported by the Pegasus Project are true, and if the Government is, in fact, using the services of NSO, then the handing over of information with a request for surveillance seems to suggest that the law is subservient to a foreign contractual recital. It would also suggest that the sovereignty of our nation is subject to a contract dictated by a foreign company. 

Of Perception, International Covenants and the Constitution 

On a perceptual basis, can private persons or agencies be conferred with the right to store sensitive data, the misuse of which has all the makings of being a “threat to the security of the nation”? This question assumes even more significance when the entity is registered abroad.

Even the Supreme Court of India, while upholding the constitutional validity of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, read down Section 57 of the Act, unequivocally holding that body corporates or private individuals cannot store sensitive data of the citizens. It was also observed that the meta–base or digital repository of Aadhaar data cannot be stored, as it may result in a grave and serious national security risk. Understandably so, this led to Section 57 of the Aadhaar Act, 2016 being omitted in its entirety in the Aadhaar and Other Laws (Amendment) Act, 2019.

If Indian companies and corporate bodies have been forbidden from storing, collating, or processing sensitive data belonging to citizens, how can a foreign company registered abroad be permitted to collect or store data which may pose a significant national security risk? How can the Government of India, with the most laudable of intentions be justified in sending such data to NSO? Would that not be a fundamental breach by the State of the right to privacy of its citizenry? 

Now, if the State is not a customer of NSO, then on the basis of information collected by Project Pegasus, NSO could face grave charges of hacking, which is a punishable offence under Section 66 of the IT Act since personal information including chats, phone calls, messages, video and audio files have been accessed without the information and consent of people. The ghost of the Northern California District Court verdict from July last year would come to haunt NSO again.

With no data privacy law to protect its citizenry, India finds itself in a unique predicament, a sordid reminder of the Aadhaar enrolment drive, where data security was breached far too many times, and with citizens left without redressal. To borrow an expression from the controversial Mitrokhin Archive: India continues to be a Disneyland for anybody who is willing to offer the right price for the data of its citizens.

From a constitutional perspective, while there is no doubt tension between the legitimate objective of preventing the commission of an offence or an anti-terror activity which may imperil the security of the state and the rights of privacy and freedom of speech and expression of its citizens, a fine balance has to be carved between the two so that the power is exercised only on the basis of actionable information. The Indian State’s power to regulate the former cannot be unfettered or unregulated and must be kept in check with appropriate safeguards.

Also read: Pegasus: The cyber weapon for authoritarianism in India

Electronic surveillance is one of the most invasive forms of intrusion into the privacy of an individual, and the fact that it could be committed by a non-State actor is against all tenets of rule of law.

The liability of non-State actors for violation of human rights has been a subject of intense litigation before international judicial bodies, and principles of customary International law afford very little guidance in this regard. As a result, Nation-States continue to find more and more efficient and convenient means to evade their obligations under international covenants by seeking the assistance of private entities who pay no homage to such treaties and covenants.

The conclusion arrived by all social contractarian theorists such as English philosophers Thomas Hobbes and John Locke, and Genevan philosopher Jean-Jacques Rousseau was unanimous: that the State is the custodian of the security of its citizens, and that understanding forms the bedrock of the constitutional powers which the State could exercise to preserve its citizens’ security.

Will the co–surveillance model with a foreign entity shake the tectonic plates of the Constitution? If the State is in breach of its own commitment, one could only seek solace in Mark Antony’s famous words in the Shakespearean play ‘The Tragedy of Julius Caesar’: This was the most unkindest cut of all.

Click here to read Part-I

[Nipun Saxena is an advocate at the Supreme Court of India. The views expressed are personal.]