When The New York Times reported on 28 January that the Indian government had acquired the controversial Pegasus spyware as part of a defence deal with Israel in 2017, there was a great deal of outrage from the supporters of the Modi government, who saw it as a part of a grand conspiracy to derail a session of India's Parliament.
However, what they appear not to have realised is that India was hardly the focus of the NYT report, which was about how Pegasus had become a part of Israel's diplomatic efforts with several countries (of which India was just one).
The report, in fact, opened with how even the Federal Bureau of Investigation (FBI) in the US had been given a demonstration of the spyware's potential, despite one of the key features of Pegasus supposedly being that it couldn't be used to target phones in the US.
Another key allegation against the US government regarding Pegasus raised in the report was that it paid the government of Djibouti to purchase and use the spyware.
While the Indian government has refused to respond to the report and former ministers have called the American newspaper 'supari media', the FBI has now confirmed at least one aspect of the report.
In a statement to The Washington Post and The Guardian, as reported by the publications on 2 February, the FBI said it had indeed tested the Pegasus spyware under a "limited license."
"The FBI works diligently to stay abreast of emerging technologies and tradecraft – not just to explore a potential legal use but also to combat crime and to protect both the American people and our civil liberties. That means we routinely identify, evaluate, and test technical solutions and problems for a variety of reasons, including possible operational and security concerns they might pose in the wrong hands. There was no operational use in support of any investigation, the FBI procured a limited license for product testing and evaluation only."FBI statement to The Washington Post and The Guardian
While this does not categorically mean that everything else in the NYT report must be true, it certainly helps the credibility of its reporting, based on a year-long investigation, which involved speaking to intelligence and law enforcement officers in multiple countries, cyber-security experts, politicians, and human rights activists.
So what would it mean for India if NYT's claims about the Modi government's acquisition of Pegasus are true?
Would this affect the work of the technical committee appointed by the Supreme Court to look into the usage of Pegasus against Indian citizens? Would this mean that the Modi government has misled Parliament and the court? And would it mean that the Indian government broke the law, or is it instead entitled to use this kind of technology against Indian citizens?
1. What Value Will This Report Have for the Supreme Court Case?
A newspaper report, no matter how credible, cannot in itself amount to proof of a particular fact in a court of law.
While there are a number of circumstantial 'proofs' which may indicate that the Indian government did purchase the spyware, the Supreme Court can't rely on them to arrive at a finding that the government did, in fact, buy and use Pegasus.
The apex court, in particular, is not supposed to deal with questions of fact, since the evidence is not recorded before it. Any findings of fact would have to be made through affidavits or fact-finding inquiries – which is where the technical committee set up by the court on 27 October 2021 is crucial.
The terms of reference for the committee include the following question:
Whether any Pegasus suite of spyware was acquired by the Centre, any state government, or any central or state agency for use against the citizens of India?
The NYT report cannot amount to a confirmation for the committee either, but it could help in its inquiries.
Questions to the government can be made more pointed, since a potential timeframe for the purchase of the spyware has been identified, and the committee can also pinpoint which officials it can seek information from. It may even be that some of the sources for the NYT report could be convinced to provide evidence to the committee.
While the government could stonewall any inquiries from the committee, the Supreme Court had said that if they did refuse to provide answers, citing national security, "they must also prove and justify the same in Court on affidavit."
"They must justify the stand that they take before a Court," the order reads, adding: "The mere invocation of national security by the State does not render the Court a mute spectator."
2. Did the Modi Government Mislead Parliament or the Supreme Court Over Pegasus Use?
Central to the Supreme Court's decision to set up a committee to delve into the use of Pegasus was the Modi government's refusal to answer whether or not it had acquired and used the spyware. In its order, the court noted:
"However, despite the repeated assurances and opportunities given, ultimately, the Respondent Union of India has placed on record what they called a "limited affidavit", which does not shed any light on their stand or provide any clarity as to the facts of the matter at hand."
This refusal to answer the question – Solicitor General Tushar Mehta repeatedly argued in court that even a denial would be a potential security risk – does, however, mean that even if NYT's revelations are proved true, the Centre has made sure it hasn't actually misled the apex court.
At no point has anything the Centre said in the Supreme Court amounted to a denial of using Pegasus.
The same goes for Parliament – for the most part. Back in 2019, when the first revelations about Pegasus had come to light, then Law and IT Minister Ravi Shankar Prasad had said no "unauthorised interception" of communications had taken place.
On 19 July 2021, after the newer revelations were released by the Pegasus Project (the India partner of which was The Wire), current IT Minister Ashwini Vaishnaw once again failed to deny that it had been purchased or used.
Instead, he talked about the regime for lawful surveillance and interception in Indian law:
"In India, there is a well-established procedure through which lawful interception of electronic communication is carried out for the purpose of national security, particularly on the occurrence of any public emergency or in the interest of public safety, by agencies at the Centre and States. The requests for these lawful interception of electronic communication are made as per relevant rules under the provisions of section 5(2) of Indian Telegraph Act, 1885 and section 69 of the Information Technology Act, 2000."
He insisted that any interception of communications was approved by "the competent authority" and that there was an oversight mechanism for this.
If the NYT report's allegations can be proven, then technically, these statements would not amount to misleading Parliament, because the government's stand would be that any use of it was in accordance with this law and procedure.
However, there is a catch to this.
3. Would Usage of Pegasus After Following Interception Procedures Be Legal?
The Indian Telegraph Act and the Information Technology Act do allow for interception of electronic communications, but a tool like Pegasus arguably goes further than that.
The spyware doesn't just provide access to messages or information on a person's phone, it also allows the user to take control of their camera and microphone, turning them on and off remotely. Privacy experts have argued since 2019 that this amounts to hacking, rather than interception – which means even if the government does it, that's illegal.
Raman Chima, policy director at digital rights advocacy group Access Now, had explained this to The Quint back when the first allegations about the Pegasus use in India came out, saying:
“This could never have been actually legally used. In India, hacking a device is a criminal offence under Section 43 of the Information Technology Act. What NSO and Pegasus do is definitely an example of illegal hacking. That provision has no exception for the government.”
Several of the petitions filed in the Supreme Court following the more recent revelations, including by potential victims of Pegasus, have reiterated this argument.
According to the petitions filed by journalists Paranjoy Guha Thakurta, SNM Abdi, Prem Shankar Jha, Rupesh Kumar Singh, and activist Ipsa Shatakshi, the use of a "military-grade technology such as Pegasus" to compromise their phones amounts to 'hacking' as defined under the Information Technology Act.
This is, on the face of it, illegal, and a violation of Section 43 of the IT Act, since it involves accessing a computer system, damaging the device, and extracting data from it.
They also argue that the use of Pegasus violates:
Section 66B of the IT Act – which punishes dishonest receiving of stolen data.
Section 72 of the IT Act – which punishes breach of confidentiality and privacy.
The problem, of course, is that there has been no judicial finding on this issue as of yet. As a result, the government can still get away with it claiming that even if Pegasus was used, it could be done legally.
However, this could change after the Supreme Court eventually delivers its judgment in this matter. The petitioners in several of the cases have asked the court for a declaration that the use of technology like Pegasus would amount to illegal hacking, and the court does appear to be considering this issue.
Another one of the terms of reference for its special committee is:
If any governmental agency has used the Pegasus suite of spyware on the citizens of this country, under what law, rule, guideline, protocol or lawful procedure was such a deployment made?
This will not necessarily be an easy issue to deal with, as if the court holds that usage of spyware like Pegasus amounts to hacking, then it would technically be illegal to use it even against terrorists or organised criminals.
Even if the usage of spyware is not held to be illegal hacking by the court, the usage of 'lawful' surveillance/interception methods to target members of civil society, journalists, and opposition leaders would certainly be illegal, as the circumstances under which lawful interception is allowed would not be met, ie., genuine threats to the security of the state and public order.
However, for any action to be taken, it would require a conclusive finding of who used the spyware. It remains to be seen if the Supreme Court will go that far.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)