Issues of Government Surveillance and Spyware use in India

By: Emma Szczesniak and Ahissa Rice

The Indian government's use of Pegasus spyware demonstrates the need for stronger regulations to protect citizens' constitutional right to privacy from unlawful government surveillance. The distribution of spyware technology to governments and subsequent infiltration of personal data in the name of national security has resulted in mass human rights abuse. As the right to privacy is a fundamental right expressed in the Indian constitution, recent revelations from the Pegasus Project initiative about the Indian government's unlawful use of Pegasus spyware call into question the regulations in place to protect human rights against spyware technology. Enactment of the Digital Personal Data Protection Bill serves as the initial step towards protecting the constitutional rights of Indian citizens; however, further regulation is needed to ensure government accountability for surveillance use. As such, implications of the recently enacted legislation on surveillance and the consideration of additional regulations needed to prevent future human rights violations will be explored. To prevent such egregious rights violations in the future, India needs stricter laws limiting government surveillance powers and closing loopholes that enable spyware abuse.

Recent Human Rights Issues in India in Relation to Spyware

Recent revelations from the Pegasus Project have exposed significant human rights issues stemming from the alleged use of invasive spyware by the Indian government. Investigations revealed that the mobile devices of hundreds of Indian activists, journalists, opposition politicians, and government critics were targeted and infected with Pegasus spyware developed by the NSO Group.1 This suspected widespread surveillance represents a major infringement on the fundamental right to privacy in the Indian Constitution. However, the Indian government has provided minimal transparency or accountability regarding its use of Pegasus, citing national security interests despite the lack of judicial oversight for surveillance under current Indian law.2 Critics argue that the unchecked use of spyware to monitor the media and political opponents constitutes a form of authoritarian overreach that undermines democratic freedoms. There is a need for independent investigation into the uses of Pegasus in India and legal reforms to establish parliamentary and judicial oversight of surveillance measures that adhere to international human rights standards. Concerns about Pegasus spyware in India first emerged in 2019 when WhatsApp revealed a vulnerability that had been exploited to allow Pegasus infection attempts via WhatsApp calls.3 In 2021, the Pegasus Project found that over 300 phone numbers of Indian human rights activists, journalists, lawyers, opposition politicians, and government critics were included in a leaked database of 50,000 numbers listing those potentially targeted for surveillance using Pegasus spyware.4 As allegations mount regarding the Indian government's use of invasive surveillance, it is important to review the background of Pegasus in India and analyze how surveillance could violate constitutionally guaranteed freedoms.

India Constitution and History of Civil Rights Abuses

As stated in Article 21 of the Indian constitution, the right to privacy is a fundamental right.5,6 Data privacy is the freedom of control over the collection and use of personal information; therefore, surveillance to access data of Indian dissidents is a violation of a constitutional right.7 The IAPP article8 provides useful context and background on the concept of privacy as well as a framework for thinking about privacy that can inform analysis of problems with government surveillance and spyware abuse in the Indian context.9 Created by Israeli cyberarms firm NSO Group, Pegasus can covertly infect mobile devices to monitor all communications and activities. Forensic analysis confirmed traces of Pegasus on dozens of phones targeted in India. The Indian government has not explicitly denied using Pegasus, fueling allegations of unlawful state-sponsored surveillance. The Pegasus revelations highlight concerns about illegal government surveillance and spyware abuse targeting dissidents in India. India lacks laws strong enough to govern surveillance and data protection properly.

India has a long history of civil rights abuses in relation to government use of technology and surveillance. This includes wiretapping and spying on political opponents using intelligence agencies with minimal oversight and transparency.10 In 2019, 121 Indian users of WhatsApp, including activists, scholars, and journalists, were targeted by Pegasus spyware through a vulnerability exploitation.11 This highlights concerns about authorities misusing spyware to suppress dissent. That same year, the Indian government escalated crackdowns on critics by using politically motivated prosecutions and invasive spyware like Pegasus, as exposed by the WhatsApp Pegasus scandal. This scandal revealed how such tools could undermine civil liberties, building on previous events like the 2008 amendment enabling interception of communications over criticism and the 2010 directive for weaker mobile encryption despite backlash.12 The 2019 WhatsApp Pegasus scandal was a significant event that put spyware misuse on India’s radar13 and demonstrated the urgent need for reforms to safeguard against spyware abuse and protect privacy, free speech, and democratic rights in India. This history of surveillance and civil rights violations provides essential context for current concerns about government spyware use enabled by insufficient safeguards and protections. India lacks laws strong enough to properly govern surveillance and data protection. The Supreme Court ruled that privacy was a fundamental right in 2021. This ruling has the potential to make unregulated mercenary spyware unconstitutional under Indian law.14 There are calls for India to urgently reform surveillance practices to require judicial oversight and ensure they comply with privacy rights.

Effect of Pegasus Spyware on Privacy in India

The extensive monitoring and data collection enabled by Pegasus spyware represents a significant infringement on privacy rights in India. The constant threat of surveillance has led to widespread self-censorship, as citizens censor their communications and activities out of fear of being monitored. This climate of fear takes a psychological toll, breeding paranoia, anxiety, and a breakdown of trust in society.15 Specifically, the use of Pegasus to target journalists, activists, opposition figures, and other government critics damages public trust in the government. Citizens feel vulnerable when those in power employ invasive tools meant for fighting terror and crime against civil society members vocalizing concern, reporting news or actively exercising freedom of speech. The Pegasus revelations have exposed the Indian government's lack of transparency and oversight regarding surveillance practices.16 This erosion of privacy through unregulated spyware usage violates democratic principles and stifles the freedoms of speech, press, and association constitutionally protected in India.17

Surveillance Legislation in India

Three main pieces of legislation comprised the legal framework for cybersecurity in India prior to the enactment of the Digital Personal Data Protection (DPDP) Bill on August 9, 2023. The Information Technology Act of 2000 constitutes the first notable legislation with respect to cybersecurity in India. With the growing technology presence in India, there is a greater need to implement protections against corruption of online information. The Technology Act of 2000 provides regulations to properly authenticate an electronic file to ensure credibility of documentation transferred electronically.18 An amendment to the Information Technology Act of 2000, made in 2008, established the Computer Emergency Response Team, whose purpose is to respond to cybersecurity threats in India.19 The Information Technology Rules, implemented in 2011 and revised in 2021, provided a set of guidelines regarding the collection and storage of personal information by corporations.20 In 2013, the National Cyber Security Policy was published by the Department of Electronics and Information Technology, an independent ministry under the government of India.21 Although former cybersecurity legislation provided protection against corporate misuse of personal data, there were no regulations to prevent government surveillance nor to hold the government accountable for an unconstitutional breach of privacy.

Despite the DPDP Act, India continues to lack sufficient legislation to properly govern surveillance and data protection. The unanimous Supreme Court ruling that the right to privacy was a fundamental right during the 2017 Puttaswamy vs Union of India case initiated the formation of a law on data privacy in the technology sphere.22 A draft Data Protection Bill (DPB) created in 2018 by the Srikrishna Committee, a group headed by the Supreme Court judge, Srikrishna, and organized by the Ministry of Electronics and Information Technology, proposed data protection regulation against government and private entities.23 However, the government proposed an alternative bill reducing regulation on government surveillance capabilities. The proposed DPB was withdrawn and reworked before being introduced to Lok Sabha and quickly passed by Rajya Sabha on August 9, 2023.24

Formation of the DPDP Bill included strategies adapted from the European Union’s General Data Protection Regulation concerning what qualifies as personal data and processing.25 The Bill defined personal data as “any data about an individual who is identifiable by or in relation to such data” and processing as “wholly or partially automated operation or set of operations performed on digital personal data”.26 The Bill is applicable to the processing of personal data within India as well as outside India if in relation to Indian goods and services; data may not be transferred to restricted countries listed by the Indian government. Consent of the individual is required for data processing and details regarding data collection must be provided unless the data is being used for “legitimate uses”.27 Individuals have the right to obtain information on the processing of and request the deletion of personal data.28 Data fiduciaries are required to implement measures to prevent a data breach and ensure the accuracy and completeness of data. A Data Protection Board (DPB) will be established by the Indian government with the responsibility of monitoring compliance, imposing penalties, directing data fiduciaries in the event of a data breach, and hearing grievances.29 In addition, there are a variety of exemptions, most of which pertain to the Indian government. Failure to comply with the DPDP Bill regulations will result in a fine of varying degree based on the offense.30 The Bill provides a basis for data protection, though further regulation is required to ensure government accountability and prevent unlawful surveillance of Indian dissidents.

National and Global Implications of Spyware Use in India

India’s abusive use of spyware technology will have lasting impacts in both the national and international spheres. On a national level, previous authoritative actions have led to human rights abuses. In 2022, journalists known to speak out against the government and current politics were arrested, including Rupesh Kumar Singh who petitioned the government’s use of Pegasus spyware.31 Imprisonment of journalists reporting in opposition to government actions squanders freedom of expression and elicits fear of the government’s ability to encroach on other fundamental rights. In addition to limiting journalistic reporting, the government’s use of Pegasus spyware, disclosed by the Pegasus Project, deprived dissidents of their right to privacy in India.32 Enactment of the DPDP Bill further enables government abuse of the fundamental right to privacy. The initial DPB was withdrawn in 2022 due to push back from technology companies and advocacy groups on the threat to privacy rights by the Bill’s expansion of government authority on surveillance.33 Despite protests that the Bill undermined citizens’ rights, the revised DPDP Bill passed in 2023 did not address this grievance, creating the potential for civil unrest as concern elevates in response to the government’s use of surveillance technology.

In theory, the DPDP Bill was formulated to ensure data protection; however, it has enabled unreasonable exemptions from government compliance due to protection provisions.34 Under the law, government entities do not have to comply with the privacy obligations when ensuring the sovereignty and integrity of India or when maintaining public order and relations with foreign nations, allowing the government to function without being bound by the law.35 Furthermore, the government has control over the appointment of DPB members, preventing an impartial enforcement of penalties for noncompliance with privacy regulations.36 As such, recent data privacy legislation provides virtually unchecked surveillance power to the Indian government with limited accountability and does little to protect citizens’ rights.

Violation of the fundamental right to privacy will escalate the growing distress of human rights abuse and has the potential to impact global order. In 2022, India refrained from speaking out about human rights abuse in Southeast Asia, evoking concern from major nations including those in the European Union and the United States.37 Furthermore, the Biden administration has privately expressed concerns surrounding the implications of surveillance and censorship in India.38 As relations between the United States and India have strengthened only within the recent decade, data protection and civil liberty disparity in India could be detrimental to the United States – India relationship. India’s attempt at addressing human rights concerns with regards to surveillance through the DPDP Bill was a missed opportunity for India to exemplify an effective legal framework to reduce unlawful surveillance and introduce regulations regarding government control over citizens’ data.

Democracies depend on the free press to hold politicians accountable. In Mexico since 2000, 104 journalists have been killed and 25 have disappeared.39 Journalists are often targeted after investigating politicians or businesses abusing power. The cases of India and Mexico demonstrate concerning patterns of state surveillance and violence used to repress journalists and dissidents. While the tactics differ, the result is the same – undermining democracy by stifling dissidents and criticism. India’s use of invasive spyware without necessary safeguards is similarly enabling human rights violations, impacting civil liberties, freedom of expression, privacy rights, and statewide accountability. These practices could strain India's international relations and reputation, just as the case in Mexico where authoritarian surveillance and violence against the media erodes rule of law and democratic freedoms.40

The implications of India’s spyware use extend beyond its borders. As a major economy, how India balances security with rights and oversight with accountability holds influence worldwide. India missed an opportunity with the DPDP to set a standard that would have exemplified effective legislation to limit unlawful surveillance. Instead, the rushed bill grants the government concerning unchecked powers without impartial oversight. This will enable further abuse, harming both Indian citizens and India’s global standard. Unchecked state powers, discretionary exemptions, and censorship provisions provided by the law raise concerns about privacy protection and adversely impact international data flows in India. This makes India’s data protection law an issue with both domestic and international implications. India has a chance to correct its course and demonstrate globally how democracies can enact laws protecting privacy and free speech from authoritarian overreach. This would protect the civil liberties of India’s people, strengthen its global leadership, and offer a model for nations navigating security and human rights in the digital age.

1 International, Amnesty, and Forbidden Stories. “About the Pegasus Project.” Forbidden Stories, n.d. https://forbiddenstories.org/about-the-pegasus-project/.

2 “India: Spyware Use Violates Supreme Court Privacy Ruling.” Human Rights Watch (HRW), August 26, 2021. https://www.hrw.org/news/2021/08/26/india-spyware-use-violates-supreme-court-privacy-ruling.

3 Scott-Railton, John, Elies Campo, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Gözde Böcü, Salvatore Solimano, and Ron Deibert. “CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru.” Toronto, Canada, March 26, 2023. https://tspace.library.utoronto.ca/bitstream/1807/119418/1/Report_155--catalangate_012023_.pdf.

4 International, Amnesty, and Forbidden Stories. “About the Pegasus Project.” Forbidden Stories, n.d. https://forbiddenstories.org/about-the-pegasus-project/.
5 The Constitution of India, 1967, Art. 21-A, (Eighty Sixth Amendment), pp. 10. https://www.mea.gov.in/Images/pdf1/Part3.pdf

6 The Constitution of India, 1967, Art. 21-A, (Eighty Sixth Amendment), pp. 10. https://www.mea.gov.in/Images/pdf1/Part3.pdf

7 The Constitution of India, 1967, Art. 21-A, (Eighty Sixth Amendment), pp. 10. https://www.mea.gov.in/Images/pdf1/Part3.pdf

8 IAPP, About the IAPP The world’s largest global information privacy community, (Association of Privacy Professionals), https://iapp.org/about/what-is-privacy/
9 IAPP, About the IAPP The world’s largest global information privacy community, (Association of Privacy Professionals), https://iapp.org/about/what-is-privacy/

10 “India: Dangerous Backsliding on Rights Activists, Critics Targeted; Growing Attacks on Muslims, Groups at Risk.” The Human Rights Watch, 2022.

11 Biswas, Soutik. “Pegasus: Why Unchecked Snooping Threatens India’s Democracy.” BBC News, 2021. https://www.bbc.com/news/world-asia-india-57887300.

12 Scott-Railton, John, Elies Campo, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Gözde Böcü, Salvatore Solimano, and Ron Deibert. “CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru.” Toronto, Canada, March 26, 2023. https://tspace.library.utoronto.ca/bitstream/1807/119418/1/Report_155--catalangate_012023_.pdf.

13 Biswas, Soutik. “Pegasus: Why Unchecked Snooping Threatens India’s Democracy.” BBC News, 2021. https://www.bbc.com/news/world-asia-india-57887300.
14 “India: Spyware Use Violates Supreme Court Privacy Ruling.” Human Rights Watch (HRW), 2021. https://www.hrw.org/news/2021/08/26/india-spyware-use-violates-supreme-court-privacy-ruling.

15 Kaldani, Tamar, and Zeev Prokopets. “PEGASUS SPYWARE and Its Impacts on Human Rights.” Council of Europe, 2022. https://rm.coe.int/pegasus-spyware-report-en/1680a6f5d8.

16 “India: Spyware Use Violates Supreme Court Privacy Ruling.” Human Rights Watch (HRW), 2021. https://www.hrw.org/news/2021/08/26/india-spyware-use-violates-supreme-court-privacy-ruling.

17 The Constitution of India, 1967, Art. 21-A, (Eighty Sixth Amendment), pp. 10. https://www.mea.gov.in/Images/pdf1/Part3.pdf

18 Pawar, R., B. Sawant, and A. Kaiwade. “Information Technology Act 2000 in India - Authentication of E-Documents.” Journal of Digital Forensics, Security and Law 2 (2007). https://doi.org/10.15394/jdfsl.2007.1023.
19 Tejpal, Khyati, D.Y. Patil Vidyapeeth, Jayashree Patole, D.Y. Patil Vidyapeeth, Tanmay Ghugare, and D.Y. Patil Vidyapeeth. “Cybersecurity: Pressing Priority in India.” Journal of Distance Education and E-Learning 11, no. 2 (n.d.).
20 “The Information Technology Rules, 2011,” April 11, 2011.
21 Tejpal, Khyati, D.Y. Patil Vidyapeeth, Jayashree Patole, D.Y. Patil Vidyapeeth, Tanmay Ghugare, and D.Y. Patil Vidyapeeth. “Cybersecurity: Pressing Priority in India.” Journal of Distance Education and E-Learning 11, no. 2 (n.d.).
22 “Justice K.S. Puttaswamy vs. Union of India.” Privacy Library, 2017. https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors.
23 Burman, Anirudh. “The Withdrawal of the Proposed Data Protection Law Is a Pragmatic Move.” Carnegie India, August 22, 2022. https://carnegieindia.org/2022/08/22/withdrawal-of-proposed-data-protection-law-is-pragmatic-move-pub-87710.
24 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
25 Roy, Raktima, and Gabriela Zanfir-Fortuna. “The Digital Personal Data Protection Act of India Explained.” Future of Privacy Forum, August 15, 2023. https://fpf.org/blog/the-digital-personal-data-protection-act-of-india-explained/.
26 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
27 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
28 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
29 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
30 “Legislative Brief: The Digital Personal Data Protection Bill, 2023.” PRS Legislative Research, 2023. https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023.
31 “World Report 2023: Rights Trends in India.” Human Rights Watch, 2022. https://www.hrw.org/world-report/2023/country-chapters/india.
32 International, Amnesty, and Forbidden Stories. “About the Pegasus Project.” Forbidden Stories, n.d. https://forbiddenstories.org/about-the-pegasus-project/.
33 “India: Data Protection Bill Fosters State Surveillance.” Human Rights Watch, December 22, 2022. https://www.hrw.org/news/2022/12/23/india-data-protection-bill-fosters-state-surveillance.
34 “India: Data Protection Bill Fosters State Surveillance.” Human Rights Watch, December 22, 2022. https://www.hrw.org/news/2022/12/23/india-data-protection-bill-fosters-state-surveillance.

35 Burman, Anirudh. “Understanding India’s New Data Protection Law.” Carnegie India, October 3, 2023. https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624.
36 Burman, Anirudh. “Understanding India’s New Data Protection Law.” Carnegie India, October 3, 2023. https://carnegieindia.org/2023/10/03/understanding-india-s-new-data-protection-law-pub-90624.

37 “World Report 2023: Rights Trends in India.” Human Rights Watch, 2022. https://www.hrw.org/world-report/2023/country-chapters/india.
38 Miller, Manjari Chatterjee. “Sort Out Granular Issues to Bolster U.S.-India Ties.” Council on Foreign Relations, January 27, 2023. https://www.cfr.org/article/sort-out-granular-issues-bolster-us-india-ties.

39 “Mexico Events of 2017.” Human Rights Watch, 2018. https://www.hrw.org/world-report/2018/country-chapters/mexico.

40 Scott-Railton, John; Marczak, Bill; Nigro Herrero, Paolo; Abdul Razzak, Bahr; Al-Jizawi, Noura; Solimano, Salvatore; and Deibert, Ron. “Project Torogoz.” Citizen Lab Research Report No. 148 (2022). https://tspace.library.utoronto.ca/handle/1807/123609.