Democracy and Spyware: The Case of India
By Ahissa Rice
Abstract
India, the world's largest democracy, faces a critical challenge in safeguarding citizens' privacy rights amid the proliferation of invasive surveillance technologies. The troubling contradiction between India's constitutional commitment to privacy and the government's use of spyware like Pegasus to target journalists, activists, and opposition figures is examined. The Pegasus revelations expose the exploitation of legal loopholes and lack of oversight in India's surveillance regime, enabling the unchecked abuse of power. Specific instances of surveillance overreach, such as the WhatsApp Pegasus Scandal of 2019 and the targeting of human rights defenders and journalists, demonstrate the chilling effects on free speech and dissent. By analyzing the gaps and deficiencies in India's surveillance laws and practices, the urgent need for comprehensive reforms is underscored. The comparative analysis with the European Union's data protection framework, using the Most Similar Systems Design (MSSD) method, offers valuable insights into balancing security and privacy concerns while upholding democratic principles. The critical importance of aligning India's surveillance practices with its constitutional values and international human rights standards to safeguard the future of Indian democracy in the digital age is emphasized. Concerted efforts from civil society, policymakers, and the international community are called for to hold the government accountable and ensure the protection of citizens' rights and freedoms.
Background: India's Constitutional Right to Privacy
India's constitution recognizes the right to privacy as a fundamental right under Article 21, which states, "No person shall be deprived of his life or personal liberty except according to procedure established by law, nor shall any person be denied equality before the law or the equal protection of the laws within the territory of India."[1] The Supreme Court of India has upheld this right in several landmark judgments, including the 2017 Puttaswamy v. Union of India case, which affirmed that privacy is an integral part of the right to life and personal liberty.[2] However, despite these strong constitutional protections, the reality on the ground paints a different picture. The Indian government has repeatedly engaged in invasive digital surveillance of its citizens, particularly those who express dissent or criticize those in power. The Pegasus spyware revelations have exposed the shocking extent of this surveillance and the government's exploitation of legal loopholes and lack of oversight to spy on journalists, activists, opposition figures, and other perceived threats.
Surveillance and Digital Rights Abuse in India
The Pegasus Project, a collaborative investigation by a consortium of media organizations, revealed that the Indian government had used Pegasus, a powerful spyware tool developed by the Israeli NSO Group, to target hundreds of individuals, including journalists, human rights activists, lawyers, and opposition politicians.[3] Pegasus is capable of infiltrating smartphones and accessing all stored data, as well as activating the device's camera and microphone for real-time surveillance, effectively turning the phone into a pocket spy.
One prominent example of the abuse of spyware in India is the WhatsApp Pegasus Scandal of 2019. In this incident, it was revealed that 121 Indian users of WhatsApp, including activists, scholars, and journalists, were targeted using Pegasus spyware through a vulnerability in the messaging app.[4] This scandal highlighted the growing concern that authorities were misusing spyware to suppress dissent and undermine civil liberties in India. Moreover, the targeting of human rights defenders and journalists in India using invasive spyware has become increasingly common. In 2019, Amnesty International and Citizen Lab uncovered a coordinated spyware campaign targeting at least nine human rights defenders, eight of whom were advocating for the release of the Bhima Koregaon 11 activists.[5] In 2023, forensic analysis by Amnesty International confirmed that journalists Siddharth Varadarajan and Anand Mangnale were targeted with Pegasus spyware on their iPhones, with Varadarajan having been previously targeted and infected in 2018.[6] These cases demonstrate a disturbing pattern of illegal surveillance targeting individuals who speak out against the government or work to defend human rights, violating their rights to privacy and freedom of expression.
India's Surveillance Laws and Practices: Gaps and Deficiencies
India's legal framework for surveillance suffers from significant gaps and deficiencies that enable government overreach and abuse. The Information Technology Act of 2000 and its subsequent amendments give the government broad powers to intercept, monitor, and decrypt digital information without adequate judicial oversight or transparency.[7]The lack of clear legal standards for surveillance approval and the absence of independent oversight mechanisms create a permissive environment for the misuse of surveillance powers. Furthermore, India's surveillance regime lacks essential safeguards such as public notice and regular reporting requirements. The government's refusal to disclose the details of its surveillance activities or the legal justifications for targeting specific individuals has created a climate of secrecy and impunity. This lack of transparency and accountability undermines public trust and raises concerns about the government's commitment to the rule of law and democratic principles.
The Pegasus spyware revelations have also exposed the inadequacy of India's data protection laws in safeguarding citizens' privacy rights. The Personal Data Protection Bill, which was introduced in 2019 and later withdrawn, had been criticized for its broad exemptions for government agencies and lack of meaningful checks on state surveillance powers. The absence of a comprehensive data protection framework leaves citizens vulnerable to privacy violations and data breaches, as evidenced by the targeting of individuals using spyware like Pegasus.
Unconstitutional Surveillance Overreach and the Need for Reform
The Indian government's use of invasive spyware to target journalists, activists, and opposition figures represents a clear violation of the constitutional right to privacy and a threat to democratic freedoms. The chilling effect of unchecked surveillance on free speech and dissent undermines the very foundations of India's democracy and the ability of citizens to hold their government accountable. To address this crisis, urgent reforms are needed to align India's surveillance practices with constitutional principles and international human rights standards. This includes amending laws like the Information Technology Act to provide clear legal standards for surveillance approval based on necessity and proportionality, establishing independent oversight mechanisms, and ensuring judicial checks and balances on executive power. The government must be transparent about its use of surveillance tools and provide public justification for any restrictions on privacy rights. Regular reporting on surveillance activities and the establishment of avenues for redress for individuals targeted by unlawful surveillance are essential for promoting accountability and rebuilding public trust.
Comparative Analysis: India and the European Union
To better understand the factors contributing to India's surveillance problems and potential solutions, a comparative analysis with the European Union (EU) using the Most Similar Systems Design (MSSD) method can provide valuable insights. The EU, like India, has a diverse population and a commitment to human rights and the rule of law. However, the EU has developed a robust data protection framework, including the General Data Protection Regulation (GDPR), which sets strict standards for the collection, processing, and storage of personal data. By comparing the constitutional protections, laws, policies, and practices related to surveillance and data protection in India and the EU across key variables such as constitution, laws, policies/regulations, diversity of population, and security, we can identify the gaps and deficiencies in India's approach and draw lessons from the EU's experience.
This comparative analysis aims to shed light on how the EU has managed to balance national security concerns with the protection of individual privacy rights, and what India can learn from this approach. By examining the similarities and differences in the two systems, we can propose targeted reforms to strengthen India's legal framework for surveillance and data protection, ensuring that the government's actions align with the country's democratic values and constitutional commitments.
The Pegasus spyware revelations have exposed the urgent need for India to address the problem of unchecked government surveillance and the abuse of invasive spyware against its own citizens. As the world's largest democracy, India has a responsibility to uphold the constitutional right to privacy and protect the freedoms of speech, press, and association that are essential for a thriving democratic society. By undertaking a comparative analysis with the EU and implementing comprehensive reforms to its surveillance laws and practices, India can chart a path forward that safeguards the rights of its citizens in the digital age. This includes establishing clear legal standards for surveillance, independent oversight mechanisms, and avenues for redress for those targeted by unlawful snooping.
Ultimately, the issue of surveillance and digital rights in India is not just about privacy, but about the very future of Indian democracy. If left unchecked, the government's abuse of surveillance powers risks eroding public trust, stifling dissent, and undermining the rule of law. It is therefore imperative that civil society, policymakers, and the international community work together to hold the Indian government accountable and ensure that the country's surveillance practices align with its democratic principles. As India continues to grapple with the challenges posed by new technologies and the evolving nature of security threats, it must reaffirm its commitment to protecting the rights and freedoms of its citizens. Only by striking the right balance between security and liberty can India truly live up to its status as the world's largest democracy and a beacon of hope for those fighting for human rights and civil liberties around the world. By shining a light on the government's surveillance abuses and proposing a path forward based on comparative analysis and international best practices, we hope to inspire meaningful change and safeguard the rights of all Indians in the digital age.
Notes
[1] The Constitution of India, 1967, Art. 21-A, (Eighty Sixth Amendment), pp.10. https://www.mea.gov.in/Images/pdf1/Part3.pdf
[2] “Justice K.S. Puttaswamy vs. Union of India.” Privacy Library, 2017. https://privacylibrary.ccgnlud.org/case/justice-ks-puttaswamy-ors-vs-union-of-india-ors.
[3] International, Amnesty, and Forbidden Stories. “ABOUT THE PEGASUS PROJECT.” Forbidden Stories, n.d. https://forbiddenstories.org/about-the-pegasus-project/.
[4] Biswas, Soutik. “Pegasus: Why Unchecked Snooping Threatens India’s Democracy.” BBC News, 2021. https://www.bbc.com/news/world-asia-india-57887300.
[5] International, A. & Lab, C. India: Human Rights Defenders Targeted by a Coordinated Spyware Operation Summary Introduction. Amnesty International (2020). https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/
[6] India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists. Amnesty International(2023). https://www.amnesty.org/en/latest/news/2023/12/india-damning-new-forensic-investigation-reveals-repeated-use-of-pegasus-spyware-to-target-high-profile-journalists/
[7] Pawar, R., B. Sawant, and A. Kaiwade. “Information Technology Act 2000 in India - Authentication of E-Documents.” Journal of Digital Forensics, Security and Law 2 (2007). https://doi.org/10.15394/jdfsl.2007.1023.