Pegasus spyware: How do we rein in State surveillance? Here’s what experts had to say

Legal experts weigh in on the unfolding Pegasus controversy and suggest future steps towards surveillance reform such as parliamentary oversight, judicial oversight, and more. 

Where do we go from here? This has been the question on most citizens’ minds as reports claimed that the Israeli firm NSO Group’s Pegasus spyware has targeted several Indian politicians, journalists, and activists. Firstly, it is unclear whether there are any possible defences against this military-grade spyware which deploys a zero-click attack — essentially meaning that one doesn’t have to click on a malicious link for this malware to activate; it can infect your phone because of an existing vulnerability in the system.

Secondly, since NSO Group has said that it sells its products only to vetted governments and agencies, there is a deeper concern of state-sponsored surveillance. This brings us to the question: Is our current mechanism of containing surveillance efficient? Do we have enough checks and measures in place to question, say, an abuse of a surveillance mission by a government or an agency?

The experts MediaNama spoke to gave varied responses in this regard. While one proposed a judicial oversight mechanism with penalties in place for possible misuse, another contended that the country’s existing laws and statutes are sufficient to tackle such cases. Another expert referred to the report of the Shah Commission, which was constituted after the 1975 Emergency in India to record institutional excesses.

Many interestingly pointed towards Congress MP Manish Tewari’s Private Member’s Bill on regulating intelligence agencies, introduced in 2011. MediaNama did a summary of the different provisions of the bill.

What kind of parliamentary structure should exist to tackle surveillance?

Rahul Narayan, a Supreme Court advocate, favoured the constitution of an oversight mechanism within the parliamentary framework. He said that the role of Parliament would be to pass a law with robust safeguards and stringent rules imposed on the executive before any surveillance is undertaken.

“This should include policy over how long surveillance can continue for, deletion of data etc. The actual mechanism must involve at least 1 person outside the executive, typically a judge who should have the responsibility of actually issuing a warrant based on evidence put before him. The scope of emergency surveillance orders must be severely limited subject to a judge determining whether they should continue or not,” Narayan said.

Alok Prasanna Kumar, senior resident fellow at the Vidhi Centre for Legal Policy, said that the first step should be to ensure that there is a legislative basis for the existence of these agencies, clearly mandating what they can and cannot do. “Without that, any parliamentary oversight will be futile,” he said.

It’s a little difficult to identify with absolute specificity what intelligence agencies can and cannot do but I think the more important thing is that they should have to justify their actions before a Parliamentary committee or some authority which is independent of executive and ask tough questions. Broadly, of course, intelligence cannot be permitted to collect data of everyone without proper authorization and reasons, cannot be permitted to breach individual privacy without immediate justification, etc — Alok Prasanna Kumar, senior resident fellow at Vidhi Centre for Legal Policy

Is judicial oversight necessary?

Narayan said that although proceedings for surveillance are necessarily secret, there has to be a way to keep a check on executive powers. “In this case, a careful law interpreted by the judicial branch should permit surveillance when necessary while ensuring the process is not abused to gather intelligence on opposition leaders etc,” he said, adding that the judge should be responsible for issuing a warrant based on concrete evidence, in areas of alleged organised crimes, narcotics-related crimes, national security issues, and so on.

Meanwhile, Kumar had a different opinion. “Judicial oversight is almost never realistic oversight. The experience of this in India and elsewhere is that the “judicial oversight” is usually used to give a cover of legality to the actions of the intelligence agencies. In the absence of transparency and assured independence of the judges in question, such judicial oversight inevitably becomes a box-ticking exercise,” he said.

Kumar stressed that there have to be substantive limits on the powers of intelligence agencies, and both Narayan and Kumar were unanimous in their opinion that certain information accrued through surveillance should be declassified and made public after a certain period of time. While Narayan proposed a 10-year gap, Kumar did not specify a timeline. The latter also said that “blanket RTI exceptions should be removed and it should be limited only to operations”.

‘Sufficient safeguards already in place’

Supreme Court advocate Gopal Sankaranarayanan had a different opinion from the first two experts. He did not agree that there was a lack of regulation to deal with such situations. “Under the IT Act as well as the Telegraph Act and Rules, there are sufficient safeguards in place to tackle a Pegasus-like situation.”

However, he raised the following points of concern regarding the Pegasus spyware attack:

  • Action by a foreign private entity in hacking into the phones of Indian citizens.
  • The probable conspiracy by individuals in the Indian Government in carrying out such hacking.
  • The lack of any Constitutional protection to those public servants who have placed orders with the NSO to carry this out.

Commissions had recommended bringing intelligence agencies under governance framework

Without going into the details of what a possible framework for governing intelligence agencies could look like, Nitin Pai, co-founder of the Takshashila Institution, pointed out that the Shah Commission’s Report into the excesses during Emergency had recommended that intelligence agencies and CBI must be placed under a governance framework. “The LP Singh Committee that was appointed to follow up on the Shah Commission report recommended that the IB be covered by a statute and given a written charter,” he said.

What does the Shah Commission report say? According to India Today, the second report of the commission had suggested that steps should be taken to improve the workings of the intelligence agencies. Quoting from the Shah Commission report, the India Today article said, “Their activities and achievements should be suitably overseen and evaluated by responsible forums composed of persons specially selected for their integrity and sense of public duty functioning independently of the intelligence agencies.”

What did the LP Singh Committee report say? According to a report by Outlook, the LP Singh Committee had pointed out that the Intelligence Bureau, which was created by the British before 1947, and the Central Bureau of Investigation, which came into existence after 1947, were functioning without formal charters of their functions and responsibilities. The committee stressed the need for formal charters to prevent future misuse, and also recommended detailed model charters to the government for adoption.

“Needless to say protecting citizens’ fundamental rights is crucial to this. The goal of the governance mechanism is to strike a deliberate balance between national security and individual rights,” he added.

Update, July 21, 1.50 pm: Takshashila Institution was incorrectly named as Takshashila Foundation. The error is regretted.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ