India has no data protection law
On June 15, 2020, Amnesty International and Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto, uncovered a coordinated spyware campaign that targeted nine Indian human rights defenders between January to October 2019.
In the world’s largest democracy, these types of incidents are a concern especially when viewed alongside the government’s broader crackdown on dissent. Under the Bharatiya Janata Party (BJP) led government, India has gained global notoriety for silencing critical voices through frivolous defamation suits, arrests and detentions of citizens engaging in peaceful protests, and the imprisonment of journalists.
The activists were sent multiple emails, containing links to malicious software, disguised as important communications. If downloaded, the software would infect a user’s phone or computer with NetWire, a piece of commodity malware designed to cause extensive damage to data and systems or to gain unauthorized access to a network.
Eight of the individuals targeted had been calling for the release of those indicted in the Bhima Koregaon case dating back to 2018 when, in the wake of violent attacks against Dalit communities in Maharashtra, police arrested several activists known for their advocacy work on behalf of these communities.
Unanswered questions about Pegasus in India
Three of the individuals targeted with Netwire were also targeted earlier in 2019 in the now infamous NSO WhatsApp hack, a spyware attack in which at least two dozen academics, lawyers, Dalit activists and journalists in India were targeted with Pegasus, a spyware that can extract a user’s private data, including passwords, contact lists, calendar events, text messages, and even voice calls. Some variants of it can even turn on a phone’s camera and microphone to capture activity in the phone’s vicinity.
The individuals were informed about this attack by Whatsapp, who contacted and alerted them that their phones had been under state-of-the-art surveillance for a two-week period in May 2019. This hack was part of a wider attack that targeted at least 100 members of civil society around the world and led to Whatsapp suing the NSO group in a US court.
Following the revelation of the Pegasus attacks in November 2019, NSO defended itself saying that it only sells its technology to “licensed government intelligence and law enforcement agencies. Consequently, several of those targeted in India wrote to the Parliamentary Standing Committee on Information Technology asking whether the government had authorized the use of this spyware. Unfortunately, the Indian government’s Ministry of Home Affairs and the Ministry of Information Technology refused to give a straight answer to this question, only claiming that “no unauthorized interception” had taken place. Subsequently, the government sought to shift the blame on Whatsapp, insinuating that the tech platform had allowed the breach to take place and had not informed it about it. Embarrassingly, Whatsapp responded stating that it actually had informed the country’s nodal cyber response agency when the attacks had first taken place.
Illegally intercepting or accessing computer devices is recognized as a criminal act under international law and India’s Information Technology Act. If the hackers were private actors, it is concerning as to why the Indian government has not yet released details of any criminal investigations against them, despite sufficient evidence of a crime having been committed against its own citizens. The alternative scenario, if it happens to be true, is doubly concerning. State surveillance through the use of spyware not only violates India’s own laws around the interception of private communications but also poses a huge threat to free expression, privacy and freedom of thought.
BJP surveillance measures
While less invasive forms of surveillance have been used by different ruling powers through the decades in India, the BJP’s measures are excessive, to say the least. In December 2018, the Ministry of Home Affairs gave ten agencies blanket legal authority “to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer.” This order was challenged in the Supreme Court to which the government responded with a statement that “the veil of privacy can be lifted for legitimate state interest.” The order continues to be enforced, pending a final judgement by the apex court.
In May 2020, the Ministry of Information and Broadcasting floated and closed a bid for a tool to provide “fact verification and disinformation detection on social media platforms.” According to media reports, this was the eighth attempt by this government, since it came into power in 2014, to “explicitly and directly monitor social media”. This latest attempt at mass surveillance is currently being challenged in court by the Internet Freedom Foundation. Given the Supreme Court’s 2017 ruling on privacy being a fundamental right, there is hope that this attempt too will be thwarted.
It is important to note that these attempts to monitor citizens’ lives are being made in the absence of a personal data protection law, which if enacted in line with international human rights standards, could offer some protection against these repeated attempts at surveillance. Unfortunately, the data protection bill introduced by the BJP-led government in 2019, which is currently undergoing joint parliamentary review, fails to meet such standards. It seeks to give the government unrestricted access to personal data on vaguely worded grounds of sovereignty, violating key legal safeguards around necessity and proportionality, as enshrined in international law and recognized by the Indian Supreme Court as intrinsic to safeguarding the right to privacy. There are further concerns that this is a backdoor attempt to provide legislative backing to the State’s passive surveillance activities online, which are currently conducted outside the remit of the law, merely through executive action, and thus escape meaningful oversight. Understandably, the bill has faced massive pushback from civil society, and even the United Nations Special Rapporteur on Privacy has expressed concern.
A global trend
These attempts to monitor and police digital spaces are not unique to India alone – digital authoritarianism is on the rise around the world, especially in countries where rising nationalism, combined with weaker rule of law has emboldened governments to crackdown on dissent, increasingly with the aid of technology supplied by dubious corporations eager to make a quick buck.
Spyware, one of the most invasive surveillance tools, has managed to evade regulation at the international level so far, largely because surveillance is a topic that governments are not keen to discuss, mostly due to diplomatic, political and national security reasons. Consequently, the lack of an international framework to regulate its production, sale and use coupled with an increasing interest by repressive regimes in the private lives of their critics, has led to an uptick in the use of spyware, as tracked by Citizen Lab. Concerned by this troubling trend, the UN’s Special Rapporteur on Freedom of Expression released a report, calling on governments to “establish an immediate moratorium on the global sale and transfer of private surveillance technology until rigorous human rights safeguards are put in place to regulate such practices and guarantee that governments and non-State actors use the tools in legitimate ways”. The US State Department has also released guidance to “assist U.S. companies seeking to prevent their products or services with surveillance capabilities from being misused by foreign government end-users to commit human rights abuses.”
These are steps in the right direction, which have taken effect largely due to the tireless advocacy done by civil society organizations who are bravely calling out human rights abuses, pushing for rights-respecting legislation and engaging in strategic litigation. Countries seeking to prevent the decline of democracy must support these groups, in India and elsewhere, by engaging them as trusted partners in the fight to keep the internet equal, open and free.