Indian supreme court orders inquiry into state’s use of Pegasus spyware – The Guardian
India’s supreme court has ordered an independent inquiry into whether the government used the surveillance software Pegasus to spy illegally on journalists, activists and political opponents.
The decision on Wednesday to create an independent committee to investigate whether and how the Indian state had used the Israeli spyware tool was a significant victory for privacy campaigners after years of stonewalling by Narendra Modi’s government.
The order was a response to cases lodged by several Indian journalists and activists, including some revealed by the Guardian and a consortium of reporting partners to have been victims of Pegasus – a cyber-weapon capable of hacking a target’s smartphone, extracting its contents and turning on the device’s microphone and camera.
Pegasus is a cyber-weapon capable of hacking a target’s smartphone, extracting its contents and turning on the device’s microphone and camera.
Analysis by the media outlets of infected phones, and of a wider list of more than 50,000 phone numbers believed to have been selected as persons of interest by clients of Pegasus’ manufacturer, NSO Group, strongly indicated the Indian government was using the tool. Delhi has consistently declined to confirm if it has access to it.
The committee will comprise three cybersecurity experts and its work will be overseen by a retired supreme court judge. It will submit its report in two months.
In a decision that opened with a quote from George Orwell’s Nineteen Eighty-Four, the judges criticised the government’s refusal to divulge, on the grounds of national security, any details of what the software was used for and why. They said Delhi had offered “only a vague … denial of allegations”.
“The state cannot get a free pass every time by raising national security concerns. No omnibus prohibition can be called against judicial review,” the judges said.
Siddharth Varadarajan, the founder-editor of the Indian non-profit website the Wire, which worked with the Guardian on the Pegasus project, welcomed the decision. “It’s a good start. The supreme court has rightly refused to buy the government’s ‘national security’ logic,” he said.
The expert group will have powers to call witnesses and seek documents as part of its fact-finding mission, and can issue adverse findings against individuals or the government if they decline to cooperate. The court listed another hearing date for after the committee’s reporting deadline, indicating it intended to continue pursuing the issue.
The opposition in India has accused the Modi government of treason and “unforgivable sacrilege” over the reports from the Pegasus projectthat revealed several top journalists and an election strategist had been targeted using the software.
The stories disclosed details of hundreds of verified Indian phone numbers that appeared in the leaked records of 50,000 numbers, including that of the opposition leader, Rahul Gandhi.
The Pegasus project, an investigation published earlier this year into the Israeli spyware maker, NSO Group, was led by a consortium of 17 news outlets that included the Guardian, Washington Post and the French nonprofit Forbidden Stories.
NSO has said its hacking software was only meant to be used by government clients to conduct legitimate investigations into serious crime. The company said it conducted thorough investigations of allegations of misuse when it received “credible information”.
The Indian government has for years resisted confirming whether it uses Pegasus, and in the current proceedings provided only a brief affidavit that did “not shed any light on their stand or provide any clarity as to the facts of the matter at hand”, the court said.
At the time of the Pegasus project revelations senior government figures claimed the stories, which covered the possible misuse of spyware in more than 10 countries, were part of an “anti-India” campaign timed to coincide with the opening of the monsoon session of the Indian parliament.
The question of whether the Indian government has access to Pegasus, separate to whether it has used it against journalists and other civil society figures, is highly sensitive because India’s surveillance laws allow eavesdropping but ban “hacking”, even by the state.
Indian lawyers have argued that the Pegasus spyware, which inserts malicious code into a smartphone’s operating system that allows it to take control of the device, is a clear example of hacking and therefore the use of it may be illegal, regardless of who it has been deployed against.
Lawyers and privacy advocates welcomed the decision, which they said had wider implications for the government’s accountability on “security issues”. “We’ve seen traditionally in India that [the government] would just cite national security and the court would adopt a hands-off approach,” said Vrinda Bhandari, a lawyer involved in the Pegasus case.
“It’s one of the first times that the court has taken this strong view that you can’t have a ritualistic incantation of ‘national security’ … The mere fact the government is citing national security is not enough – the court is requiring it to back its case up with some kind of detail.”
During earlier hearings, the government had offered to form its own panel of experts but this was rejected on Wednesday by the judges, who began the hearing by noting the “Orwellian concerns” about the misuse of technology.
The judges said indiscriminate spying could not be allowed and highlighted the “chilling” effect it could have on freedom of speech and freedom of the press. They were compelled, they added, to “determine the truth and get to the bottom of the issue”.