MPs ask government about spyware Pegasus, but get no clear answer

Home and IT ministries state procedure, skirt specifics on spyware query

By Vishal Narayan in New Delhi
  • Published 21.11.19, 1:56 AM
  • Updated 21.11.19, 1:56 AM
Concerns about snooping have intensified after a sophisticated cyberattack that relied on spyware called Pegasus developed by an Israel-based company called NSO Group and exploited the video-calling system on WhatsApp to send malware to mobile devices.

The government on Wednesday rubbished the insinuation that it was engaged in spying on citizens through the Pegasus malware, but failed to state clearly whether it has the power to do so under current cyber laws.

The ministry of electronics and information technology informed Parliament that it was aware of the WhatsApp breach and that the media reports insinuating snooping by the government were “completely misleading” and were an attempt to “malign the government of India”. It also said that its Computer Emergency Response Team has issued a notice to WhatsApp, seeking relevant details.

On Tuesday, responding to a question by Lok Sabha member Dayanidhi Maran, who asked whether the government engaged in snooping using the Israeli spyware Pegasus, minister of state for home G. Kishan Reddy did not issue a clear denial, but listed the legislation that allows select Indian government agencies to intercept and decrypt data.

Today, information technology minister Ravi Shankar Prasad responded to a query by Asaduddin Owaisi, the MP from the All India Majlis-E-Ittehadul Muslimeen (AIMIM), who asked, among other things, "whether the Government has taken cognizance of the reports of alleged use and purchase of the Pegasus spyware by Government agencies". If so, would the ministry present details on it, the MP wanted to know.

Prasad wrote: "Some statements have appeared, based on reports in media, regarding this. These attempts to malign the Government of India for the reported breach are completely misleading. The Government is committed to protect the fundamental rights of citizens, including the right to privacy."  

Reddy, in his reply to Maran's query yesterday, cited the Information Technology Act, 2000, and the Indian Telegraph Act, 1885, which empower the government to “intercept, monitor or decrypt” information stored in any computer. 

The replies failed to address to what extent the laws allow agencies to snoop on people using spyware such as Pegasus.

Cyber law expert Apar Gupta told this website that the two acts do not authorise the government to use malware such as Pegasus to snoop on people. He said the ministries' answers were devoid of any meaning as they failed to indicate whether the government can in the future use such spyware. “If we look at the responses given by the government, firstly, the response to Dayanidhi Maran and then to Mr Owaisi, it (the government) is not mentioning if it indeed does have the power to introduce such a spyware as Pegasus on people’s phones…. It did not state very clearly whether present interception powers permit it to do so,” Gupta, a lawyer and the executive director of the Internet Freedom Foundation (IFF), said.

“As per the current laws, the government doesn’t have any authority to introduce malware into phones of people because that falls outside the purview of the existing powers, both under the Indian Telegraph Act as well as the IT Act. The statements made yesterday don’t hold water. It’s an open container there’s nothing much in it. These are words which are stuffed without any clear indication or any substantive or meaningful reply to the question asked by the honourable member”.

The Facebook-owned messaging application, WhatsApp, had informed the Indian government about a vulnerability in its code in May this year. WhatsApp, which filed a suit against NSO, the Israeli firm which made Pegasus, had told the government that about 1,400 people globally, including 121 Indians, had been victims of such snooping.

The breach, which hit headlines early this month, has raised concern about data privacy. Congress leader and Lok Sabha member Shashi Tharoor chaired a meeting on Wednesday of a parliamentary standing committee on information technology to discuss citizens’ data security and privacy.

The Indian government was not always averse to buying spyware like Pegasus.

As reported on this website earlier, several government agencies, including the Intelligence Bureau and the cabinet secretariat, were in talks to buy a product called Galileo from Italian cyber surveillance firm Hacking Team.

Emails from the Wikileaks stash established several years of interactions between the spyware company and Indian brokers who explicitly stated that the clients they were speaking for were police forces of different states and the cabinet secretariat.