WhatsApp in a list of applications on a phone screen

Letter To The Standing Committee on Information Technology

Recommendations to The Parliamentary Standing Committee on Information Technology for Surveillance Reforms in lieu of WhatsApp-NSO Revelations

 

Recommendations sent to Dr. Shashi Tharoor, Chairperson to The Parliamentary Standing Committee on Information Technology before the meeting with representatives of Home Ministry, The Ministry of Electronics and Information Technology (MeitY), and The Department of Atomic Energy (DAE) to discuss WhatsApp-Pegasus Surveillance revelations. SFLC.IN also issued its Statement on the WhatsApp Surveillance Issue

 

To support our work on fighting for privacy and security online, you may donate to us at – https://sflc.in/donate.

 

Read the letter below:

 

To
Dr. Shashi Tharoor
Hon’ble Member of Lok Sabha
Chairperson, The Standing Committee on Information Technology
Government of India

 

Via Electronic Mail Communication

 

November 18, 2019

 

Respected Sir

 

Greetings from Software Freedom Law Center, India (SFLC.IN).

 

We are writing this letter in reference to the recent WhatsApp-Pegasus Surveillance revelations (“Revelations”), where a proprietary spyware “Pegasus” developed by an Israel based cyber-intelligence firm “NSO Group Technologies Limited (Q Cyber Technologies)” was allegedly used to conduct targeted surveillance in India.

 

As per the recent news reports, Pegasus was allegedly used to hack into WhatsApp accounts and smart phones of over 1400 individuals globally including certain prominent civil rights advocates, journalists, and politicians in India. The reports of such surveillance were further confirmed by WhatsApp Inc. when it publicly attributed the attack to NSO Group and filed a complaint against it before the Northern District Court of California for unauthorized use of WhatsApp’s servers to install malware in the
targeted victims devices. CitizensLab (University of Toronto) in the analysis of its report titled “The Predator In Your Pocket” observed that the Pegasus was operational in several countries and had been previously used to target journalists and activists globally.

 

While the Government of India has also expressed concern and summoned WhatsApp Inc. to explain the “kind of breach” and “steps taken to ensure privacy of millions of Indians”, NSO’s statement that its software (spyware) are sold only to licensed government intelligence and law enforcement agencies leaves a lot to be clarified as to whether NSO’s services were availed by any Indian Government’s agencies. This incident stands in direct contravention of the constitutional standard for contravention of right to privacy laid down by the Hon’ble Supreme Court in K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1], which requires a) an enabling law, b) a legitimate aim, and c) proportionality with the objectives sought to be achieved.

 

The Revelations also point towards a larger concern regarding the need for reforms in the India’s surveillance regulation framework. At present, the Indian Surveillance Laws under the Indian Telegraph Act, 1885, the Information Technology Act, 2000, and Unified License granted to telecom operators allow for surveillance on several broadly worded grounds such as sovereignty/ integrity of India, security of state and public order. Per a Right to Information request filed by SFLC.in a few years back, the central government alone issues 7500-9000 phone interception orders every month. These provisions do not have any adequate judicial or parliamentary oversight, thus, blurring the lines between limited purpose legitimate surveillance for national security or serious crimes, and spying. The recent reports regarding Government’s plan to operationalize comprehensive surveillance system such as NATGRID further deepens the concerns as the current judicial framework enables the use of such Lawful Interception and Monitoring Systems (“LIMs”) to conduct surveillance of regular citizens as well. More than twenty six (26) domestic and international companies already sell/ are keen on providing Internet surveillance technologies to India. However, due to the lack of adequate oversight and exemption from the Right to Information Act, 2005, there is no visibility to the extent of which these technologies are deployed, leaving the citizens at behest of international groups like CitizensLab and WhatsApp to bring light to any unwarranted surveillance.

 

Enforcement of fundamental rights, dialogues on such laws, and transparency regarding governance inter alia are the basic ethos of a vibrant democracy. However, such practices of unauthorized surveillance and deployment of comprehensive technologies without proper judicial framework cast a chilling effects on right to privacy and freedom of speech and expression.

 

We urge you to initiate discussions with different stakeholders regarding the need for reforms in the existing surveillance legal framework. In 2014, SFLC.in released the most comprehensive report on India’s surveillance laws titled “India’s Surveillance State”
(“Report”) providing a thorough analysis of the current framework, proposed surveillance projects such as NETRA, NATGRID, and Central Monitoring System, and existing laws vis-à-vis privacy principles laid down Universal Declaration on Human Rights and International Covenant on Civil and Political Rights. We’ve attached the Report for your reference. With respect to the WhatsApp-NSO Revelations, we recommend the Committee to consider the following measures:-

 

a) Engagement with Targeted Victims: The Committee should engage with the targeted victims along-with the Committee on Home Affairs, and initiate a Parliamentary investigation into this serious breach.

b) Clarification on Indian Government’s engagement with NSO: The Committee should reach out to the relevant departments and Law Enforcement Agencies (LEAs) seeking clarification regarding the authorization, purchase and use of Pegasus to surveil on Indian citizens.

c) Consultations on the advanced LIMs and judicial reforms: The Committee should initiate discussions on advanced LIMs and proposed projects such as NATGRID with the government and other stakeholders and call for judicial reforms to ensure appropriate judicial oversight over the LIMs.

d) Promote Digital Security Trainings (DSTs): The Committee should promote and engage with organizations such as SFLC.in which conducts DSTs to train people in adopting healthy habits to safeguard privacy and security while using digital devices and Internet based services and/or applications.

 

We sincerely hope that the Committee will take these concerns into consideration. As an organization working extensively on promoting and protecting digital rights of Indian citizens for a decade, we’d be honored to assist the Committee with our research, technology expertise and DST sessions, to help the cause of preserving and promoting digital rights and freedoms of citizens.

 

Thank you very much for your time and consideration.
On behalf of SFLC.IN

 

Sincerely,
Sundar Krishnan
Executive Director, SFLC.IN
Email: sundar@sflc.in
Phone: +91 9953074745
Second Floor, K-9, Birbal Road
Jangpura Extension,
New Delhi -110014