India’s Deep State: Is any citizen safe?

Crucial questions raised at online discussion co-organised by Free Speech Collective , NWMI and SabrangIndia on the implications of Pegasus Project, targeted surveillance and violation of privacy by the Indian Gov’t

Online DiscussionImage

An online discussion titled “India’s Deep State: Is Any Citizen Safe?” that analysed “Implications of Pegasus Project, targeted surveillance, violation of privacy by Indian Gov’t” organised by Network of Women in Media, India (NWMI) and SabrangIndia, brought together domain experts and journalists to examine the veritable can of worms opened in wake of shocking disclosures in the Pegasus spyware scandal.

Brief background of the Pegasus Project

Investigations into the ‘Pegasus Project’ began four months ago, when non-profit French organisation Forbidden Stories, that supports investigative journalism, suspected that Indian journalists’ phones were targeted. They got in touch with MK Venu and Sidharth Varadarajan, founding editors of The Wire. They were among the Indian whose phones were said to be infected with the Pegasus spyware.

The Wire joined the global investigations that came to be known as the Pegasus Project which was launched by the Forbidden Stories and Amnesty International. The list of Indian ‘targets’ of the Pegasus malware that Forbidden Stories had uncovered in India, was shared with The Wire. The ongoing investigation, and forensic analysis has so far confirmed that 10 phones of journalists have been ‘fully infected’, said Venu.

Many on the list gave their phones for testing, many more are yet to do so. Fear still reigns supreme on the minds of many of those who are on the ‘list’ of those who may have been subjected to surveillance. The vulnerability runs deep, as the total number of those whose phones may be infected is higher than those disclosed so far.  

The global ‘Pegasus Project’ investigation by Forbidden Stories and Amnesty International has revealed how the citizens “deemed by their governments to be a threat” as well as their families and associates have been subjected to surveillance. Also on the list interestingly are ministers, jurists and even regular citizens. The government’s official statement has been a denial and accusing the news investigations as an attempt ‘to malign Indian democracy and its well-established institutions.’ India so far seems far from initiating an official investigation, even though West Bengal Chief Minister Mamata Banerjee has set up an enquiry committee helmed by Justice (retd) MB Lokur and Justice (retd) Jyotirmay Bhattacharya to probe the Pegasus attack.

Shocking revelations, pertinent questions

“Prashant Kishore’s phone was fully infected,” said Venu who was one of the key speakers at the online discussion organized on Monday July 26, 2021, adding that the investigation was ongoing. There is a “shocking list of army guys, a BSF general who was a part of a border system management team, a CBI director,” he added, highlighting that it was “odd that the Government was in a denial mode”. As the government has so far denied having anything to do with the Pegasus malware, and has said it has not bought it, according to Venu it has “painted itself into a corner”. 

The Indian targets, as multiple reports continue revealing names, include independent journalists, leading human rights activists, student leaders, scientists, professors, lawyers, politicians and prominent dissidents. Pegasus malware that enables remote surveillance of all models of mobile phones is sold by the Israeli-based NSO Group, “avowedly only to authorised governments, to combat terror and crime,” recalled Geeta Seshu founding co-editor of the Free Speech Collective and senior NWMI member. “We know the NSO clients were select, verified, authorised states and state agencies, including Azerbaijan, Hungary, Bahrain, Morocco, Saudi Arabia, Togo, Rwanda, Mexico and of course India,”’ said Seshu. She added that in India, the tool was used “not to combat terror or crime, but to conduct surveillance of well-known journalists, human rights activists, prominent dissenters, families of political prisoners, members of the ruling BJP, and even their house help. The tool was used to monitor the life of a woman and her family, after her complaint of sexual harassment against then chief justice Ranjan Gogoi.” Seshu asserted that over the last decade India had moved “inexorably towards becoming a surveillance state” adding that there still was no proper data protection law.

“France, Hungary, Israel, Mexico have announced enquiry. The Govt (of India) is now under pressure. It is a global issue,” said Venu, adding that “WhatsApp was also infected by Pegasus in 2019.” 

Out of the 20-21 phones of Indian journalists tested, Venu said, “10 were found to be fully infected. That amounts to a 50 percent strike-rate. As [Edward] Snowden had said that 50 percent was a significant strike rate.”

However, the official denial of any government involvement has led to another crucial question. According to Venu, as many “editorials pointed out that if the spyware was not actioned by the govt then all the more reason to investigate. It is a cyber attack by a foreign power.” Many journalists who are on the Pegasus list, may go to court.  

According to Mishi Choudhary, technology lawyer and civil liberties activist, who is the Legal Director of the New York based Software Freedom Law Centre there are “at least 500 software companies that sell spyware to oppressive regimes, worldwide”. However, even though India is witnessing a massive cyber-attack against civilians, she said the denials are coming from the government itself. Choudhary added that the civilians attacked by the malware “are those who incarnate democracy,” yet in India it is seen as “somewhat legal” as “everything in the name of digital India is online. This is a malicious software installed on devices that are now the life and blood of everything. You can’t get ration, covid vaccine without apps.”

Spyware and the Bhima Koregaon Case

Noted lawyer, human rights activist Mihir Desai connected the dots on how such surveillance, data mining, has in fact “reached planting evidence as we saw in Bhima Koregaon case.” He said the “challenge to surveillance is based on the right to privacy” and emphasised, “Law does not allow planting of evidence. In the Bhima Koregaon case, the Arsenal report mentioned that malware could have been easily detected.” Desai recalled that now “no one knows if their phone is hacked. It is real-time tapping,” and that the weak Data Protection Bill is still pending in Parliament.

“We know mobile systems are not secure. We are perhaps the only democracy that has no judiciary oversight on surveillance,” added Choudhary revealing that according to 2014 information, “around 7,500 phones were tapped every month” in India. That was the last year such information was shared. “There were three surveillance projects started under [Congress led] UPA. It doesn’t matter which party is in power, there is a desire to control,” she said, adding that a case was filed in Delhi High Court and letters written to the standing committee on IT, in 2019, however there is no news of any report on that yet. “World over moratoriums are being imposed. Face recognition is recognised as dangerous. But India marches on,” said Choudhary, adding that “surveillance is putting society as a whole in danger.”

Privacy related litigation, oversight and accountability

Apar Gupta, lawyer and Executive Director of the Internet Freedom Foundation (IFF), who has filed several petitions in the Supreme Court on Internet-related policy issues that impinge on citizens’ rights said claims by NSO that Pegasus is used to survey legitimate criminal cases has no ground. “Pegasus goes far above ‘tapping or listening’. It’s not a passive attack but a malware attack,” said Gupta adding that in his legal opinion “Pegasus is a cyber weapon” that requires multiple clearances. 

Claims by NSO group do not stand to muster, said Gupta, adding that it was in 2019 when the first tranche of disclosures was made by Financial Times reportage, that several activists were notified by WhatsApp that their phones were intercepted. They had also deposed before the IT standing committee. The then [IT] minister Ravi Shankar Prasad had not given any clear answers, instead saying in Parliament that if anyone had a complaint, they could register a criminal case. 

Gupta recalled the primary justification by NSO in the Whatsapp Facebook case against it in a California court after the 2019 leak. Whatsapp had then claimed that there was “unauthorised access” to its systems that then undermined it. Gupta read out the Pegasus product description that is an exhibit in the California case that detailed how the ‘product’ [Pegasus] is only sold to governments and state agencies.

NSO had thus claimed “sovereign impunity”, as it only entered contracts with governments. Gupta then showcased an 8 million USD consideration in a contract between NSO and the government of Ghana, and detailed that the software itself is complex and requires “physical presence” of trained experts to be installed in the first place. WhatsApp had in 2019, submitted that NSO is a third-party entity and not a “state agency” and had no claim to sovereign immunity. According to news reports, the California court ruled in favour of WhatsApp in July 2020, and the NSO’s claim to sovereign immunity was dismissed. NSO has challenged this ruling and the case is pending. 

Gupta informed that there has been a subsequent filing by “seven international digital rights organisations” including the IFF, on behalf of victims who have suffered such surveillance.

“Absence of judicial oversight makes it more dangerous,” said human right defender, journalist and SabrangIndia co-founder Teesta Setalvad. She also pointed out how the matter could take a more sisnister direction. “The National Population Register (NPR) rules give power to officials at taluka levels to declare a person ‘non-citizen’”, explained Setalvad highlighting how bureaucratic powers are used. When Setalvad asked if privacy judgements can be used in the Pegasus case, senior lawyer Desai said while one can sue a person who invades privacy, the first problem is identifying who it is asking, “How will those governments who use spyware, issue a moratorium for the same?” Setalvad raised a crucial point. She drew a connection between the need for open and free coding asking, “Why are codes in EVM not made public?” 

A viewer asked if there was a way to block this software completely? According to Mishi Choudhary there isn’t one, but everyone can “indulge in preventive behavior”. She called for a public commentary on such tools, as the surveillance “is not ending anytime soon. There is going to be a constant struggle.” According to Choudhary, the role of private companies and how various applications enable invasion of privacy, should also be remembered, “we have built tech, but we end up paying for them with our civil liberties. We have to question if the apps are really helping us.”

Gupta demanded, “Victims of Pegasus need remedy as well. They need a certain degree of apology.”

“Energies, resources need to be channeled in saying ‘stop using tech against me’. Technology is always two steps ahead of regulation. Law two steps behind regulation,” added Choudhary.

Venu asked, “Pressure needs to be brought by the Opposition and the media. We cannot have bureaucrats deciding whether a media content should be censored or not. For tapping also, why should HM decide?”

According to Choudhary there is in fact a “need for global moratorium and international pressure” to be put on governments.

However, many questions remain:

  • What is the extent of this surveillance?
  • At what cost, in monetary terms, was it ordered?
  • Where did the funds come from?
  • Which agencies of the government have been deployed to conduct it and on what grounds?
  • How does this surveillance affect the democratic rights of citizens to function freely and without threat to their personal and professional security? 

“The nature of the Indian state is changing in front of our eyes. There is no accountability,” said Setalvad calling for a need for “collective action, more discussions in non-English languages” as even the regional media is worried about Pegasus surveillance and they do not have the visibility of the mainstream English media. “Fear holds people back because people can see what this regime is capable of. Collective actions required to overcome the fear,” concluded Setalvad.

The entire discussion may be viewed here: 


Pegasus scandal: Justice Lokur part of West Bengal’s inquiry commission
Pegasus spyware trotting into ministers’ phones, who is next?
Another bullet from Arsenal pierces through NIA’s Bhima Koregaon case!
Handling of electronic evidence by agencies a perversion of criminal justice: CCG
Rona Wilson moves Bombay HC, demands probe into ‘planted evidence’



Related Articles