PEGASUS PROJECT: UN EXPERTS CALL FOR MORATORIUM ON SALE OF SURVEILLANCE TECHNOLOGY
WHY IN NEWS?
- Recently, it has been reported that Pegasus, the malicious software, has allegedly been used to secretly monitor and spy on an extensive host of public figures in India.
ABOUT PEGASUS:
- It is a type of malicious software (malware) classified as spyware.
- It is designed to gain access to devices without the knowledge of their users, gather personal information, and relay it back to whoever is using the software to spy.
- Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010.
- The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
- Since then, however, NSO’s attack capabilities have become more advanced.
- Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
- These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.
Targets:
- Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm.
- Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.
- In 2019, WhatsApp filed a lawsuit in a US court against Israel’s NSO Group, alleging that the firm was carrying out cyber-attacks on the application by infecting mobile devices with malicious software.
RECENT STEPS TAKEN IN INDIA:
- Cyber Surakshit Bharat Initiative: It was launched in 2018 with the aim of spreading awareness about cybercrime and building capacity in safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
- National Cyber Security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.
- Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
- Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government.
- National Cyber Crime Reporting Portal has also been launched pan India.
- Computer Emergency Response Team – India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
SURVEILLANCE LAWS IN INDIA AND PRIVACY
TELEGRAPH ACT:
- Under Section 5(2) of this law, the government can intercept calls only in certain situations:
- Interests of the sovereignty and integrity of India,
- Security of the state,
- Friendly relations with foreign states or public order,
- Preventing incitement to the commission of an offence.
- These are the same restrictions imposed on free speech under Article 19(2) of the Constitution.
- However, these restrictions can be imposed only when there is a condition precedent – the occurrence of any public emergency, or in the interest of public safety.
- Further, the grounds for selecting a person for surveillance and the extent of information gathering have to be recorded in writing.
- This lawful interception cannot take place against journalists.
- Provided that press messages intended to be published in India of correspondents accredited to the Central Government or a State Government shall not be intercepted or detained, unless their transmission has been prohibited under this subsection.
- Supreme Court Intervention: In Public Union for Civil Liberties v Union of India (1996), the SC pointed out the lack of procedural safeguards in the provisions of the Telegraph Act and laid down the following observations:
- Tapping is a serious invasion of an individual’s privacy.
- It is no doubt correct that every Government exercises some degree of surveillance operation as a part of its intelligence outfit but at the same time citizen’s right to privacy has to be protected.
- Sanction for Interception: The abovementioned Supreme Court’s observations formed the basis of introducing Rule 419A in the Telegraph Rules in 2007 and later in the rules prescribed under the IT Act in 2009.
- Rule 419A states that a Secretary to the Government of India (not below the rank of a Joint Secretary) in the Ministry of Home Affairs can pass orders of interception in the case of Centre, and similar provisions exist at the state level.
IT ACT, 2000:
- Section 69 of the Information Technology Act and the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 were enacted to further the legal framework for electronic surveillance.
- However, the scope of Section 69 of the IT Act is much broader and vaguer than that of the Telegraph Act, as the only condition precedent for engaging in electronic surveillance is the “investigation of an offence”.
- These provisions are problematic and offer the government total opacity in respect of its interception and monitoring activities.
ASSOCIATED ISSUES WITH THE SURVEILLANCE:
- Legal Loopholes: According to the Centre for Internet & Society, the gaps in laws allow surveillance and affect privacy. For example:
- Ambiguity on issues like type of interception, granularity of information that can be intercepted and the degree of assistance from service providers helps in bypassing the law and aids surveillance by the state.
- Affects Fundamental Rights: The very existence of a surveillance system impacts the right to privacy (held by the SC in K.S. Puttaswamy v. Union of India case, 2017) and the exercise of freedom of speech and personal liberty under Articles 19 and 21 of the Constitution.
- Authoritarian Regime: Surveillance promotes the spread of authoritarianism in the functioning of government, since it allows the executive to exercise a disproportionate amount of power over citizens and impacts their personal lives.
- Threat to Freedom of Press: Current revelations over the use of Pegasus highlight that surveillance was also conducted on many journalists. This affects freedom of the press.
INTERNATIONAL MECHANISMS:
- International Telecommunication Union (ITU): It is a specialized agency within the United Nations which plays a leading role in the standardization and development of telecommunications and cyber security issues.
- Budapest Convention on Cybercrime: It is an international treaty that seeks to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1st July 2004.
- India is not a signatory to this convention.
TYPES OF CYBER ATTACKS
- Malware: Short for malicious software, it refers to any kind of software that is designed to cause damage to a single computer, server, or computer network. Ransomware, spyware, worms, viruses, and Trojans are all varieties of malware.
- Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
- Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
- DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
- Man-in-the-middle (MitM) attacks: Also known as eavesdropping attacks, these occur when attackers insert themselves into a two-party transaction.
- Once the attackers interrupt the traffic, they can filter and steal data.
- SQL Injection: SQL stands for Structured Query Language, a programming language used to communicate with databases.
- Many of the servers that store critical data for websites and services use SQL to manage the data in their databases.
- A SQL injection attack specifically targets such kinds of servers, using malicious code to get the server to divulge information it normally wouldn’t.
- Cross-Site Scripting (XSS): Similar to an SQL injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked.
- Instead, the malicious code the attacker has injected runs only in the user’s browser when they visit the attacked website, and it goes after the visitor directly, not the website.
- Social Engineering: It is an attack that relies on human interaction to trick users into breaking security procedures in order to gain sensitive information that is typically protected.