The Pegasus surveillance software today represents a new, advanced layer of spyware intelligence. It differs from earlier instances of phone tapping in that Pegasus allows the spyware to be injected into targeted mobile phones through non-click methodologies. Hence, it represents a sophisticated level of how monitoring through spyware can be effectively enforced today.
The Pegasus controversy has actually thrown up some very interesting cyber legal questions. This is a classical case of spyware that has led to monitoring and interception.
This software has been subscribed to by various governmental agencies across the world. This is so because a number of countries across the world do not have cyber security laws to deal with technological advancements in surveillance techniques. Most countries have in place traditional cyberlaws, which are more focused on promoting the electronic format and electronic commerce.
Only a handful of countries across the world have dedicated cyber security laws, including China, Vietnam and Singapore, to name a few.
Coming to the Indian context, one needs to quickly realize that India does not have any dedicated cyber security law. The Indian Cyberlaw, being the Information Technology Act, 2000, is primarily a twenty-one-year-old legislation which was amended only once, in the year 2008. Since there have been massive technological advancements in surveillance techniques over the last decade, it is clear that the existing legal frameworks are not adequate to deal with advanced surveillance technologies and their newly evolved manifestations.
As of now, the only law applicable to such a mechanism is the Information Technology Act, 2000. Section 69 of the Information Technology Act, 2000 deals with lawful interception. This law allows legal interception by the Central Government only in the interests of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to the above or for investigation of any offence.
The said interception has to follow the lawful interception process, including the requirements of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
It is important to note that the legal frameworks on interception in our country were laid down back in the year 2000 and do not have adequate resources to deal with current technological advancements in surveillance techniques. As of now, in India, spyware is illegal. This is so because spyware performs activities which constitute cybercrimes under Section 66 read with Section 43 of the Information Technology Act, 2000.
Spyware also performs activities which qualify as cybercrime under Section 66B of the Information Technology Act, 2000, dealing with stolen computer resources.
Further, spyware also attracts various provisions of the Indian Penal Code, 1860.
In this context, the way forward clearly is that a lot of work needs to be done to ensure that illegal surveillance does not become the norm of the day.
As of now, individuals dissenting against the Government are pretty vulnerable to such surveillance. Further, surveillance is now becoming a legitimate tool in the hands of Governments in today’s context. Hence, it is all the more necessary that the Indian Cyberlaw be amended to provide appropriate checks and balances on the misuse of surveillance technologies for interception purposes. Even the parameters for lawful interception under Section 69 of the Information Technology Act, 2000 are pretty broad.
Given the new technological advancements in surveillance techniques, it becomes even more necessary to insert appropriate checks and balances under the current provisions of Section 69 of the Information Technology Act, 2000. The Information Technology Act, 2000 needs to be appropriately amended in this regard. Further, India also needs to have a dedicated cyber security law which can actually prevent the misuse of such technological advancements in surveillance techniques.
There is no denying the fact that interception and monitoring are important tools for the Government. However, the massive powers given to the Central Government for interception under Section 69 of the Information Technology Act, 2000 need to be read down. This is imperative to ensure that the Government of the day does not have the right to employ such surveillance techniques that do not serve any real purpose besides targeting opponents.
Further, the Government will have to be wary while using technologies like spyware for interception, surveillance and monitoring, as those technologies are distinctly illegal under the Indian Cyberlaw.
The said spyware technologies will continue to be illegal until the Indian Cyberlaw is amended and a new legislative framework comes forward.
Given that today’s new surveillance techniques are extremely advanced and sophisticated, it is not even possible to explore all the scenarios of misuse of such surveillance techniques. Hence, it becomes all the more imperative that appropriate checks and balances be explicitly spelt out in law.
The Pegasus controversy is an event that has shaken all stakeholders who tend to take the internet and cyber security for granted.
This episode needs to be a wake-up call for all digital ecosystem stakeholders to come out of their deep slumber and to come up with more updated and appropriate strategies to deal with the constant challenges thrown up by surveillance technologies and increasing cyber security breaches.
The time has come when not only do the appropriate cyber legal frameworks need to be amended and updated to limit the potential misuse of such surveillance technologies, but there also exists a distinct need to strengthen the hands of digital users in terms of effectively protecting their digital rights and liberties.
As I have already argued in my book “New Cyber World Order Post Covid-19”, the world is inching towards a new cyberspace by the time it is victorious in its fight against the current and other subsequent waves of coronavirus infections. This New Cyber World Order will be an ecosystem where nation states will become more powerful and where there will be an increasing interference in the enjoyment of digital liberties and rights of the citizens.
I believe, going forward, we have to be mentally prepared. There is nothing known as absolute security. We are always going to be potentially targeted by cyber criminals. Our cyber security is going to be always under breach and attack. Therefore, the quicker we start adopting cyber security as a way of life, the quicker we start getting duly diligent and careful, while doing our activities concerning the electronic ecosystem, the better it will be in terms of protecting our data as also our digital present and digital future.
The new cyberspace is a constantly changing target. Hence, we need to update our awareness about new surveillance levels as also our digital skills to deal with the various complicated legal issues and challenges that are thrown up by the advent of this new era of cyberspace.
In the coming years, the cyber ecosystem is going to present numerous distinctive challenges. The advent of new technologies like Artificial Intelligence (AI), Internet of Things (IoT) and Blockchain now means that the avenues for monitoring will also be substantially enhanced. The threat surface, which is itself under attack, is constantly increasing.
Hence, countries like India need to take more holistic perspectives on how to prevent cyber security breaches and also to prevent the unauthorized misuse of surveillance and interception.
As time passes, it will be imperative that the country as a whole strive to achieve the golden balance between protecting the sovereign interests of the sovereign government on the one hand and protecting the civil liberties and rights of individuals on the other.
(The author Dr. Pavan Duggal, Advocate, Supreme Court of India, is an internationally renowned expert authority on Cyberlaw and Cybersecurity law. He has been acknowledged as one of the top four Cyber lawyers in the world. He is also the Chairman of International Commission on Cybersecurity Law. You can reach him at firstname.lastname@example.org. More about Dr. Pavan Duggal is available at www.pavanduggal.com.)