This episode highlights that the country’s surveillance systems are not robust enough to ward off and prevent such attacks in the future.
Illustration: Dominic Xavier/Rediff.com
The tug of war between Facebook-owned WhatsApp, the chat app, and the Indian government has raised many questions on the grey, dimly-lit areas of snooping and surveillance.
While the jury is still out and it is too early to lay the blame squarely either on WhatsApp or the central government, experts feel there needs to be more clarity on the laws surrounding surveillance by the state.
Recently reports surfaced that journalists and human rights activists in India were the targets of a surveillance program carried out using Israeli spyware Pegasus.
The report led to the government categorically denying it had anything to do with the spyware, or even hacking of the WhatsApp profiles of the targeted people.
On the other hand, WhatsApp said it had informed the government about a possible breach as early as May this year.
While both the parties could be right, herein lies the first grey area, noted Namita Viswanath, partner at IndusLaw.
“Today the way the law is there is an obligation on the intermediary to inform the government upon receiving actual knowledge (of breach).
"Now, what comprises this 'actual knowledge' has been much debated.”
The second problem, experts said, is that there is a severe lack of qualified surveillance and monitoring capacities with the government right now.
Add to that is the fact that there is “absolutely no judicial intervention at any stage of the surveillance process” available to Indian citizens whose devices have been compromised, said Mishi Choudhary, technology lawyer and managing partner at Mishi Choudhary & Associates.
“No provision of law talks about judicial oversight in any capacity.
"There currently exists no provision of law whereby users are notified when their communications are subjected to surveillance,” she said.
Though as a general rule, online surveillance by the state is allowed, subject to compliance with a defined process which mandates prior authorisation by an order issued by a competent authority, it can only be put in place with prior approval or in emergent cases with subsequent approval within three days from the commencement of surveillance.
The said surveillance can last up to a maximum of 180 days, said Ameet Datta, partner at Saikrishna & Associates.
Further, what makes this particular case complicated is: though WhatsApp, functioning in India as a social media intermediary, is bound to follow the laws of the land, it is unclear as to how Israel-based NSO Group -- the owner of the spyware -- will be held accountable.
The court case filed by WhatsApp against NSO in the California court shows that NSI intercepted content by installing the Pegasus ‘remote access trojan’ program on individual devices, using WhatsApp resources.
NSO recurved this material on servers set up and maintained by NSO which was subsequently provided to its clients, noted Datta.
“The onus will be on the Indian government to clarify that any surveillance of Indian citizens, if conducted at the behest of the Indian government, complied with the requirements of Section 69 of the IT Act and its rule,” he said.
This episode also highlights that the country’s surveillance systems are not robust enough to ward off and prevent such attacks in the future, experts said.
“Upcoming surveillance systems, such as the CMS and NETRA, are demonstrably among the most invasive in the world,” Choudhary said.
Even under the current laws, the committee which authorises interception must review its decision every two months and the surveillance permission needs to be renewed.
Non-renewal of such permission is an offence, said NA Vijayashankar, founder of cyber laws portal, Naavi and cyber law expert.