Pegasus Spyware Scandal: Laws on Surveillance and Phone-Tapping

The framework for governing surveillance in India is incorporated under two laws: (i) Telegraph Act, 1885 ("Telegraph Act") and (ii) the Information Technology Act, 2000 ("IT Act"). While The Telegraph Act deals with the interception of calls, the IT Act deals with interception of electronic data.

Telegraph Act

Section 5 of the Telegraph Act, commonly known as wire-tapping clause, gives authority to any authorized public official to intercept communications in the situation of any public emergency or in the interest of public safety. However, such interception has to satisfy the following ground: (i) sovereignty and integrity of India; (ii) the security of the State; (iii) friendly relations with foreign states; (iv) public order; or (v) preventing the incitement to the commission of an offence. It is interesting to note that the proviso to Section 5 puts further restriction on the interception of the 'press messages' of the journalists who are 'accredited to the Union government or state government'.

However, due to the broad and subjective grounds, the Supreme Court in the case of People's Union for Civil Liberties v Union of India, laid down certain guidelines^[1] on interception by the government agencies while noting that tapping is a serious invasion on the individual's right to privacy. Later on, the guidelines became the basis of the procedures for interception enshrined in Rule 419A of Telegraph Rules, 2007. Rule 419 A of the Telegraph Rules, 2007 provides that a Secretary to the Government of India in the Ministry of Home Affairs can pass orders of interception in the case of Government of India, and a Secretary to the State government in-charge of the Home Department can issue directives in the case of a state government. In unavoidable circumstances, such orders may be made by an officer, not below the rank of a Joint Secretary to the Government of India, who has been duly authorised by the Union Home Secretary or the state Home Secretary.

In KS Puttaswamy v. Union of India, the Supreme Court held that right to privacy is fundamental right under Article 21 of the Constitution of India and surveillance should be legally valid and serve a legitimate aim of the government. Furthermore, the means adopted by the government should be proportional to the need for surveillance, and there should be clear guidelines to check any possible abuses.

IT Act

Section 69 of the IT Act and the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 are the relevant laws under the IT Act that governs digital surveillance. Section 69 of the IT Act allows for the interception, monitoring and decryption of digital information in the interest of the sovereignty and integrity of India, of the defence of India, security of the State, friendly relations with foreign nations, public order, preventing the incitement to the commission of any cognizable offense relating to the above, and for the investigation of an offense. It is broader in nature than Section 5 of the Telegraph Act in two ways:

Even for the investigation of an offence, the surveillance can be undertaken by the government. It is important to note that there is no requirement of having a reasonable basis to resort to the method of surveillance as long as the government officials are doing for the purpose of investigating an offence

The requirement of satisfying public emergency or public safety is conspicuous by its absence in Section 69 of the IT Act.

The detailed procedure is enshrined in Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 which, inter alia, provides the following safeguards:

1. Recording of reasons for interception of any information.

2. Direction for interception shall not exceed 60 days from the date of its issue. It could be further renewed but the period shall not exceed the total period of 180 days.

3. Destruction of records of information obtained from such interception with 6 months unless such information is required for functional needs.

4. There is a confidentiality obligation on the intermediaries not to disclose any information obtained to third-party.

However, in the case of Pegasus spyware, there is a use of spyware to hack into the mobile phones of the citizens of the country . Section 43 of the IT Act does not allow hacking of mobile phones by any person without the permission of the owner and any person who dishonestly or fraudulently hacks the mobile phone then he or she shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both under Section 66 of the IT Act.

References