The following article, written by Mr. Anuj Kumar Kashyap (Advocate, Delhi High Court) and based on extensive research, gives an overview of a spyware known as Pegasus, which has been in the news lately, and discusses whether it has violated the fundamental right of privacy guaranteed by the Constitution of India, 1950. If it has, the article goes on to ask what laws have been legislated by the Parliament and what precedents have been set by the High Courts and the Supreme Court of India in this regard.
The following article is very important for aspirants of the Judiciary, UPSC and state civil exams from the point of view of the mains examination. However, it is equally important for the common masses, as the Pegasus spyware has threatened the right of privacy of every citizen.
1. About Pegasus
- It is spyware developed by the Israeli cyber arms firm NSO Group Technologies.
- It is a type of malicious software, or malware, classified as spyware.
- It mainly uses exploit links; clicking on one installs Pegasus on the target’s phone.
- It is designed to gain access to devices without the knowledge of users, gather personal information, and relay it back to whoever is using the software to spy.
- Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010.
- The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
- The list contains 50,000 telephone numbers of people identified as potential targets via Pegasus between 2016 and June 2021. The names include at least 65 business executives, 85 human rights activists, 189 journalists and over 600 politicians and government officials, including heads of state, prime ministers, cabinet ministers, diplomats, military and security officers.
- Over 300 people in the list were Indian politicians, activists, business persons and journalists. It is yet to be ascertained who put the numbers on the list or why.
Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
- Citizen Lab, which has investigated several cases of Pegasus infections, showed through its research that social engineering is a very common strategy for delivering even the most sophisticated spyware.
- Pegasus does so by exploiting vulnerabilities in the phone’s operating systems (OS).
- Lookout, a cybersecurity company, partnered with Citizen Lab to investigate Pegasus and found that it had exploited three zero-day vulnerabilities in iOS to gain full user access to the phone.
- A zero-day vulnerability is a flaw in software or hardware that was previously unknown to the party responsible for it.
- Facebook has sued NSO Group in the US for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with a zero-click exploit.
- In the WhatsApp case, a specially crafted call was used to trigger a buffer overflow, which in turn was used to take control of the device. (WhatsApp sued Israeli technology firm NSO Group, accusing it of using the Facebook-owned messaging service to conduct cyberespionage on journalists, human rights activists and others.)
2. What is "Pegasus" & why in News?
- Pegasus is a hacking software or spyware that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either on iOS or Android operating systems.
- Recently, it has been reported that Pegasus, the malicious software, has allegedly been used to secretly monitor and spy on an extensive host of public figures in India.
- The Israeli spyware, revealed to have been used to target hundreds of phones in India, has grown less reliant on clicks. Pegasus can infect a device without the target’s engagement or knowledge.
3. Targets:-
- Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm.
- Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware.
- In 2019, WhatsApp filed a lawsuit in a US court against Israel's NSO Group, alleging that the firm was carrying out cyber-attacks on the application by infecting mobile devices with malicious software.
4. Recent Steps Taken in India by Central Govt:-
1. Cyber Surakshit Bharat Initiative:- It was launched in 2018 with the aim of spreading awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
2. National Cyber Security Coordination Centre (NCCC):- In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.
3. Cyber Swachhta Kendra:- In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
4. Indian Cyber Crime Coordination Centre (I4C):- I4C was recently inaugurated by the government.
5. National Cyber Crime Reporting Portal has also been launched pan India.
6. Computer Emergency Response Team - India (CERT-IN):- It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
5. Legislation:-
1. Information Technology Act, 2000:-
- It elaborates on offenses, penalties, and breaches.
- It outlines the Justice Dispensation Systems for cyber-crimes.
- It provides for the constitution of the Cyber Regulations Advisory Committee.
- The Information Technology Act is based on The Indian Penal Code, 1860, The Indian Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891, The Reserve Bank of India Act, 1934, etc.
2. Personal Data Protection Bill, 2019:-
- In August 2017, the Supreme Court held that privacy is a fundamental right, flowing from the right to life and personal liberty under Article 21 of the Constitution. The Court also observed that privacy of personal data and facts is an essential aspect of the right to privacy. In July 2017, a Committee of Experts, chaired by Justice B. N. Srikrishna, was set up to examine various issues related to data protection in India. The Committee submitted its report, along with a Draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology in July 2018. The Statement of Objects and Reasons of the Personal Data Protection Bill, 2019 states that the Bill is based on the recommendations of the report of the Expert Committee and the suggestions received from various stakeholders.
6. Judicial Precedents:-
(Case No.1)
7. Types of Cyber Attacks:-
1. Malware:- Short for malicious software, it refers to any kind of software that is designed to cause damage to a single computer, server, or computer network. Ransomware, spyware, worms, viruses, and Trojans are all varieties of malware.
The malware infects both iOS and Android devices and grants access to all information stored in a smartphone.
2. Phishing:- It is the method of trying to gather personal information using deceptive e-mails and websites.
3. Denial of Service attacks:- A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
8. Others:-
1. Spyware usage is tantamount to hacking of a communication device. It performs activities like copying data and sending data to an outside device, all without the permission or knowledge of the concerned person. These are classical offences under Sections 66 and 43 of the Information Technology Act.
2. Supreme Court lawyer and cyber law expert Pavan Duggal says that spyware cannot be brought within lawful interception under Section 69 of the IT Act.