The recent NSO spyware scandal comes as an eye opener for the government and people. WhatsApp accounts of number of Indian activists and journalists were snooped into, as part of a surveillance programme, using an Israeli spyware platform. Opposition parties have levelled charges of snooping on the government, which denied the allegation. The government which sought an explanation from WhatsApp on the matter has expressed its dissatisfaction over the response from it.
Anju Grover for Indian Currents spoke to noted cyber law expert Pavan Duggal to know legal options available for action against illegal surveillance and if India is equipped to deal with such attacks in future. Duggal said that it was a gross violation of the Fundamental Right to privacy. He demanded strict action against WhatsApp and NSO under provisions of the Information Technology Act 2000 as the spyware amounts to hacking.
He said that it is a wake-up call for the government to have dedicated stringent cyber laws for data protection and privacy of citizens. Duggal expressed surprise over the fact that no FIR has been registered in the case till date (Nov 8). Also no law enforcement agency took suo motu cognizance of the matter. He demanded an independent probe by police or CBI or court. He suggested that internet users in India should be vigilant to prevent stealing of data from their digital devices.
IC: As a legal expert how do you look at the recent cyber-attack involving vulnerability in the video call feature where WhatsApp accounts of number of Indian activists and journalists were snooped into as part of a surveillance programme using an Israeli spyware platform?
Pavan Duggal: It has come as no surprise. It was disaster waiting to happen. I would say that India is still not fully prepared to deal with these kinds of security breaches. There is no dedicated cyber security law which can provide effective security to internet users. This is in complete contrast to countries like China, Singapore and Vietnam which have got dedicated laws on cyber security. Incidents like these tell the authorities to wake up and come up with cyber security law. These cyber security breaches will become new normal. Hacking takes place on a daily basis. In this uncertain world where hacking and cyber security breaches are new normal, the focus now has to be on legal preparedness to deal with cyber security challenges. We need to have effective legal framework in the context of cyber security.
IC: The breach has shaken the confidence of lakhs of internet users who would easily share personal information on digital devices like mobile phone or laptops for one or the other reason.
It is a wakeup call for internet users in India. There is nothing like absolute security. We will have to evolve cyber security as an integral part of day to day lives. We have to be careful while using Apps, ways to deal with devices, storage processing and transmission of data.
IC: How do you look at the role of government in this case?
The government needs to strengthen its data breach notification laws. On Jan 4 2017 it did come up with a notification which mandates every network service provider to report to the government on 10 different kinds of security breaches. Details of how it has to be reported and the manner of reporting have not been clearly defined. Violators often take advantage of grey areas to their benefit. Data breach notifications should not be in the form of an advisory. In snooping scandal WhatsApp should have given details of all the 121 users to the government whose cyber security was breached.
IC: The government has accused WhatsApp of not disclosing the seriousness of the snooping attack, but the encrypted messaging platform pointed to its earlier communication in May and September to the Computer Emergency Response Team-India. The government official said that it was difficult to ascertain who is behind the attack, as a foreign government, corporations or individuals could have used it to conduct surveillance. Your comments.
India needs to strengthen its cyber security capacity building processes so that stakeholders can be questioned in cases of violation.
IC: Can an action still be taken against WhatsApp or NSO?
An action can be taken under the IT Act and Indian Penal Code. For doing so an FIR has to be registered. It is surprising that neither an FIR has been registered by any law enforcement agency nor any step taken to investigate the matter. Both networks (WhatsApp and NSO) are service provider intermediaries under section 21 W of IT Act. Under section 79 these intermediaries are mandated to exercise due diligence. The NSO has a clear knowledge of how its Pegasus software is going to breach cyber security of devices of users and copy data. However action can be taken under section 66 and section 67 of the IT Act. Section 75 of IT Act says that if your services are available on computers or mobile phones in India then you are duty-bound to comply with the Indian cyber law.
IC: Was WhatsApp spyware row a ‘Gross violation of human rights?
This episode was a gross violation of people’s right to privacy. Privacy is a part of fundamental right to life under article 21 of the Constitution. When software sneaks into mobile phone and indulges in illegal surveillance then it hinders at your capability to lead a dignified life. It leads to a violation of fundamental right and civil liberties. The government is answerable for these violations. Those affected persons can file a writ petition in courts.
IC: BJP leaders say that if companies like WhatsApp have servers in India, it will be easily for the government to stop such kind of surveillance and take action.
The government is within its powers to take action against WhatsApp because latter is bound to comply with Indian law. The government should take stringent action without delay to send message across the country that no one is above law. The fact is that data of Indians is valuable information. It will always been targeted by foreign-based service providers for a variety of vested interests. The IT Act is different from Data Protection law. Unfortunately we do not have a data protection law. There is a need for political will to take action against all offenders
IC: Is proposed Data Protection Bill stringent enough to deal with cases of hacking?
The proposed bill will deal with protection of personal data only, whereas people will require protection of all kinds of data.
IC: The payment feature the Facebook-owned platform is planning to launch in India? Your reaction.
You should not be in a hurry to grant new licences or permission to WhatsApp without being satisfied with its adherence to cyber-security norms, international best practices and Indian laws. For instance, is WhatsApp complying with the rules and regulations of the RBI?
IC: In the light of this scandal, don’t you think that road ahead for internet users in India is not going to be smooth?
Internet users have to be ready for a bumpy road ahead in the wake of snooping scandal. They are always going to be targeted in terms of data and other sensitive data. There will be urgent need for users to come out of complacency and start learning how to deal with cyber security challenges. India needs to have a relook at cyber security. The National cyber security policy of 2013 has been a paper tiger as it has not been implemented properly. The government is working on a new national strategy on cyber security. We will have to wait for it. The government should increase budgetary allocations for cyber security and cyber hygiene. The government should launch an awareness campaign on cyber safety. Children should be sensitized about cyber security at school level.(Published on 18th November 2019, Volume XXXI, Issue 47)