In November 2019, several lawyers and human rights activists had been targeted by spyware that allowed attackers unfettered access to information stored on victims’ phones, leading to a frightening compromise of their privacy and pointing fingers towards excessive state surveillance.
Pegasus is spyware that can be installed on devices running some versions of iOS, Apple’s mobile operating system, as well as on devices running Android.
- It was developed by the Israeli cyber arms firm, NSO Group.
- It was discovered in August 2016 after a failed attempt at installing it on an iPhone belonging to a human rights activist.
- The mobile espionage software was meant for use by governments that could purchase it on a per-licence basis. However, time and again, it has been suspected to be involved in illicit practices.
- The same Pegasus software was used by Saudi Arabia to spy on the murdered journalist Jamal Khashoggi.
- Pegasus is capable of reading text messages, tracking calls, collecting passwords, tracing the location of the phone, accessing the target device’s microphones and video cameras, and gathering information from apps.
Pegasus Attack methodology
It exploits three vulnerabilities:
- Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel’s location in memory.
- Kernel memory corruption leading to jailbreak – A kernel memory corruption vulnerability that allows the attacker to secretly jailbreak the device and install surveillance software.
- Memory corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
The Panopticon is a disciplinary concept brought to life in the form of a central observation tower placed within a circle of prison cells.
- From the tower, a guard can see every cell and inmate but the inmates can’t see into the tower. Prisoners will never know whether or not they are being watched.
- This was introduced by English philosopher Jeremy Bentham.
- It was a manifestation of his belief that power should be visible and unverifiable.
- Through this seemingly constant surveillance, Bentham believed all groups of society could be altered.
- Morals would be reformed, health preserved, industry invigorated, and so on – they were all subject to observation.
The Panopticon today
- Today, we can identify panopticism in new technologies rather than in prison towers.
- Philosopher and psychologist Shoshana Zuboff highlights what she calls “surveillance capitalism”.
- Zuboff outlined the PC’s role as an “information panopticon” which can monitor the amount of work being completed by an individual.
- Employers can get programs to covertly track keystrokes of staff working from home to make sure they really are putting in their hours.
- Parents can get software to monitor their children’s mobile phones.
- Governments around the world are passing laws so they can collect internet data on people suspected of planning terror attacks.
- Public transport cards can be used to monitor physical movements of citizens.
- This sort of monitoring and data collection is particularly analogous to the Panopticon because it’s a one-way information avenue.
- In modern academic literature on social media, terms like lateral surveillance, social searching, and social surveillance are employed to critically evaluate the effects of social media.
Surveillance in India
The government derives some of its powers to conduct electronic surveillance from Section 69 of the Information Technology (IT) Act.
- The procedures for such surveillance are defined in the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009.
- It is these rules, and not the parent Act, that define the terms “interception” and “monitoring” as “acquisition of the contents of any information through the use of any means” and “to view or to inspect or listen to or record information”, respectively.
- These all-encompassing definitions seemingly permit authorized law enforcement agencies to use Pegasus-like tools.
- However, the IT Act also penalises unauthorised access to computers without the owner’s permission.
- These provisions, namely Sections 43 and 66, do not carve out an exception for law enforcement agencies.
- Therefore, no law enforcement agency can “hack” devices, though they may “intercept” or “monitor” through other means.
- Additionally, the Supreme Court’s privacy verdict held that any invasion of privacy by the state must be based on a law.
Issues with spyware surveillance
- The use of spyware gives the state access to private conversations, including privileged communications with lawyers.
- Such an infringement of rights may be justified for militants suspected of actively planning an armed attack.
- For academicians and human rights activists, the use of broad surveillance without any evidence or anticipation of such activities is unfathomable in a democracy.
- This may lead to infringement of the fundamental rights of speech and expression.
- It may also be used to silence criticism of the ruling government.
- It is crucial to ensure that state agencies run surveillance operations only with statutory authority.
- There is a need to introduce judicial and parliamentary oversight.
- Depending on the concerns of law enforcement, it may be necessary to enact legislation permitting “hacking” into devices on extremely limited grounds.
- Justice Srikrishna Committee’s recommendations and the Data Protection Bill to guarantee the privacy and security of Indians.
- Use of surveillance spyware must be backed by concrete facts and must not serve as a means to muzzle criticism of the executive.