Pegasus Spyware: An Invisible Threat To People’s Privacy In India

M Drushika


Every person’s right to privacy is inalienable and intrinsic. It is the right to be left alone, devoid of intrusion or disturbance. The Oxford English Dictionary defines privacy as “a state in which one is not observed or disturbed by other people” or “the state of being free from public attention.” The Right to privacy is protected by Article 21 of the Indian Constitution, which is an extension of the Right to life and personal liberty.[i] However, with the advent of complex applications of data storage and management, the operation of these rights has become increasingly complex as technology rapidly advances.

Spyware is one such hazardous technology that may invade a person’s privacy. Spyware is malicious software that infiltrates a person’s computer, mobile device, or other devices to collect data about that person and forward it to a third party without their consent. Such malicious spyware is created to profit from stolen data. Spying is an incursion on an individual’s privacy, dignity, and freedom to exercise civic and political rights by having almost complete control over his or her life. Spyware in its most basic form dates from the early 1990s and has now become a thriving business with tens of thousands of players.[ii] Presently, Pegasus is the most used and viable spyware in the world. Pegasus is a proprietary surveillance software developed by the NSO Group (NSO stands for Niv, Shalev, and Omri, the names of the company’s founders), which is an Israel-based company.[iii] Such proprietary software does not respect the freedom of its users as it gives its creator or owner control over its users’ devices.[iv]

Typically, spyware infects a device remotely or is physically installed on the target device, when the user downloads an app from an untrustworthy source or views pirated content on the internet. It may also infect a computer through insecure internet connections or Wi-Fi networks, as well as through clicks on malicious email attachments. Pegasus, on the other hand, may penetrate users’ devices without requiring them to click on a malicious link.[v] In 2016, researchers found that Pegasus penetrated phones via a spear-phishing approach, which involves sending emails or messages that mislead the target into clicking on a malicious link. However, NSO’s attack abilities have advanced since then. Today, the Pegasus spyware can be transmitted via so-called “zero-click” attempts, which do not necessitate a user’s interaction to succeed.[vi] These will typically take advantage of “zero-day” exploits, which are flaws or defects in software that the phone’s developer is uninformed of and so unable to remedy. Pegasus malware is still being deployed, according to a worldwide collaboration dubbed “Pegasus Project” by a collection of 17 media organisations in July 2021, as part of Pegasus Project discoveries and an investigation by Amnesty International.[vii]

What makes Pegasus antithetical to Privacy?

When spyware is installed on a device, it instantly begins capturing photos, videos, and other digital material to deliver to the perpetrator. It can even record calls and monitor a target’s position while operating the mobile’s microphone and camera independently and surreptitiously. With this functionality, the attacker may listen to private and sensitive conversations and relay them back to the user.[viii] Even a missed WhatsApp call might set in motion a chain of events leading to the device being compromised. This underlines that popular claims of end-to-end encryption and security are illusory and fanciful.

In the guise of combatting international crime and terrorism, NSO Group insists on only licensing its spyware to approved government clients.[ix] To accomplish this, the firm signed its first agreement with Mexico in 2011, while former President Felipe Calderon was in office, and offered the government its flagship product Pegasus to track drug gangs.[x] In 2016, Pegasus assisted in the arrest of a prominent Sinaloa Cartel drug kingpin, Joaquín Guzmán alias El Chapo, by obtaining access to his phone and tracking his movements.[xi] The fact that this malware is being utilized to apprehend criminals and terrorists is a positive thing. However, according to reports from 17 media organizations, the NSO-made Pegasus spyware was allegedly used to try to hack into the phones of political leaders, including heads of state, lawyers, activists, and journalists, in countries such as India, the United Arab Emirates, Saudi Arabia, Mexico, Morocco, and Hungary.[xii] There has been proof of Pegasus’s abuse in the past. It was linked to the crown prince of Saudi Arabia’s suspected hacking of Jeff Bezos’ and journalist Jamal Khashoggi’s phones in 2018.[xiii]

The following year, it was discovered that a Pegasus assault via WhatsApp had targeted many Indian attorneys and activists.[xiv] The Citizen Lab issued a study in 2018 that found 45 nations where Pegasus was being deployed.[xv] Pegasus has been connected to the monitoring of around 300 Indian phone lines, including those belonging to opposition leaders such as Rahul Gandhi and top journalists, according to the Pegasus Project.[xvi] Amnesty International conducted forensic examinations on 22 of these phones, which were then peer-reviewed by the Citizen Lab at the University of Toronto.[xvii] Ten of these were firmly identified as Pegasus targets, while the remaining eight were inconclusive. According to The Wire, over 40 journalists, three significant opposition leaders, one constitutional authority, two sitting ministers in the Narendra Modi administration, current and past chiefs and officers of security organisations, and hundreds of businesspeople are among those in the database.

Privacy and Surveillance Related Laws in India

Personal data and information provided or acquired are not protected by a distinct personal data protection law in India. Most of the safeguards are scattered among a multitude of legislation, standards, and recommendations. The Information Technology Act of 2000 (IT Act, 2000) contains the most important provisions. In India, IT Act, 2000 is the main law that essentially deals with electronic commerce and cybercrime. Some of the important provisions of the IT Act, 2000 are as follows:

  • A person who accesses or secures access to a computer or any other computer network without the consent of the owner or the person in charge of it, and extracts, copies or downloads any data from it, is subject to a penalty under Section 43 of the IT Act, 2000.[xviii]
  • Anyone who deletes, destroys, or modifies any information existing in a computer database, decreases its value or utility, or affects it through any other means, intending to cause or knowing that it is likely to cause wrongful loss or harm to the public, is considered a hacker, according to Section 66 of the IT Act, 2000. Hackers may face a three-year prison sentence, a fine of up to two lakh rupees, or both, according to this section.[xix]
  • In the interest of India’s integrity or sovereignty, the State’s public order, friendly relations with foreign states, or security, or to prevent provocation to commit a cognizable offence, Section 69 of the IT Act, 2000 directs any government agency to intercept data channelled through any computer network, provided the reasons are recorded in writing. The government, on the other hand, is not permitted to install spyware or hack a mobile device under this clause.[xx] Section 5(2) of the Indian Telegraph Act, 1885 is similar to this section.[xxi]

However, the IT Act’s only explicit provision dealing with privacy and breach of confidentiality is Section 72. Section 72 of the IT Act, 2000 stipulates that anybody who discloses the contents of any electronic record, register, book, or another item without the consent of the person involved, will suffer a two-year jail sentence, a fine of one lakh rupees, or both.[xxii]

Data Protection Bill: The need of the hour

When sensitive information falls into the wrong hands, awful things can happen. For instance, a security breach at a government institution could provide access to sensitive information. When it comes to data privacy, it appears that users have every option except the one they desire, which is control over their data. The Data Protection bill involves understanding who collects data, where it is held, how it is used, and what can be done if the data is misused. There have been far too many occasions when personally identifiable information, whether anonymized or not, has been misused.[xxiii] According to research by analysis firm Canalys, the data of almost three-quarters of the nation’s adult population has been in jeopardy since 2017. The bulk of these attacks occurred while India advanced its IT reforms, digitizing different documents, and the danger of more incursions is likely to rise.[xxiv]

What is the Data Protection Bill?

In December of 2019, the Minister of Electronics and Information Technology introduced the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha. The PDP Bill’s objective was to protect people’s privacy concerning their personal data as well as to establish a Data Protection Authority of India for these purposes and matters of an individual’s personal data. The PDP Bill regulates the processing, collecting, use, disclosure, storage, and transfer of personal information, among other things. The bill regulates the processing of personal data acquired, released, shared, or otherwise processed on Indian soil by the Indian government, a citizen or any corporation established under Indian law. The bill also applies to non-Indian data processors if the data is processed in conjunction with any commerce conducted in India, or any activity of providing products or services to data principals in India. It will not, however, apply to anonymized data, in which personal data is converted into a form that makes it impossible to identify a data principal and complies with the authority’s criteria of irreversibility.

The bill establishes a Data Protection Authority that has the authority to safeguard individual interests, prevent abuse of personal data, and verify that the Bill is followed. It will include a chairperson and six members, all of whom have at least ten years of experience in data security and information technology. The bill also categorizes data into Personal Data, Sensitive Personal Data, and Critical Personal Data, and imposes limits on the transfer of Personal Data. With the rise of user-generated data and the ever-increasing industrial value of data, it is more important than ever for governments to defend individuals’ data rights. Individuals’ personal data is protected by data-protection laws, which govern the collection, use, transfer, and disclosure of such data. They also provide individuals access to their data and impose accountability standards on businesses that collect personal data, as well as enabling remedies for unauthorized and harmful processing.

However, there are major drawbacks to this bill. The PDP Bill establishes a monopoly in which the state and its agencies will have access to all data, both personal and non-personal. While it protects Indians’ personal data by giving them primary rights, it also grants the central government exemptions that go against the principles of processing personal data. This bill protects people’s fundamental rights, such as the right to privacy and the right to data protection, but it also allows the government to process even sensitive personal data as necessary without the data owners’ express consent.

Privacy a Fundamental Right: Courts’ Verdicts

In 1962, the Supreme Court (SC) in Kharak Singh v. the State of U.P. evaluated the impact of police monitoring in the form of domiciliary visits, which involved police entering the appellant’s residence at night, as an infringement of his privacy.[xxv] In People’s Union for Civil Liberties (PUCL) v. Union of India, the SC upheld that telephone tapping violated the basic right to privacy, thereby highlighting the right to privacy.[xxvi] The SC unanimously affirmed the right to privacy as a basic right under Articles 14, 19, and 21 of the Constitution in a historic judgment of K. S. Puttaswamy and Anr. v. Union of India and Others in August 2017.[xxvii] In this historic judgement, the SC ruled that privacy is a cornerstone and critical component of the judicial fights to come over the government’s surveillance powers.

In Vinit Kumar vs. CBI, the Bombay High Court held that monitoring a businessman’s phone calls constituted an infringement of his right to privacy.[xxviii] The Bombay High Court further opined that wiretapping and intercepting phone calls are not justified unless there was a threat to the public or a need for public safety and ordered that any material collected through the interception be deleted.


India is a democratic country, and its people are at its core. Citizens’ essential fundamental rights are violated when events like Pegasus spying occur. Surveillance is an infringement on personal rights in and of itself and therefore violates both Article 14 and Article 19 of the Constitution. Such an intrusion has a chilling effect on the populace, causing people to practise self-censorship in case someone is listening. Monitoring places psychological constraints on citizens, obstructs intellectual privacy, and inhibits citizens from expressing controversial ideas for fear of repercussions.

The PDP Bill has been impacted by geopolitical events and the nation’s constitutional principles. The PDP Bill was drafted in response to the acknowledgement of the right to privacy as a constitutionally recognised basic right. Its dual aims are to safeguard personal data while also allowing the data economy to flourish. The PDP Bill does, however, have certain significant flaws such as the government’s exclusive control of data and the risk of exploitation by the Government. As a result, it is critical to guarantee that every individual has the right to exercise control over his or her personal data and is able to govern his or her own life, which includes the right to control his or her own life and online presence.

[i] India Const. art. 21.

[ii] Christian Kemp, Spyware: Why the booming surveillance tech industry is vulnerable to corruption and abuse, TECH XPLORE (22 July, 2021, 2:24 PM).

[iii] Cyber Intelligence for Global Security and Stability, NSO Group.

[iv] Proprietary Software Is Often Malware, GN.

[v] Akarsh Verma, Pegasus spying: how Pegasus is installed on phones, what it does, and how to get rid of it, INDIA TODAY (18 July, 2021, 12:28 PM).

[vi] Nandagopal Ranjan, Explained: Pegasus uses ‘zero-click attack’ spyware; what is this method?, THE INDIAN EXPRESS (3 August, 2021, 1:40 PM).

[vii] Howie Shia, Forensic Methodology Report: How to catch NSO Group’s Pegasus, AMNESTY INTERNATIONAL (18 July, 2021, 5:00 PM).

[viii] David Peg & Sam Cutler, What is Pegasus spyware and how does it hack phones?, THE GUARDIAN (18 July, 2021, 7:00 PM).

[ix] NSO Group, NSO Group Transparency and Responsibility Report.

[x] Bhanukiran Gurijala, What is Pegasus? A cybersecurity expert explains how the spyware invades phones and what it does when it gets in, THE CONVERSATION (9 August, 2021, 10:26 PM).

[xi] Sidney Fussel, The Spyware That Brought Down El Chapo’s Drug Empire, THE ATLANTIC (15 January, 2019).

[xii] Paul Lewis et al., Revealed: leak uncovers global abuse of cyber-surveillance weapon, THE GUARDIAN (18 July, 2021, 7:01 PM).

[xiii] Stephanie Kirchgaessner, UN experts demand US inquiry into Jeff Bezos Saudi hacking claims, THE GUARDIAN (22 January, 2020, 6:03 PM).

[xiv] Krishnadas Rajgopal, Allegations of snooping using Pegasus mere ‘conjectures and surmises’: Government, THE HINDU (16 August, 2021, 11:59 PM).

[xv] Bill Marczak et al., Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries, THE CITIZEN LAB (18 September, 2018).

[xvi] Joanna Slater & Niha Masih, The spyware is sold to governments to fight terrorism. In India, it was used to hack journalists and others, THE WASHINGTON POST (19 July, 2021, 7:00 AM).

[xvii] Bill Marczak et al., Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware, THE CITIZEN LAB (31 October, 2019, 8:58 PM).

[xviii] Information Technology Act, 2000, § 43, No. 21, Act of Parliament, 2000 (India).

[xix] Information Technology Act, 2000, § 66, No. 21, Act of Parliament, 2000 (India).

[xx] Information Technology Act, 2000, § 69, No. 21, Act of Parliament, 2000 (India).

[xxi] Indian Telegraph Act, 1885, § 5(2), No. 13, Act of Parliament, 1885 (India).

[xxii] Information Technology Act, 2000, § 72, No. 21, Act of Parliament, 2000 (India).

[xxiii] Krishnanand Tripathi, India’s Nightmare: Threat of large scale misuse of Aadhar data is real, FINANCIAL EXPRESS (17 April, 2019, 11:06 PM); Michael Hill & Dan Swinhoe, The 15 biggest data breaches of the 21st century, CSO INDIA (16 July, 2021, 2:30 PM).

[xxiv] Rishi Ranjan Kala, Data of 80% of adult Indian users compromised in last 4 years: Canalys, FINANCIAL EXPRESS (5 May, 2021, 3:30 AM).

[xxv] Kharak Singh v. State of U.P., 1963 AIR 1295.

[xxvi] People’s Union for Civil Liberties (PUCL) v. Union of India, AIR 1997 SC 568.

[xxvii] K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Others, (2019) 1 SCC 1.

[xxviii] Vinit Kumar vs. Central Bureau of Investigation, 2019 SCC OnLine Bom 3155.

M Drushika is a 2nd year law student at Symbiosis Law School, Hyderabad.

Image Credits:  Matthew Henry on Unsplash

