Much like our representation to the Standing Committee on Home Affairs, we sent across a few concerns on the Pegasus Spyware incident to the Standing Committee on IT that we thought needed addressing at their meeting on November 20, 2019. Our primary ask has been that the Committee invite those affected by the hacking to provide testimonials!
If you haven't caught up with the goings-on around India's recent cyber-security incident, here's a statement we put out on the issue (Read here for more). In brief, individuals in India were found to have been targeted using spyware supplied by an Israeli cyber-intelligence firm. The spyware was installed through a missed call on WhatsApp, after which an attacker would gain complete access to a smartphone.
Specific asks of the Committee
Our representation covered the lack of legality, the violation of privacy and the unavailability of remedy, as we did with the Committee on Home Affairs. However, the most significant of the asks we made of the Committee lies in the request that the victims of the hacking be given the stage to provide testimonials before the Committees. A number of these individuals have even put out a statement asking the Government to reveal information on the issue (Read here for more) and have even expressed willingness to depose before the Committee (Read here for more). It is important that these first-hand human experiences be provided to fully demonstrate the patently criminal surveillance they have been subjected to.
In light of all of this, here's an interesting titbit: Israeli law requires that an export permit be granted for the sale of this software (there's a whole licensing process), so the software supplied by the NSO Group is regulated under this. So, we thought it was important for the Committee to consider inviting the Israeli government to appear before them to shed some light. Further, in Facebook's civil complaint in the California Court, an annexure of a contract between the NSO Group and Ghana indicates that the 'System Provider', which is the NSO Group, shall receive a certificate which would also contain the identity of the 'end user'. This would be particularly interesting information to happen upon in order to establish identity in the attacks in India.
Looking at the bigger picture, we did touch upon broader concerns of India's cyber-security with these suggestions for consideration.
- Need for updation: India’s National Cybersecurity Policy has not seen any amendments since 2013 and while the new National Cybersecurity Coordinator has indicated that his office is seeking to ensure India has a new Cybersecurity Strategy in 2020, Parliament must act to ensure that this is openly consulted on, drawing on inputs from security researchers and other Indians who can provide their expertise to ensure a stronger National Cybersecurity Strategy that has widespread public support and awareness.
- Lack of guidance: The time for a permanent advisory body is now more than ever. There is a need for continuous counsel on matters of advancing technology, and we have encouraged the Committee to ask the Government how it can form a standing Digital Security Advisory body with stakeholders beyond civil servants, particularly as existing statutory bodies such as the Cyber Regulation Advisory Committee - mandated by the Information Technology Act - appear to be dormant.
While the heat of these events begins to fade, we hope that the Committee considers our suggestions to ensure it is made fully aware of the incident and its hit to India's cybersecurity.
- Representation to the Parliamentary Standing Committee on Information Technology dated 20.11.2019 [link]
- Statement on the Pegasus Spyware hack [link]