In the first part of a series analysing the legal questions surrounding the Pegasus Project revelations,NIPUN SAXENAexamines Pegasus developer NSO Group’s contractual policy regarding the spyware to uncover some complex constitutional questions, and asks: can the right to carry out surveillance, which is otherwise permissible in only exceptional circumstances, the sovereign right of the State and permissible only in exceptional circumstances, be contractually performed by a private foreign entity?
GREEK mythologies have an unusual flair for being strikingly prescient. The story of the mythical omnipotent winged horse Pegasus is no exception.
According to Greek myths, Pegasus was in service of Zeus, albeit briefly. Bellerophon, an ambitious man who would harness the powers of Pegasus through a bridle given to him by Athena herself, turned too ambitious for his own good and attempted to ascend to the heavens on the horseback of Pegasus. This greatly angered Zeus, which led to Bellerophon being unsaddled and suffer a fateful fall from the sky, permanently maiming him.
This mythical story came true almost a millennia after the modern-day Pegasus has been the cause of a possible unsaddling of various countries, which at various points of times tried to harness the technology employed by the namesake spyware to snoop on potential threats to the sovereignty of their regime.
Pegasus has courted its own fair share of controversies, the most recent of which is popularly referred to as the Pegasus Project: an international media consortium that launched a collaborative investigation into spying on thousands of individuals across the world being done through the spyware developed and sold by Israeli technology firm NSO Group.
The Pegasus Project identified that a leaked database of about 50,000 individuals, which included about 300 Indians, reveal that Pegasus was used to infiltrate these phone numbers, many of which belonged to prominent journalists, human rights defenders, civil society members, and lawyers worldwide.
Forbidden Stories, a Paris-based media house reported yesterday that they had accessed the database and revealed that at least 180 journalists from all over the world were being spied by their Governments using the Pegasus software. Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).have been reported to have employed the services of Pegasus for carrying out surveillance.
International human rights NGO Amnesty International’s Security Lab maintains that the level of infiltration by Pegasus is highly sophisticated but fatally intrusive. The contents of the phone along with the microphone, audio, video interface, camera and all of the date across different applications can be accessed by the snooping tool. Amnesty International also claims that the spyware has the capability to operate and remotely access the microphone and camera of the phone.
Dissection of Pegasus Policy and Contractual Excerpts
Interestingly, NSO Group, in the ‘Governance’ section of their official website, has remarked that the company licenses its products only to Government intelligence and law enforcement agencies for the sole purpose of preventing terror and serious crime.
NSO Group, in its first Transparency and Responsibility Report of 2021, released on June 30, 2021, has revealed that the NSO Group only licenses the software to sovereign nations and their agencies, and claims that it does not operate Pegasus. It is interesting to note that the licenses to Nation States are distributed under the supervision of the Defence Export Controls Agency (DECA) of the Israeli Ministry of Defence which carries out a further assessment on the viability of a potential candidate.
Furthermore, the company has claimed that it does not store data that is collected through the use of Pegasus, nor does it have any visibility on the activities of its customers. The company also maintains that the functionality of Pegasus is only limited to tracing and carrying surveillance on specific individuals through their phone numbers and therefore in many ways, the Pegasus follows the traditional wire-tapping model.
What makes Pegasus highly effective is its ability to infiltrate various applications without breaching their encryption algorithms which are employed by social media messaging applications, which makes it possible for it to trace and hunt down individuals who have gone in “dark mode”. Since the company only issues the license, the prerogative to choose the person who is a proposed subject of snooping solely and exclusively vests in the Government. In fact, it claims no liability whatsoever on being cognizant of any actionable information which has lead to a particular subject being identified as a “potential terror risk”.
The company also maintains that it takes effective steps to curb misuse of its product by limiting the number of instances in which it can be used, which also reduces the risk of mass surveillance. However, it has flagged as a potential risk of its product Pegasus in the following words:
The potential misuse of our products against people and groups that act to promote or protect human rights in a peaceful manner (“human rights defenders”). These include (i) journalists; (ii) members of civil society organizations; (iii) lawyers; and (iv) political parties, candidates and supporters.
It will also not be out of place to mention that the terms and conditions of the use of the software Pegasus is merely contractual, and while the consequences of breach may have a permanent devastating effect on human rights, the redressal under any municipal contractual remedy that may be available to the NSO Group against the erring nation state would only be discontinuance, black listing or liquidated damages.
Another glaring incongruity that stems from the apparent conflict in the Pegasus policy is a pre-condition for the client government to make a request along with evidence calling upon the need to carry out surveillance on a specific person. This is a contractual condition between the State/customer and NSO Group:
“2. To the extent not otherwise set forth by law, End-User shall formulate and strictly abide by a surveillance procedure or protocol for use of the System. Such procedure shall follow the details setout in the training materials provided to the End User and shall include, at minimum, the provisions regarding the following:
Legitimate surveillance request supported by evidence; Suspected crimes; Surveillance duration and renewals; Retention period; Approval to be granted in writing by a duly authorized independent oversight authority in accordance with local laws.” [emphasis added]
What remains unanswered is an apparent conflict: while on one hand, the company maintains that it has nothing whatsoever to do with who is the subject of surveillance, how is the person identified, what material was relied upon before ear-marking a specific individual, and most importantly whether it was an act which was duly authorized in accordance with local laws, it nonetheless makes it mandatory for the client State to produce surveillance request supported by evidence.
If that be the case, for the claim of “targeted surveillance” to succeed, it would have to be established that the government had actionable and credible information supported by evidence against all those who have been named. It would also have to be assessed that such credible evidence against the individuals named was in relation to the prevention of commission of a crime or a terror-related offence. The company would also have to answer to the charge whether the actionable information along with the surveillance request supported by evidence that formed the basis of such request for surveillance was, in fact, independently assessed and verified by the company, which thereafter proceeded to allow such request.
The question has critical constitutional underpinnings as well. If NSO Group is not merely a platform that provides a product license, but also independently assesses the material on the basis of which the client government submits its surveillance request, and on the basis of its independent subjective opinion proceeds to grant such a request for surveillance against a specific individual, then it would mean that the mighty State is carrying out a ‘co-surveillance activity’ with a foreign corporate entity which continues to wield control on who should under surveillance.
This has all the recipes for a constitutional catastrophe and goes against the very objective of preserving the sovereignty of a nation, the fundamental premise on the basis of which the surveillance is sought to be carried out.
Judicial Response to instances of infiltration using Pegasus in various countries
Article 17 of the International Covenant on Civil and Political Rights, which is worded in a similar fashion as Article 12 of the United Nations Declaration on Human Rights, clearly entails that a person cannot be subjected to “arbitrary interference” with the privacy, family, or home, or other correspondence. This principle is also couched in similar terms in Article 8 of the Charter of the European Commission of Human Rights.
In its landmark judgment in the case of Big Brother Watch vs. United Kingdom (2018), the European Court of Human Rights (ECHR), in the context of surveillance, stated that in reference to emerging sophisticated technologies of surveillance, it is essential to have clear, detailed rules on secret surveillance measures, especially as the technology available for use is continually becoming more sophisticated. The domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measure.
These ingredients culled out by the ECHR have developed over a long-standing line of judicial decisions. If the same is true, then was it not important for all the countries availing the services of Pegasus to, under a mandatory international obligation, lay down rules and conditions under which such surveillance was to be carried out in coordination with Pegasus, assuming that Pegasus exercises a greater degree of control and oversight into individual requests of surveillance, as is revealed from its own contractual terms?
There have been previous instances where Amnesty International has locked horns with the NSO Group. In 2020, Amnesty International filed a suit against NSO before the District Court at Tel Aviv praying for revocation of the security export license by the Israeli Defence Ministry to export Pegasus to other countries. It was alleged in the suit that an employee of Amnesty International was being spied upon via Pegasus.
The suit, filed with the support of the Global Justice Clinic, was dismissed on July 13, 2020, by the Tel Aviv District Court holding that adequate compliances were in place and there was no material on record to establish that NSO was in fact engaged to carry out surveillance. The court further held that Amnesty International has failed “to prove the claim that an attempt was made to track a human rights activist by trying to hack his cell phone” or that it was hacked by NSO using Pegasus.
In a second and a rather serious legal battle before the US District Court for the Northern District of California, a motion was brought out by Whatsapp and Facebook against NSO for infiltrating into their encryption systems meant to safeguard the privacy of its customers, by using Pegasus. The suit asserted that spyware developed by NSO Group had been used to infect 1,400 mobile devices between April and May 2019, enabling the surveillance of the communications of a targeted group of WhatsApp users. It was specifically averred by Whatsapp that the technology employed by Pegasus circumvented its end-to-end encryption in order to gain remote access and control of information, including calls, messages, and locations, on users’ mobile devices.
Amnesty International, along with seven other human rights and press freedom groups, had filed an amicus brief supporting the lawsuit.
NSO made a motion for rejecting the suit, contending that since its customers were sovereign states, the District Court of California had no jurisdiction to try the suit on account of a statutory bar under the Foreign Sovereign Immunities Act (“a foreign state shall be immune from the jurisdiction of the courts of the United States and of the States”, subject to exceptions).
The court, through its order dated July 16, 2020, rejected NSO’s submission that it had a limited role in the surveillance of the plaintiff’s users. Rather, the court held that NSO Group “retained some role” in the operation of its Pegasus spyware, “even if it was at the direction of their customers.” This clearly demonstrates that on a prima facie examination, the court was convinced that NSO Group did not merely act as a seller of its software, but in fact retained some degree of control over the mode and manner of such surveillance.
On the second ground of challenge, the court held that merely because Pegasus had sovereign States as customers did not necessarily mean that it could claim sovereign immunity. NSO neither had the status-based immunity nor conduct-based immunity to fall within the ambit of the Foreign Sovereign Immunities Act.
The Court further rejected the NSO Group’s argument that it merely provided “technical support” to its clients. The court held that NSO retained a role in the conduct of the intentional act, even if it was at the “direction of their government customers.”
A new question of significant public interest has now emerged, which was hitherto presumed to be within the sole and exclusive domain of the Sovereign. Can the right to carry out surveillance, which is otherwise permissible in only exceptional circumstances, and is the sovereign right of the State, be contractually performed by a private actor, a body corporate registered in a foreign territory?
This question and its answers in the Indian context shall be examined in the next part.
[Nipun Saxena is an advocate at the Supreme Court of India. The views expressed are personal.]