India’s First Metadata Case and Pegasus - Part 2 | Gopal Krishna

[Part 1 of the below article ’India’s First Metadata case: Supreme Court’s Constitution Bench to decide illegitimacy of Aadhaar Act amid Great Data Robbery | Gopal Krishna’ appeared in the Mainstream, VOL 61 No 45 November 4, 2023]

India’s First Metadata Case and Pegasus - Part 2

“For the first time he perceived that if you want to keep a secret you must also hide it from yourself” with the government spying on its people, Winston struggles to conceal old feelings from Big Brother. –-p. 162, part 3, chapter 4, 1984, George Orwell, quoted at p.1 of the verdict in Writ Petition (Criminal) No. 314 of 2021 on Pegasus by 3-Judge Bench of Chief Justice of India N.V. Ramana, Justices Surya Kant and Hima Kohli on October 27, 2021

“George Orwell created a fictional State in ‘Nineteen Eighty-Four.’ Today, it can be a reality. The technological development today can enable not only the state, but also big corporations and private entities to be the ‘big brother’.” —p.12 of Justice S.K. Kaul’s concurring verdict as part of 9-Judge Constitution Bench (part of 547 page long verdict) in Fundamental Right to Privacy/Aadhaar case, Writ Petition (Civil) No. 494 of 2012

The court’s consent for the use of operational control with the most invasive technical means, similar to Pegasus software, should be granted by a three-judge panel, with special oversight over the acquired, obtained, or edited data. In the Commission’s opinion, consent to use such operational control against individuals holding high public office (enumerated in the law, e.g., politicians, parliamentarians, government members, the Commissioner for Human Rights, judges of the Constitutional Tribunal and the Supreme Court) should be granted by the Supreme Court, in a designated, unchanging (specialized) three-judge panel. The proposed training for judges and prosecutors should cover the importance of obtaining metadata for the activities of special services.” —p.32 of the 35 page long Report of the Extraordinary Commission to clarify cases of illegal surveillance, their impact on the electoral process in the Republic of Poland, and the reform of special services

Unlike Indian Parliament, the legislature of the Republic of Poland, by resolution of January 12, 2022 established an "Extraordinary Commission to clarify cases of illegal surveillance, their impact on the electoral process in the Republic of Poland, and the reform of special services" to probe "how the spyware Pegasus was used in Poland". Indian public institutions including the Supreme Court are yet to conclusively ascertain how spyware Pegasus is being used in India. The findings of Poland’s Extraordinary Commission has relevance for India’s first metadata case. Notably, in both the cases pertaining to Pegasus and Aadhaar Act in the Supreme Court, the focal ministry in India is Ministry of Electronics and Information Technology (MEITY). The Information and Technology Act, 2000 and the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and duties) Rules, 2013 have been cited in both the cases.

In its report, the Extraordinary Commission highlights the need to abandon projects that involve creating specialized departments and courts to avoid pressures or other types of actions, such as selecting available individuals through the use of an overt, duty-based system for assigning judges who rule on applications for operational control.

It is noteworthy that under Section 33F of the Aadhaar Act no civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an Adjudicating Officer, someone who is not below the rank of a Joint Secretary to the Government of India or the Telecom Disputes Settlement and Appellate Tribunal created under the Telecom Regulatory Authority of India Act, 1997 which is empowered by the Aadhaar Act to determine, and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act. It is apparent that contrary to recommendations of the Poland’s Extraordinary Commission, the Aadhaar Act creates specialized departments and courts to avoid pressures or other types of actions, such as selecting available individuals through the use of an overt, duty-based system for assigning judges who rule on applications for operational control.

Significantly, the West Bengal government had established the Justice Madan Lokur and Justice Bhattacharya Commission to inquire into the Pegasus surveillance of prominent figures in India on July 26, 2021, under Section 3 (1) and (2) of the Commission of Inquiry Act 1952. The Commission must give a report to the West Bengal government on its findings within six months or more. The Pegasus Inquiry Commission had issued a public notice asking for information from the public. According to the public announcement, the West Bengal government established the Pegasus Inquiry Commission Several English and regional language media published the public notice con August 3, 2021 seeking submissions by September 2, 2021. The Inquiry Commission had several terms of reference. These were to enquire into:

i) any incidences of reported interception have occurred;
ii) the state and non-state actors who were involved in such reported interception;
iii) the mechanism and/or spyware and/or malware that were being used to effectuate such reported interception;
iv) whether any software such as Pegasus of NSO Group Technologies located at Herzliya, Israel, and/or any spyware and/or malware of any other organisation had been in use and/or currently being used to conduct such reported interception;
v) the events leading to the occurrence of the incidences of interception, and the information that has been collected, altered, stored, or used and the possession, storage, and further collection and use, of such information pertaining to such interception in the hands of state actors and non-state actors;
vi) the circumstances including provocations, instigation from any persons/group of persons, if any, leading to the reported interception;
vii) the details of the victims and/or persons affected;
viii) the role of other authorities and/or State and/or non- State actors in such interception; and
ix) if state/ non-state actors can carry out interception without any legal/ statutory backing or any judicial oversight, and if such interception infringes the right to privacy of the affected individuals.

But the West Bengal Inquiry Commission could not conclude its work because on 17 December 2021, the Commission was "ordered to be impleaded as a respondent” in the Pegasus case in the Supreme Court and "all the proceedings pending before the Commission” were stayed, just ahead of the due date for submission of its report. This Inquiry Commission was to submit its report in six months. It worked from July 26, 2021 till December 17, 2021. The answers to the questions raised in the terms of reference of the Justice Lokur Commission will be found when the stay on its work is vacated but the questions themselves reveal the character of the State which allows itself to be overwhelmed by commercial czars.

While hearing over a dozen petitions including ones from the States of West Bengal and Kerala, Supreme Court constituted a Technical Committee headed by Justice R.V. Raveendran, former Judge, Supreme Court to be assisted by Alok Joshi, former Chairman, National Technical Research Organisation (NTRO), Sundeep Oberoi, from the Advisory Board of Cyber Security Education and Research Centre at Indraprastha Institute of Information Technology, Delhi. The three members Technical Committee comprised of Naveen Kumar Chaudhary, Professor (Cyber Security and Digital Forensics) and Dean, NationalForensic Sciences University, Gandhinagar, Gujarat, Prabaharan P., Professor (School of Engineering), Amrita Vishwa Vidyapeetham, Amritapuri, Kerala and Ashwin Anil Gumaste, Institute Chair Associate Professor (Computer Science and Engineering), Indian Institute of Technology, Bombay. Virender Kumar Bansal, Officer on Special Duty/Registrar, Supreme Court of India, was directed to coordinate between the Committee, the learned overseeing Judge and the Central/State Governments. After retirement in October 2011, Justice Raveendran has been engaged in Arbitration & Mediation. He was given SKOCH India Law Award in May 2022.

The terms of reference of the Supreme Court’s Committee was to enquire, investigate and determine:

i. Whether the Pegasus suite of spyware was used on phones or other devices of the citizens of India to access stored data, eavesdrop on conversations, intercept information and/or for any other purposes not explicitly stated herein?
ii. The details of the victims and/or persons affected by such a spyware attack.
iii. What steps/actions have been taken by the Union of India after reports were published in the year 2019 about hacking of WhatsApp accounts of Indian citizens, using the Pegasus suite of spyware.
iv. Whether any Pegasus suite of spyware was acquired by the Union of India, or any State Government, or any central or state agency for use against the citizens of India
v. If any governmental agency has used the Pegasus suite of spyware on the citizens of this country, under what law, rule, guideline, protocol or lawful procedure was
such deployment made
vi. If any domestic entity/person has used the spyware on the citizens of this country, then is such a use authorised and to make recommendations:
i. Regarding enactment or amendment to existing law and procedures surrounding surveillance and for securing improved right to privacy.
ii. Regarding enhancing and improving the cyber security of the nation and its assets.
iii. To ensure prevention of invasion of citizens’ right to privacy, otherwise than in accordance with law, by State and/or non-State entities through such spywares.
iv. Regarding the establishment of a mechanism for citizens to raise grievances on suspicion of illegal surveillance of their devices.
v. Regarding the setting up of a well-equipped independent premier agency to investigate cyber security vulnerabilities, for threat assessment relating to cyberattacks and to investigate instances of cyber attacks in the country.
vi. Regarding any ad hoc arrangement that may be made by this Court as an interim measure for the protection of citizen’s rights, pending filling up of lacunae by the Parliament.

Justice R.V. Raveendran headed Committee submitted an Interim Report. Upon its request for extension of time for submission of the final report, its time was extended till June 20, 2022 by the Court by its order dated May 20, 2022. The Court’s order of August 25, 2022 records that “the Technical Committee and the Overseeing Judge have submitted their Reports in sealed covers. The same are taken on record. The sealed covers were opened in the Court and we read out some portions of the said Reports. Thereafter, the Reports were re-sealed and kept in the safe custody of the Secretary General of this Court, who shall make it available as and when required by the Court.” The oral proceedings of the Court revealed that the committee examined 29 phones and found that five phones were affected by some malware. It did not get required cooperation from the government. Justice Raveendran Committee report and the redacted report of the technical committee has not been published on Court’s website despite Chief Justice Ramana’s oral observation to this effect.

At the time of the submission of the reports, Sanjeev Sudhakar Kalgaonkar was the Supreme Court Secretary General of the Supreme Court. He was selected as the Secretary General of the Supreme Court through an interview conducted by then Chief Justice Ranjan Gogoi. He served for a period of three years from November 2018 to November 2021 and was reappointed to the post in November, 2022. He was appointed as a judge of the Madhya Pradesh High Court in April 2023. In August 2022, the Pegasus matter was directed to be listed after four weeks for further hearing but it is yet to happen although more than one year has passed since the submission of the reports on Pegasus matter. The three part Pegasus Reports are in the safe custody of Atul Madhukar Kurhekar, the current Secretary General of the Supreme Court of India. Prior to this he was the Registrar (Legal and Research), Bombay High Court and Member (Processes), e-Committee, Supreme Court of India since July 2020.

The three reports of the Court appointed Committee on the Pegasus surveillance of prominent figures in India has been made confidential despite Court’s observation seeking its publication, but the 35 page long report of Poland’s Extraordinary Commission for Clarifying Cases of Illegal Surveillance, Their Impact on the Electoral Process in the Republic of Poland, and Reforms of Special Services has been published after its adoption on September 6, 2023. The Commission was formed with the support of 52 legislators in the face of opposition from 45 legislators. It examined how the spyware Pegasus was used. The Senate of the Republic of Poland assigned the Commission the tasks of clarification of disclosed cases of illegal surveillance using, among other things, spyware software like Pegasus, and violations of the law during the use of operational control by special services. evaluation of the impact of disclosed cases of illegal surveillance on the electoral process, development, submission, and participation in the Senate’s consideration of legislative initiatives reforming the activities of special services. The Commission was established to clarify cases of surveillance of public figures. These cases were reported by both domestic and international media.

The reports of Supreme Court’s Committee on Pegasus surveillance is in darkness but the relevant questions which have far reaching implications for the existence of India as a democratic country have seen the light of the day.

Like Indian Supreme Court’s Committee, the Polish Commission examined what is Pegasus spyware and how does it work. But unlike it it has made its report public. The term "Pegasus" refers to spyware software that can be installed on electronic devices using iOS and Android operating systems. Pegasus is produced by the Israeli company NSO Group Technologies Ltd. Installing Pegasus software on a device is done remotely, without the user’s knowledge, and it grants the infecting/surveillance entity unlimited access to the device. It allows, among other things: access to email and SMS messages and internet messengers, tracking the device’s location (GPS), access to device settings, stored files, and browsing history, internet, saved contacts, social networks, browsing calendar entries, access to the device’s camera and gallery, phone calls, and applications installed on the device. Simultaneously, the software allows for installing its own files on the device, modifying existing files, adjusting the device’s technical settings (including network access), making phone calls, sending messages, taking photos, videos, and screenshots, recording audio, as well as retrieving files from the device, including deleted ones. The infecting entity thus has the capability for virtually unlimited interference with the device and the data stored on it, far exceeding the lawful user’s capabilities, who can only perform operations permitted by the operating system and the accompanying software. Infecting a device with Pegasus provides the infecting entity with near-total control over the device, with the ability to actively control the device and modify its stored content.

It emerged from the probe that Pegasus is treated not as an operational tool (for collecting data on crimes) but as a weapon (a tool for influencing the behavior of other individuals). Pegasus software is a versatile spyware tool. It can "turn your phone into a sort of bug" or steal authentication data or tokens used through the phone to access online accounts." The Polish Commission has established and confirmed that the purchase of Pegasus software was illegal and contrary to the law. Its illegitimacy and legality is in question in India as well.

It also emerged that officials who made decisions about the purchase and then the use of Pegasus must have been aware of the mechanism of operation of this tool, including the very high probability of foreign intelligence services gaining access to the acquired data. Therefore, the acquisition and use of this system can be classified as ’acting on behalf of foreign intelligence’. The conclusion regarding the state of affairs in India in this regard is likely to be the same.

The Polish Commission has recommended enactment of a comprehensive law regarding the principles of conducting operational and intelligence activities (similar to the law on direct coercive measures) and to precisely define the technical means of operational control that each service can use. The most advanced means (software like Pegasus) should be reserved exclusively for special services, with the possibility of their use by police services only in cases of combating the most serious and specifically enumerated crimes. Preventing their use against minor or easily detectable and provable offenders is necessary. To increase the legal security of citizens, the Commission deems it appropriate to tighten criminal liability for officials authorized to conduct operational and intelligence activities and those with access to acquired information. This would limit the temptation to use available technical means for political or even personal purposes (e.g., surveillance of political opponents or life partners). It is necessary to create a precise conceptual framework in the legal system, taking into account technological advancements.

Notably, similar recommendations are part of the Intelligence Services (Powers and Regulation) Bill has been introduced in the Indian Parliament on three occasions in 2011, 2019 and 2021 aimed at regulating the function of the intelligence agencies which are operating without an appropriate statutory basis delineating their functioning and operations. Among other things, this tends to compromise operational efficiency and weakens the professional fabric of these agencies. It also results in intelligence officers not having due protection when performing their duties. The assessments and gathering of information by intelligence agencies are catalysts for law enforcement units to act, necessitating that these be reliable, accurate and in accordance with law. But this kind of efficiency has been hindered by obscured responsibilities that have plagued the functioning of the agencies. In compliance with Supreme Court’s verdict on fundamental right to privacy in the Aadhaar case and in the Peoples Union of Civil Liberties v. Union of India, there is a compelling need for proper legal framework to regulate surveillance using different technologies. The Bill seeks to enact a legislation to provide a legislative and regulatory framework for the Intelligence Bureau (IB), the Research and Analysis Wing (RAW) and the National Technical Research Organisation (NTRO). It provides for a designated Authority regarding authorization procedure and system of warrants for operations by these agencies. It proposes a National Intelligence Tribunal for the investigation of complaints against these agencies, a National Intelligence and Security Oversight Committee for an effective oversight mechanism of these agencies; and an Intelligence Ombudsman for efficient functioning of the agencies. The Bill was introduced by Manish Tewari, a legislator from the Indian National Congress both as a ruling part member and an opposition party member.

It is noteworthy that as a legislator Dr. Shashi Tharoor, former Chairman of the Parliamentary Standing Committee on External Affairs and on Informational Technology had asked India’s Ministry of Home Affairs a parliamentary question regarding extension of parliamentary scrutiny over intelligence agencies of the country such as NATGRID, Intelligence Bureau (IB), Research and Analysis Wing (RAW), and the Unique Identification Authority of India (UIDAI), which controls the UID/Aadhaar Number database and the related metadata. The ministry replied that the matter is sub-judice at present and the NATGRID and Unique Identification Authority of India (UIDAI) have not been declared as Intelligence Agencies, as yet. The legal declaration of an entity as an intelligence agency does not prevent it to function as an intelligence. This is demonstrated by the functioning of these agencies in India.

The associations of companies like Federation of Indian Commerce and Industry (FICCI) and Associated Chambers of Commerce and Industry (ASSOCHAM) have already underlined the link between NATGRID and UIDAI’s Aadhaar data grid.

The 121-page 2009 report of the Task Force on National Security and Terrorism constituted by the undeclared undemocratic political party of pre-independence times - FICCI, argues for a secure e-network for connecting all district headquarters and police stations NATGRID under National Counter Terrorism Agency. It observes, "As Nandan Nilekani goes into operationalising the UIDAI, there is a case for factoring inclusion data, as part of the national grid to assist in counter terrorism." This is not the first time that NATGRID and UID link is underlined.

Another joint report of the ASSOCHAM, an undeclared political party of companies and KPMG, Swiss Consultancy titled "Homeland Security in India, 2010" had revealed this link as well. ASSOCHAM’s joint report of June 2011 with Aviotech, an initiative of the promoters of the Deccan Chronicle Group titled "Homeland Security Assessment India: Expansion and Growth" refers to the "The requirement in Biometrics for all the subsequent programs under the National Census will become significant." This shows where the NPR program which is linked to UID/Aadhaar National Population Register (NPR) is headed. NPR is implemented by Regisrar General of India. Census Commissioner happens to be ex-officio Registrar General of India.

Notably, Capt Raghu Raman who is currently working with Adani Group as a Leadership Consultant used be the Chief Executive Officer (CEO) of Home Ministry’s NATGRID. His tenure as CEO of NATGRID ended on May 31, 2014. Prior to this, he was a CEO of a multinational security company, Mahindra Special Security Services Group, a subsidiary of the Mahindra Group. Raman was head of Subgroup on Industry Guidelines and Member, National Task Force on Internal Security, the Confederation of Indian Industry (CII).

Coincidentally, Neelkanth Mishra, the current Chairperson of UIDAI is a member of the CII’s Economic Affairs Council who has worked at Infosys, the company of the founder chairman of UIDAI. Mishra is the Chief Economist of Axis Bank and its whole time director. UIDAI had filed a police complaint on 15 February, 2017 against Axis Bank Ltd alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics.

In another coincidence, Nilesh Shah, a member of UIDAI Member is the Managing Director of Kotak Mahindra Asset Management Company Limited, a wholly owned subsidiary of Kotak Mahindra bank Limited has been named as member of UIDAI. Kotak Mahindra Bank launched 20th ’Aadhaar on Wheels’ Van in partnership with UIDAI. Mahindra Satyam, formerly Satyam Computer Services Limited merged with Tech Mahindra. France’s $13.5 billion Safran Group’s subsidiary Morpho had bagged a contract along with Mahindra Satyam from UIDAI. Rafale, the French medium multi role combat aircraft (MMRCA), which was selected by India for a $18 billion deal is related to UID/Aadhaar number database project. Rafale is manufactured primarily by a consortium of three French companies, Dassault, Snecma and Thales. Snecma which manufactures Rafale’s engine is a Safran group company. The French government has 30.2% stake in Safran. Safran bought L 1 Identities Soultion, a US company which had signed an Mou with UIDAI as part of Aadhaar database project. Safarn has signed a 30 year contract agreement with China. A joint venture of French group Safran and USA’s General Electric Company had won a multi billion-dollar deal to supply engines for China’s future C919 plane. In yet another coincidence, France is part of the World Bank’s eTransform Initiative launched along with L1 Identities Solution, IBM, Gemalto, Pfizer, Intel, Microsoft and South Korea since April 2010. The Aadhaar Number database projects is being bulldozed as part of World Bank’s eTransform Initiative.

The findings about surveillance using “versatile spyware tool” Pegasus and electronic-biometric identifiers like unique identification (UID)/Aadhaar numbers raises legitimate concern about the rule of law not only in Poland but also in India due to emergence of an unlimited government-beyond the limits of a democratic constitution and the principles of constitutionalism.

In this backdrop, it is germane to recollect that Indian parliament was not allowed to examine the extent of Pegasus surveillance in India on the ground that Court is examining it. In the aftermath of Bhopal disaster too Justice N K Singh judicial inquiry commission was constituted for probe. The central and state legislature was not allowed to examine the cause and accountability of the disaster on the ground that the inquiry commission was already examining it. Subsequently, the inquiry commission was not allowed to complete its inquiry and it was wound up mid-way.

Given the fact that Justice Raveendran Committee’s reports are inconclusive and secret, there is a logical compulsion for the Supreme Court to vacate its stay on the proceedings of the West Bengal Inquiry Commission on the Pegasus surveillance of prominent figures in India for it complete its report which was almost ready. If it is not allowed to complete its inquiry, the announcement of judicial inquiry commissions will not inspire even an iota of confidence because their role is being de-legitimised and discredited. In any case as long as long as the report of the Supreme Court’s Justice Raveendran headed Committee on Pegasus is not published, it is only as important as Justice Lokur headed West Bengal Inquiry Commission. The citizens, legislators, political parties, media and academia have the freedom to read the terms of reference of the Committee and the Commission and draw their own inferences.

The characteristics of Pegasus spyware which can be installed on electronic devices revealed by the Parliamentary Commission of Poland shows its similarity with UID/Aadhaar number, the identifier. The latter too is operating like Pegasus by providing the controller of Central Identities Data Repository (CIDR) with near-total control over the data of Indians and their devices. This is happening in total disregard of Supreme Court’s operational verdict of September 2018 which states that no aspect of Aadhaar’s metadata cannot be stored for eternity and prohibited storage of such data by government and private authorities.

In the absence of the training of the judges and legislators in the face of the fast pace of technological developments, national asset like nation’s metadata and CIDR of present and future Indians is flowing towards foreign state and non-state actors. It is evident from the handling of the Pegasus case that judges seem enveloped in false technological consciousness, cognitive dissonance and ill-equipped to safeguard supreme national data interest. There has been an instance where a government official overwhelmed almost all of them as part of a 5-judge bench by a mere power point presentation. It is not surprising that their judgement has been found to be questionable by a subsequent 5-judge bench. Like discredited eugenics and biometrics, “jurimetrics” too can be overwhelming. The vendors and purveyors of big data technologies are paving a way for extracting judgments as prediction products. The findings of the Polish Commission provides insights for the 7-judge bench which is all set to adjudicate on India’s first metadata case. It is not a coincidence that the Pegasus case, the fundamental right to privacy case and the Aadhaar metadata case refer to the architecture for pervasive surveillance like an Orwellian State where every move of the citizen is constantly tracked and recorded by the State.

(Author: Gopal Krishna is a lawyer and a researcher of philosophy and law. His current work is focused on philosophy of digital totalitarianism. He had appeared before the Parliamentary Committee that examined the National Identification Authority of India Bill, 2010 that was withdrawn in 2016 and enacted later as Aadhaar Act 2016))