In July this year, fourteen news organisations, spread across the world, broke the story about the Pegasus scandal. Pegasus is the name of a surveillance software sold by a company called the NSO Group, based in Israel. The investigations essentially uncovered that the company had sold the software to numerous government clients across the world - clients who have been putting the tool to unethical and questionable use. Forbidden stories, an NGO for journalistic collaborations, was the first to access and identify a list of potential targets. The list is believed to have the phone numbers of those individuals chosen by clients of the Pegasus software. And, the fact that all these clients happen to be part of governments around the world raises urgent and critical questions with regards to data protection and privacy rights of all people.
About the scandal and the grim reality it points to, Arundhati Roy, the prominent Indian author, wrote: “This is no ordinary spying. Our most intimate selves are now exposed”. The way Pegasus works, it requires absolutely no action from the target to enable spying on their device. The software can spy on everything that is present on one’s device (including so-called encrypted messaging sent using WhatsApp and Signal), and all that is needed for it to be latched to one’s phone is a simple missed call. And unless forensic analysis of the phone is specifically carried out by experts, one can never know if they are being spied on. This essentially means that everyone with a smartphone, anywhere in the world, prominent or not, can be spied on at all times without their knowledge.
The NSO group defends itself by framing its services as means to help governments fight terrorism and bad actors. This is what it states as its motto on its website: “NSO creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
But the uncovering and news reports from the past couple of months paint a totally different picture - of worldwide abuse of this surveillance technology; by governments who seem to be employing it against dissenters. The organisations part of the Pegasus project (undertaking these journalistic investigations) have found that the list of targets include people who are far from terrorists. Rather, they are people the governments might want to keep an eye out for, for the benefit of its own interest and political gain.
Highlighting the magnitude of the problem, Edward Snowden, the famous NSA whistleblower, said this in a recent Guardian interview: “(The Pegasus operations are) a knowing, intentional, wilful attack on critical infrastructure that everyone is relying on; it doesn’t matter what flag you live under; it doesn’t matter what language you speak. We all have skin in this game.” This is crucial since not only does it describe the scale of the issue (which goes beyond national boundaries), but it also brings to fore the need for serious consideration of data privacy laws and regulations at the international level.
The countries that have been identified as having bought this software include Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India and United Arab Emirates. Some of these countries are not democracies (like Bahrain, Morocco and Saudi Arabia), and many others, even if technically democracies, do not have the best record with upholding democratic rights (including a country like India which lately is seen to have a diminishing space for any government criticism and legitimate dissent).
According to International Law (with regards to the regulations laid out by the Office of the United Nations High Commissioner for Human Rights), data privacy regulations are a concern that are to be largely addressed by states (that is, national governments). Hence, the power of individuals and companies within nations who breach privacy regulations can be questioned (of course, subject to the fact that nations actually have legal frameworks for data protection). But what does one do in this case, wherein the supposed breach is by governments and allied agents themselves? What do we do about companies that operate across nations? The Pegasus case therefore points to a gap wherein the technological infrastructure being used to undertake surveillance and spying is operating on a global scale, while regulation is still limited to national laws (that too at best).
The OHCHR’s report on ‘The right to privacy in the digital age’ (2018) states that “the technological platforms upon which global political, economic and social life are increasingly reliant are not only vulnerable to mass surveillance, they may actually facilitate it”. In the case of Pegasus though, the technological product has been created for the explicit purpose of such mass surveilling. It indicates the presence of a whole technological sector that does not just facilitate but also actively builds dangerous digital infrastructure. Hence, this is an even direct threat to people’s privacy.
The issue here is two-fold in the sense that governments making use of Pegasus and similar surveillance tools cannot easily be held accountable for their actions under national laws (and the situation changes from country to country, worsening in the case of non-democratic states). And companies like the NSO group that build these tools, since they serve the ones in power (and in governance) and possess global infrastructures, are also let off the hook despite being party to major breaches.
The Pegasus scandal is therefore a major warning sign for us when it comes to designing frameworks to safeguard digital rights - especially the right to privacy. We require a comprehensive framework, and that too at a global level now.
On an extra-national level, there are few organisations and frameworks that protect digital rights. And most of them (like the General Data Protection Regulation in the EU) are concentrated in richer, Western nations. We need to look into the disparity when it comes to digital rights across nations too and concentrate on regions with less democratic forms of governments.
While digital rights are not directly part of the sustainable development goals, they still matter. The impediments to the sustainable development goals as well as the solutions being designed to resolve these issues are increasingly reliant on digital infrastructures. Therefore, an attack on digital rights means these could also be compromised at any time. We have already seen several governments that have demonstrated gross inaction and/or even resistance to adopting climate friendly practices. So, the presence of tools like Pegasus just give more power to such governments that could use the tools against activists, social workers and environmentalists who are rallying for change.