Guardrails of Privacy  

Source: Indian Express

Synopsis: The allegations of targeted surveillance have a chilling effect on personal and civil liberties that are crucial for a democracy to function.

Introduction:
  • The recent allegations and reports by Arsenal Consulting and Amnesty International on targeted electronic surveillance of selected activists, politicians, journalists, businessmen, and even scientists are worrying.
  • The sophistication of the attacks engenders a sense of resigned helplessness.
How do the recent reports reveal the vulnerabilities?
  1. First, as per the Arsenal reports, in the Bhima Koregaon case there is clear evidence that the incriminating files were planted in the hard disks by unknown entities.
    • This was done even before the disks were seized.
    • The offending files were apparently injected by planting a Trojan called NetWire through some kind of phishing attack.
    • The presence of NetWire can apparently even be detected by some of the commonly available virus and malware scanners.
    • Given that such attacks are a reality today, governments and legal authorities need to ensure that digital evidence arising out of such forensic analysis is admissible in courts.
  2. Second, the Pegasus attacks described in the Amnesty International report are significantly more sophisticated.
    • They are “zero-click” attacks that do not even require a mistake by a victim to be successful.
    • It is difficult to detect attacks like Pegasus because they frequently change methods and signatures.
    • Pegasus was apparently also designed to self-destruct on detection attempts.
    • But according to the Amnesty report, it did not entirely succeed and left traces.
  3. Third, data protection law is not sufficient to help victims seek redressal and hold the perpetrators accountable, as suggested by Justice BN Srikrishna.
    • Stealth attacks are not only difficult to detect but are also difficult to prove and easy to deny, so ex-post redressal will always be uncertain.
Way forward:
  • Data protection law is still required.
    • A framework is essential for defining the contours of lawful surveillance and data processing.
  • Surveillance reforms and data protection standards are needed:
    • To analyze the proportionality of the surveillance requirements.
    • To address the operational aspects of the legal and technical standards necessary for an effective privacy protection architecture.
    • Clear standards for defining authorisation chains.
    • Maintaining tamper-proof logs, regulatory oversight, and audit.
    • Ensure ex-ante prevention rather than ex-post detection of violations.
  • Opposition from within the organisations as well as strong public outrage and disapproval can be effective deterrents for misadventures like Pegasus.

Neither law nor technology can be of much help. However, society has to repose faith in constitutional morality.

 
