In 2019, widespread outrage erupted in India and other countries after WhatsApp confirmed that some of its users had been targeted with spyware. This breach affected a total of 121 users from India, including activists, scholars and journalists. The Pegasus spyware scandal in India has brought sharp focus to the vulnerabilities of citizens in an era where technology has become an integral part of every aspect of life. Pegasus’s zero-click capability makes it particularly dangerous as it can infiltrate devices without any action required from the user. Its ability to infiltrate devices without human intervention is typical of an increasing range of advanced cyber threats.

In addition to state-sponsored breaches, such as Pegasus, there are increasing rates of phishing attacks, mass data leaks, ransomware, and other cyber crimes nationwide. Such developments have raised a fundamental question about whether India’s legal structure can effectively handle such intrusions while protecting civil liberties, including privacy, free expression, and due process. This can only be answered by considering a case study about Pegasus, the current legal regime in India, the system’s shortcomings, potential methods of reform, and by learning from the experiences of global systems.

The Pegasus Controversy: A Case Study in Digital Espionage

Pegasus is a spyware designed by Israel’s NSO Group, and it is regarded as one of the most high-tech commercial spyware tools in existence. It can hack a smartphone without user intervention, allowing it to remotely access telephone calls, texts, encrypted messaging, emails, the camera, and the microphone. In 2021, the Pegasus Project, a cross-border investigation by journalists, published a leaked list of phone numbers, many of which belonged to Indian journalists, opposition politicians, activists, lawyers and even people associated with the judiciary. Forensic analyses confirmed that at least 10 mobile devices in India displayed signs of being targeted, with successful Pegasus infections on at least 7 of them. The disclosures raised concerns about the potential abuse of surveillance authority.

In October 2021, the Supreme Court of India responded by appointing an independent technical committee, overseen by a retired judge, to investigate allegations of Pegasus abuse. Civil liberties organisations have claimed that a lack of transparency betrays the trust and accountability of the people. Furthermore, unabated digital surveillance threatens to diminish the constitutional guarantees established in Justice K.S. Puttaswamy v. Union of India (2017), which recognised privacy as a fundamental right.

The Legal Landscape: India’s Cyber Security and Surveillance Framework

The surveillance apparatus in India relies on a complex network of regulations that are based on several statutes, many of which were drafted before the advent of the digital age. Currently, known as the Telecommunications Act, 2023, it repealed the Indian Telegraph Act, 1885, which had served as the legal basis for message interception under Section 5(2), citing reasons of national security, public order, or other public safety concerns.

The Supreme Court, in People’s Union of Civil Liberties v. Union of India (1997), also known as the wiretap case, highlighted that the original colonial-era drafting and broad interception powers could lead to the abuse of technical protections. The judgment is also critical, as it is where the Court held that the powers of law enforcement agencies (LEAs) to intercept telephonic communication must be informed by legally established procedures, since interception involves an incursion into the freedom of individuals to exercise rights granted under Articles 19 and 21 of the Constitution.

The Information Technology Act, 2000, is the primary legislation concerning digital communications. Section 69 authorises the government to intercept, monitor, or decrypt information on computers when deemed necessary for the purposes of national security or public order. According to the 2009 Interception Rules, written consent is needed; however, the executive branch primarily handles actual authorisation and review. Critics argue that this process lacks judicial oversight and independent scrutiny. Recent legislative efforts aim to update this framework. The Telecommunications Act, 2023, broadens government access to what it now calls telecommunication services, which now ambiguously include OTT platforms and grants the government the power to intercept on national security grounds with limited safeguards. The Digital Personal Data Protection Act, 2023, introduces consent-based processing and rules for cross-border data transfers, but also provides exemptions for certain states due to sovereignty and security reasons.

Challenges in the Current Framework

There are still serious challenges that have not been resolved despite some modernisation. The first one is the most basic; India’s fundamental interception capabilities revolve around a paradigm of landline telephone, not the advanced spyware that can control the device. Regulations such as the IT Act have undergone limited revisions to address zero-day clicks, long-distance machine investigation, and international cyber operations. Due to the lack of meaningful judicial or independent oversight and the concentration of discretion in the executive, international human rights groups have criticised India’s surveillance laws as providing “unchecked and vast powers of surveillance that are devoid of any meaningful safeguards, with no judicial authorisation or independent oversight.”

Platforms like WhatsApp, Apple, and Signal have contested government-interception demands, especially decryption/traceability mandates under the updated IT Rules, 2021, and new telecom laws, which threaten end-to-end encryption and user privacy. The executive’s control over the process of authorisation and review is another significant weakness, as ministries or security agencies take decisions without obligatory court intervention. There is little transparency: investigations into Pegasus, even by the Supreme Court, have yielded closed reports, leaving the public unaware of the extent, legal status, or frequency of such surveillance.

Litigation has been expensive and uncertainly effective in matters of remedying affected people, who have weak and ineffective remedies. Another issue is that the latest technologies, such as AI-facial recognition software, predictive policing tools, and mass metadata analysis, are being implemented by agencies without specific legal frameworks in place to mitigate the inherent abuse and bias of these technologies.

Comparative Jurisprudence: What India Can Learn from Others

The European Court of Human Rights has consistently held the view that laws concerning surveillance should be transparent, limited, and subject to essential, proportionate, and independent monitoring. In its 2022 report on Pegasus and other spyware, the Council of Europe recommends that states restrict the use of spyware to only those threats which are defined explicitly by the law, outlaw the direct or indirect acquisition of spyware, require independent pre-authorisation, constant supervision, as well as subsequent post-surveillance notification to individuals wherever possible. Judicial warrants are usually mandatory for interception in the EU, and oversight is the responsibility of special bodies that report to legislatures at regular intervals.

Although permitting general intelligence collection as put forth in acts like the Foreign Intelligence Surveillance Act of 1978 (FISA), the United States has added further checks and balances after NSA surveillance scandals that include the issuance of court orders by the Foreign Intelligence Surveillance Court (FISC) and the release of some communications reporting by service providers. India may prefer hybrid systems that include robust judicial pre-authorisation, independent review commissions, annual parliamentary reporting, and specified restrictions on usage.

Solutions

India ought to have a comprehensive, standalone surveillance law that will not only provide security but also recognise the rights of individuals, along with delivering on the fragmented structure currently in place. This kind of law should entail defining the grounds on which surveillance is allowed, the need for prior authorisation by a judge or independent body, and the application of proportionality and necessity tests. The oversight systems must provide an independent body, which may be accountable to Parliament, capable of auditing surveillance orders, conducting a classified review of the agencies’ activities, and publishing reports on these activities. Accountability would increase with victim notification, except in cases involving threats to national security or other sensitive matters.

Precisely, the spyware requires special rules, necessitating transparency in procurement rights and restricting its implementation to terrorism or severe organised crime scenarios, with an independent technical review of its application. Any privacy principles advocated in the DPDP Act should be incorporated into the practice of surveillance, which must be data-minimising, purpose-limiting, and securely deleted. To evaluate the impact on human rights, regulations should be established before the deployment of emerging technologies. Lastly, associating cyber resilience through enhanced phishing detection, creating awareness, and obliging government agencies to report their incidents would help consider broad-scale cyber security threats and targeted surveillance reform.

Conclusion

Therefore, Pegasus and other joint efforts by spyware have highlighted the shortcomings of India’s current cyber security and surveillance laws. Although recent regulations, such as the Telecommunications Act, 2023, and the DPDP Act, acknowledge the issue of digital privacy and security, these reforms fail to address the unregulated authority to intercept data or the lack of transparency in the institutional framework that enabled Pegasus.  With minimal legislative checks and balances, warrants, independent supervision, and accountability, the national security versus civil liberties paradigm will continue to be skewed in favour of national security. It is the right time for India to adopt a comprehensive surveillance law that not only addresses emerging challenges but also safeguards constitutional freedoms. Such a rights-sensitive legal framework is the only means to guarantee that the state guardianship obligation does not create an opportunity for interference.