Pegasus has been developed by the Israeli firm NSO Group that was set up in 2010. The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link. Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

• Pegasus, in the very basic form, can infect devices that are connected to the internet. Some updated versions can also infect phones even without the victim clicking on any links or messages.
• Most spyware and stalkerware apps disguise themselves as anti-theft applications that can be used to track stolen or lost devices. 
• While viruses and malware can be detected by anti-virus software, spyware & stalkerware apps disguise themselves as useful and send out stolen data to central servers without the knowledge of users.
• The software can, based on instructions from a remote server, automatically turn on the camera and the microphone and look into chats, access the calendar and read SMS-es and emails.

• Upon installation, Pegasus contacts the attacker’s command and control (C&C) servers to receive and execute instructions and send back the target’s private data. This data can include passwords, contact lists, text messages, and live voice calls (even those via end-to-end-encrypted messaging apps).
• The attacker can control the phone’s camera and microphone, and use the GPS function to track a target.
• To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server.
• The spyware can evade forensic analysis and avoid detection by anti-virus software. Also, the attacker can remove and deactivate the spyware, when and if necessary.

• Researchers discovered the earliest version of Pegasus in 2016. This version infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
• In 2019, WhatsApp blamed the NSO Group for exploiting a vulnerability in its video-calling feature which secretly transmitted malicious code in an effort to infect the victim’s phone with spyware without the person even having to answer the call.
• In 2020, a report showed government operatives used Pegasus to hack phones of employees at Al Jazeera and Al Araby.

• Human Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm. Indian ministers, government officials and opposition leaders also figure in the list.
• In India, several opposition leaders including Rahul Gandhi were on the leaked potential targets’ list.
• Smartphones of Politicians, Journalists were hacked for gathering confidential information.
• This is the first time in the history of this country that all pillars of our democracy — judiciary, parliamentarians, media, executives and ministers — have been spied upon.
• The Indian government has denied any wrong doing or carrying out any unauthorized surveillance. However, the government has not confirmed or denied whether it has purchased or deployed Pegasus spyware.

• Section 92 of the Criminal Procedure Code (CrPC)
• Rule 419A of the Telegraph Rules, and
• The rules under Sections 69 and 69B of the IT Act

• In 2014, the Ministry of Home Affairs told Parliament that nine central agencies and the DGPs of all States and Delhi were empowered to conduct interception under the Indian Telegraph Act.
• In 2018, 9 central agencies and 1 State agency were authorised to conduct intercepts under Section 69 of the IT Act.
• The Intelligence Organisations Act, which restricts the civil liberties of intelligence agency employees, only lists four agencies. However, the RTI Act lists 22 agencies as “intelligence and security organisations established by the central government” that are exempt from the RTI Act.

• The K.S. Puttaswamy judgment, 2017, made it clear that any invasion of privacy could only be justified if it satisfied three tests:
  1. The restriction must be by law;
  2. It must be necessary (only if other means are not available) and proportionate (only as much as needed);
  3. It must promote a legitimate state interest (e.g., national security).

• The judgement held that privacy concerns in this day and age of technology can arise from both the state as well as non-state entities. As such, a claim of violation of privacy lies against both of them.
• The Court also held that informational privacy in the age of the internet is not an absolute right and when an individual exercises his right to control over his data, it may lead to the violation of his privacy to a considerable extent.
• It was also laid down that the ambit of Article 21 is ever-expanding due to the agreement over the years among the Supreme Court judges. A plethora of rights have been added to Article 21 as a result.
• The court stated that Right to Privacy is an inherent and integral part of Part III of the Constitution that guarantees fundamental rights. The conflict in this area mainly arises between an individual’s right to privacy and the legitimate aim of the government to implement its policies. Thus, we need to maintain a balance while doing the same.

• In 2010, then Vice-President called for a legislative basis for India’s agencies and the creation of a standing committee of Parliament on intelligence to ensure that they remain accountable and respectful of civil liberties.
• The Cabinet Secretary in a note on surveillance in 2011 held that the Central Board of Direct Taxes having interception powers was a continuing violation of a 1975 Supreme Court judgment on the Telegraph Act.
• In 2013, the Ministry of Defence-funded think-tank published a report which recommended that the intelligence agencies in India must be provided a legal framework for their existence and functioning; their functioning must be under Parliamentary oversight and scrutiny.
• In 2018, the Srikrishna Committee on data protection noted that post the K.S. Puttaswamy judgment, most of India’s intelligence agencies are “potentially unconstitutional”. This is because they are not constituted under a statute passed by Parliament — the National Investigation Agency being an exception.

• Scale of usage: The allegations here are not new. What is new is the scale of the targeting of innocent people that’s allegedly taking place. Nearly 200 reporters from 21 countries have their phone numbers on this list. 
• Attack on Dissidents: It reflects a disturbing trend with regard to the use of hacking software against dissidents and adversaries. In 2019 also, Pegasus software was used to hack into HR & Dalit activists.
• Violation of Fundamental Rights: The very existence of a surveillance system, whether under a provision of law or without it, impacts the right to privacy and the exercise of freedom of speech (Article 19) and personal liberty (A-21).
• Endangers Safety of journalists: In the absence of privacy, the safety of journalists, especially those whose work criticises the government, and the personal safety of their sources is jeopardised.
• Declining Press Freedom: World Press Freedom Index produced by Reporters Without Borders has ranked India 142 out of 180 countries in 2021 (India’s ranked 133 in 2016)
• Leads to Self-Censorship: The perceived danger, founded on reasonable suspicion that surveillance may happen, itself impacts their ability to express, receive and discuss such ideas.
• Dangers of Mass Surveillance: As spyware becomes more affordable and interception becomes more efficient, there will no longer be a need to target specific individuals. Everyone will be potentially subject to state-sponsored mass surveillance.
• Weak Legislative Protection: The proposed legislation related to the personal data protection of Indian citizens fails to consider surveillance while also providing wide exemptions to government authorities.

• • Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
  • National Cyber security Coordination Centre (NCCC): In 2017, the NCCC was developed to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.
  • Cyber Swachhta Kendra: In 2017, this platform was introduced for internet users to clean their computers and devices by wiping out viruses and malware.
  • Indian Cyber Crime Coordination Centre (I4C): I4C was recently inaugurated by the government.
    • National Cyber Crime Reporting Portal has also been launched pan India.
  • Computer Emergency Response Team - India (CERT-IN): It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
  • Legislation:
    • Information Technology Act, 2000.
    • Personal Data Protection Bill, 2019.

• • International Telecommunication Union (ITU): It is a specialized agency within the United Nations which plays a leading role in the standardization and development of telecommunications and cyber security issues.
  • Budapest Convention on Cybercrime: It is an international treaty that seeks to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1^st July 2004. India is not a signatory to this convention.