In July this year, a large investigative project collaborated by journalists, agencies and researchers worldwide exposed how an Israeli company’s spyware was being used by governments to target and snoop on journalists, activists, politicians, and members of the judiciary. The initial list outed by The Wire had at least 300 such phones that were under surveillance. Created by the NSO group, and named ‘Pegasus’, the proprietary spyware is “is capable of remote zero-click surveillance of smartphones,” requires the Israeli government’s permission to be sold to its customers who can also only be governments. This also means the software is as good as an arms deal from the government.
While Typeright has already discussed in detail the issue surrounding the spyware, there have been some recent developments and responses.
An opinion piece from The Guardian puts focus on a group of academic researchers at the Munk School of Global Affairs and Public Policy at the University of Toronto, who run a project called the Citizen Lab, "an NSA for the civil society."
Maktoob, an online media based in Delhi had done an interview with Jaison Cooper, one of the human rights activists who were listed as being snooped using the spyware. Jaison, for one, says this was not unexpected from the government.
Now, almost half a year since the expose, there have been several investigations and responses by several governments. The Indian government had instantly denied all allegations, and claimed it was an agenda “to malign Indian democracy and its well-established institutions.” Even after disruptions in the houses of parliament and a supreme court ordered committee to look into it, the centre told the Rajya Sabha last week that it has no plans to ban the NSO group.
However, worldwide, other governments have taken this seriously.
The present government in Mexico seems to have been the most active. In November, there has been one arrest in connection to phone tapping and surveillance, and President Obrador had stated in July that the previous government had spent some $160 Million on the spyware. Mexico’s authoritarian past seems to correlate with the number of phone numbers from the country which had been found in the list.
In the US, after members of Congress demanded investigations and sanctions, this November, the Bureau of Industry and Security added the Israeli company NSO to Entity List for Malicious Cyber Activities, because it “developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.” Apple and WhatsApp (Meta) had also filed suits in US courts against the NSO group.
France also had ordered a series of investigations, later confirming the use of the spyware on its journalists. Ironically, the French government was in a process of signing a contract with the NSO group when revelations that the Prime Minister's phone was a potential target for the spyware had surfaced.
Digital Health: Privacy, and the fatality of lack of access
Twitter user and activist @jackerhack tweeted on Wednesday about receiving OTPs and vaccination certificates for other people in his number. Anivar Aravind (@anivar), digital activist and part of India's free software movement confirms that he has also been contacted regarding such issues many times over the past months.
Between May and August this year, the country held mass vaccination campaigns as it was reeling from one of the worst ever health crises in history. The second wave of the coronavirus pandemic had hit hard with severe shortages of oxygen supply, hospital beds and medical staff, resulting in the death of many. Several volunteers worked online, calling hospitals and suppliers, collating data on availability, and linking patients on SOS calls to these suppliers and vacant beds. Clearly, while there was criminal negligence in being underprepared, but at least more lives would have been saved with a better digital infrastructure.
And then, the digital divide literally meant life and death for many, as vaccines were only made available via the CoWIN portal. This instantly kept millions of citizens unable to book slots to get a dose of the vaccine, which might have been lifesaving.
Now, however, the government is claiming it has administered 100 crore doses of COVID-19 vaccines. This was also following large scale criticism by the public, civil society, and the supreme court.
Months later, on 27th September, the Prime Minister launched the Ayushman Bharat Digital Mission, to bring “revolutionary change in India’s health facilities.” With the Mission, the government has already created Unique Health IDs for every citizen- and many of these have already been done using the CoWIN portal, without consent from the users. The Mission comes from 2017 National Health policy which had planned to digitize india's healthcare system. It's blueprint says that "it seeks to build an ecosystem of integrated databases of patients, health records and hospitals." While the government claims the ADBM has "privacy by design", the reality was different during the vaccination drive. There are allegations that the vaccine drive was also a large scale data collection, with little to no informed consent from the citizen's end. It also hasn't been confirmed whether the Health ID is meant to be a confidential number, because such data is already being publicly demanded via vaccination certificates.
There has been concerns raised about how such large scale collection of data about people's health could be disastrous since the (also contentious) data protection bill is still being finalised in the parliament. The ABDM project is so far 'voluntary,' and without this legal basis for the ID, any data privacy compliance would be hard to enforce.
Anivar had also noted in his Facebook post and on Twitter how the Kerala government has already initiated such a scheme that mandated an Aadhar linked Health ID for online OP registrations. He alleges that the NHA is not a notified authority, nor does the Unique Health ID have any legal standing as of now.
With the advent of a new variant of the virus, there are fears of another looming health crisis. Volunteers from the second wave would confirm how a more systematic network, connectivity, and access might have connected more needy people to beds and oxygen and saved more lives. However, the push of a digital mission for the sake of harvesting personal data, without thought to either privacy or other infrastructure is contesteable.
In Other News
One of last week's most important news in human rights, was a ruling from Britain's High court on Friday, where the United States won their appeal asking for the extradition of Wikileaks founder Julian Assange.
In more news on surveillance, the Home ministry has answered questions on the validity of a national automated facial recognition system:
Sudha Bharadwaj, people’s lawyer and activist who was arrested over two years ago in connection to allegations of playing a role in the Bhima Koregaon incident, has been released on bail. She had recently spent her 60th birthday while still imprisoned.
In the light of the Pegasus expose, it needs to be remembered how she had mentioned that her digital data was not given any privacy, and how there have been reports of hackers planting files in the devices of the others accused in the same case.
Updates from DEF
DEF’s field assessment from Assam on "Advancing Digital, Financial Inclusion and Empowerment of the Farm Communities in Assam," which highlights the scope of digitisation in agriculture in the state.
Also from Assam, a DEF initiative on disability day saw hundreds of people being upskilled and equipped to become Soochnapreneurs.
Meta, in partnership with DEF hosted the third virtual roundtable discussion of #GraamShakti. Full updates from the conference can be found on DEF's twitter handle.
Till we meet next Monday, Ciao.