‘If You Believe Your Phone’s Not Been Hacked, You’re Living In A Fool’s Paradise’

India’s political firmament has been rocked by alleged use of military-grade private Israeli ­spyware Pegasus to target smartphones of top politicians, journalists and activists. The last time such large-scale ­surveillance was exposed was in 2010 when the National Technical Research Organisation was accused of using off-the-air GSM monitoring machines. Gopal Krishna Pillai, then Union home secretary, tells Bhavna Vij-Aurora that hacking and ­surveillance, both official and non-official, are widespread and rampant. Excerpts:

What do you think is the extent of Pegasus surveillance?

The timing seems motivated to suit the Parliament session, but it’s not just India. It is dealing with 40 other countries where larger violations have taken place. India has 300 cases, while Mexico has some 15,000 cases as per the report. That aside, we don’t have a data privacy law to protect citizens. Hacking and surveillance, both official and non-official, are widespread. Businesses do surveillance. If you believe your phone has not been hacked, you are living in a fool’s paradise. You have to assume that your phone is hacked or your mails are being read by people at various levels because access is available through a variety of sources and technologies, both ­private and government.

The Israeli company, the NSO Group, says it leases Pegasus only to governments to track terrorists and criminals.

It is not clear where the list of names came from. Anybody can put out any list on a ­website as some document and somebody can say it’s a list of phones being tapped or hacked. Both private parties and ­governments can play mischief; Amnesty International can play mischief. So can Greenpeace. Even ­authorised phone-tapping need not be done only through service ­providers like Jio or Airtel. The government can do it using the software of Pegasus or any of the hundreds of ­agencies peddling their wares like Cambridge Analytica. Everybody is doing it—the ­governments of the US, Britain, China, Russia. President Obama was tapping Angela Merkel’s phone and she was upset when that came out. With technology improving so much, they will do it in some way. Till somebody leaks out something.

ALSO READ: Politicians, Journalists, Activists…Pegasus Spares None, Hears Them All

What is the process of authorised phone surveillance?

In the central government, only the home secretary can authorise phone-­tapping. The requests come from 10 ­authorised agencies. Permission is granted after looking at the ­reasons for the request, and it is valid for 60 days. An oversight ­committee comprising the cabinet secretary and the law secretary scrutinises the permission. After 60 days, the req­uest may come back for renewal. This one is more stringent and is granted in cases involving criminals, terrorists or money launderers. Unauthorised tapping has no ­evidentiary value as the transcript of any ­conversation put in a chargesheet needs to be backed by the home secretary’s order. During my time as home secretary (2009-11), there were about 4,000 cases of phone surveillance.

ALSO READ: Opinion: As Pegasus Flies In, It’s Time To Rethink Our Cyber Laws

How does one understand the Pegasus project?

I don’t understand why the government ­cannot say we have seen this report and are probing whether anybody in India other than us is doing it in an unauthorised manner. If the government is doing it without proper ­authorisation, then there will be no trace as the software will get outsourced to somebody else, who’ll do the hacking. The ­deniability is always there.

ALSO READ: More Questions Than Answers In Pegasus Whodunnit

If any government agency is using Pegasus, and targeting any phones, then it has to be done with the home secretary’s authorisation. Suppose a request for tapping Rahul Gandhi’s phone is put up, in normal cases the home secretary is unlikely to clear it. And we don’t allow any journalist’s phones to be tapped ­unless there is very specific evidence. At least in my two years I don’t remember even a single request to tap a mediaperson’s phone. But then there are many other ways to do it. That is where the data privacy law is so ­important. If I know, I can file a case and have an independent regulator examine if someone else is doing it privately.