Introduction
The Pegasus spyware controversy of 2021 exposed, with unusual clarity, the structural inadequacies of India’s surveillance oversight framework. When the Forbidden Stories consortium and Amnesty International’s Security Lab published analysis of a leaked list of over 50,000 phone numbers, revealing that Indian journalists, opposition politicians, lawyers, constitutional functionaries, and activists appeared among potential Pegasus surveillance targets, the revelation raised fundamental questions: who in the Indian government authorised this surveillance, under what legal authority, and through what oversight mechanism?
The Indian government declined to confirm or deny the use of Pegasus, citing national security. The Supreme Court appointed a technical committee to investigate; that committee’s report, submitted in August 2022 and partially disclosed in October 2023, found that it could not conclusively determine whether Pegasus had been deployed by the government because no cooperation was received from the Union of India. The result was the worst possible outcome for public trust: not a confirmation of lawful surveillance with demonstrated oversight, nor a clear denial with credible evidence, but an opaque non-answer that left the legal questions entirely unresolved.
This article examines the legal framework governing interception and surveillance in India, the structural deficiencies that the Pegasus controversy exposed, the minimal safeguards provided by the current framework, the comparative insufficiency of Indian oversight against the standards developed by the European Court of Human Rights, and the specific reforms that would bring India’s surveillance governance into alignment with constitutional principles.
Legal Framework
India’s surveillance law is divided between two principal statutes: the Indian Telegraph Act, 1885 and the Information Technology Act, 2000. Their combined coverage reflects the historical accident of two legislative regimes governing different communication technologies, only partially integrated since the IT Act’s enactment.
Section 5(2) of the Telegraph Act authorises the government to take possession of any telegraph established, maintained, or worked by any person licensed under the Act, and to intercept messages passing by those telegraphs, in the interests of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order, or preventing incitement to commission of an offence. The procedural requirement is an order by the Secretary to the Government of India in the Ministry of Home Affairs (for central agencies) or the Secretary to the State Government in charge of the Home Department (for state agencies).
Section 69 of the IT Act provides a broader authority specifically applicable to digital communications, authorising interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource in the interests of the sovereignty and integrity of India, defence, security, friendly relations with foreign states, public order, or preventing incitement to commission of a cognizable offence. The authority to issue interception orders under Section 69 rests at the same level as under the Telegraph Act: the Secretary of the Home Ministry at the central level.
The procedural rules under these provisions, the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, establish a review mechanism. A Review Committee, chaired by the Cabinet Secretary at the central level and the Chief Secretary at the state level, is required to meet every two months to review all interception orders. The Review Committee can revoke orders it finds to have been issued without sufficient cause, but there is no public reporting, no parliamentary scrutiny, and no independent judicial involvement at any stage.
The absence of judicial pre-authorisation is the defining structural feature of India’s surveillance framework. An executive officer can authorise surveillance against any individual for any of the broadly stated grounds, without any judicial review before the surveillance begins. This contrasts fundamentally with the position in the United States (where court warrants are required for most surveillance under the Fourth Amendment, and the Foreign Intelligence Surveillance Court provides specialised judicial oversight for national security interception), the United Kingdom (where the Investigatory Powers Act 2016 requires Judicial Commissioners to double-lock certain interception warrants), and European Convention member states (where the ECHR requires that surveillance be “in accordance with law” with adequate safeguards against abuse).
Judicial Developments
The People’s Union for Civil Liberties v. Union of India (1996) remains the foundational Supreme Court decision on surveillance. The Court held that the right to privacy includes the right to hold a telephone conversation without interception, and that interception orders must be issued by authorities of the rank specified, must be limited in duration (60 days, renewable), must be reviewed by a Review Committee, and must satisfy the necessity requirement. The Court specifically held that the intercept order must record the reasons for which it is issued, and that this record must be available to the Review Committee.
In practice, these guidelines, repeatedly affirmed by the Supreme Court and embedded in the 2009 Rules, have been honoured largely in form rather than in substance. The Review Committee operates without independent legal representation for the individuals under surveillance, without public reporting of its outcomes, and without any mechanism for individuals to know they have been or are under surveillance and to challenge it. The protections are entirely ex ante from the perspective of the subject: they have no right to know about the surveillance, no right to contest it before or during its operation, and no effective remedy after the fact.
The Pegasus litigation reached the Supreme Court as Manohar Lal Sharma v. Union of India (Writ Petition (Crl.) No. 314 of 2021). The petitioners included journalists, the editor of The Wire, and opposition politicians who believed their phones had been infected with Pegasus. The Supreme Court, in an October 2021 order, expressed dissatisfaction with the government’s response to the allegations and constituted a Technical Committee of three cybersecurity experts under the supervision of a Retired Justice to investigate. The Committee examined 29 phones submitted by petitioners but could not conclusively identify Pegasus malware on them, partly because the malware is designed to self-delete. The Committee noted that the government provided no information or cooperation.
In its final judgment in October 2023, the Supreme Court declined to make a definitive finding on whether Pegasus had been deployed but expressed concern about the absence of an adequate legal framework for surveillance oversight, directing the government to frame a policy on surveillance within the existing legal framework. The government’s response to this direction remained minimal as of early 2026.
Contemporary Issues and Analysis
The Pegasus spyware represents a qualitative escalation in surveillance technology beyond what the drafters of the Telegraph Act or even the IT Act envisioned. Traditional wiretapping intercepts communications in transit; Pegasus infects the device itself, enabling the operator to read all stored and incoming communications, activate the microphone and camera remotely, track geographic location, and access encrypted messaging applications by reading the messages before they are encrypted (on-device) or after they are decrypted. No communication on the device is secure against Pegasus infection: end-to-end encryption, the privacy technology relied upon by millions of users of WhatsApp, Signal, and similar applications, provides no protection against an adversary with device-level access.
India’s legal framework for interception does not address spyware at all. The Telegraph Act and the IT Act contemplate interception of communications at the network level: obtaining the content of messages as they pass through communication infrastructure. Device-level intrusion through commercial spyware deployed against a specific individual’s device is not addressed by any Indian statute. This creates a troubling legal gap: if the government or any actor deploys Pegasus-like spyware against an Indian citizen, there is no specific statutory provision authorising such deployment (beyond the broad and contested Section 69 authority), no procedural safeguard governing its use, and no specific remedy for the affected individual.
The situation is compounded by the commercial nature of surveillance spyware. NSO Group, the Israeli company that developed Pegasus, sells only to government customers, pursuant to Israeli government export controls. This means that any Pegasus infection of an Indian individual was necessarily the result of a government decision, either by the Indian government or by another government operating against Indian targets on Indian territory. The refusal of the Indian government to cooperate with the Supreme Court’s Technical Committee investigation effectively foreclosed judicial determination of which of these scenarios applied.
The Pegasus controversy connects to a broader global concern about the surveillance-for-hire industry. Besides Pegasus, commercial spyware products including Predator (developed by Intellexa), FinFisher (now defunct), and several others have been identified as tools of government surveillance against civil society. India has signed no international instruments specifically restricting the use of commercial spyware, and the domestic legal framework imposes no specific controls on government acquisition or use of such tools.
The absence of any form of parliamentary oversight of surveillance is a significant constitutional concern. In the United Kingdom, the Intelligence and Security Committee of Parliament receives classified briefings on surveillance activity and can conduct investigations. In the United States, the Intelligence Committees of the Senate and House of Representatives exercise statutory oversight of the intelligence community, including surveillance programs. In India, no parliamentary committee has jurisdiction over surveillance activities of the intelligence agencies, which function without statutory charters and outside the framework of parliamentary oversight available for most other government functions.
Comparative and International Perspective
The European Court of Human Rights has developed substantial jurisprudence on surveillance and Article 8 (right to private life) of the European Convention on Human Rights. The Klass v. Germany (1978) decision established that surveillance must be in accordance with law, pursue a legitimate aim, and be necessary in a democratic society. The Court identified minimum safeguards required by law: the nature of the offences which may give rise to an interception order, a definition of the categories of people liable to have their communications intercepted, a limit on the duration of interception, the procedure for examining, using, and storing the data obtained, the precautions to be taken when communicating the data to other parties, and the circumstances in which recordings may or must be erased.
In the aftermath of the Snowden revelations, the ECHR strengthened these standards in Szabo and Vissy v. Hungary (2016) and Centrum for Rattvisa v. Sweden (2021), holding that bulk surveillance programs must incorporate robust independent oversight, effective remedies for affected individuals, and strict necessity and proportionality controls. The Court has specifically held that executive review committees without genuine independence from the surveillance-authorising authority do not satisfy Article 8’s requirements.
India’s PUCL (1996) guidelines, while analogous in aspiration to the Klass framework, lack several of the Klass safeguards: there is no independent judicial review, no effective remedy for surveilled individuals, no parliamentary oversight, and no transparency reporting. The Supreme Court’s repeated affirmation of the PUCL guidelines without enforcing their effective implementation has produced a framework whose formal requirements coexist with substantial non-compliance.
The United Kingdom’s Investigatory Powers Act 2016, while itself criticised by civil liberties groups, represents a more structured approach: it distinguishes between different types of warrant (targeted interception, targeted examination, bulk interception, equipment interference), requires different levels of authorisation for each, and introduces Judicial Commissioners who must approve certain warrants before they are acted upon. Equipment interference warrants, which cover device-level access comparable to spyware deployment, require both executive authorisation and Judicial Commissioner approval.
Practical and Policy Implications
For journalists, lawyers, civil society organisations, and opposition politicians in India, the Pegasus controversy has had a demonstrable chilling effect. The knowledge that communication devices can be compromised without any prior judicial authorisation and without any subsequent notification has led many individuals in these communities to change their communication practices, use air-gapped devices for sensitive communications, and limit the digital information they handle. These adaptations represent a functional constraint on press freedom, legal privilege, and political opposition that the law should prevent.
For technology companies, the spyware question intersects with their obligations to protect user data and communicate vulnerabilities. Apple notified several Indian users in late 2023 of “state-sponsored attackers” potentially targeting their iPhones, triggering a political controversy. Technology companies’ willingness to notify users of potential government surveillance, and the government’s pressure on them not to do so, represents a frontier conflict between corporate duties to users and state claims of security prerogative.
Suggestions and Reforms
The most fundamental reform required is judicial pre-authorisation for surveillance. Interception orders and device-level intrusion warrants should require prior approval from a Surveillance Judge (a designated serving judge of the relevant High Court) except in genuine emergencies where post-hoc judicial ratification within 48 hours should be mandatory. This reform would align India with the international standard articulated in Klass and its successors.
Parliamentary oversight should be institutionalised through a dedicated Joint Parliamentary Committee on Intelligence and Surveillance with classified access to surveillance activity reports, the authority to investigate specific programs or incidents, and a public reporting obligation (without classified details).
A Surveillance Transparency Report should be mandated by statute, requiring the central and state governments to publish annually: the number of interception orders issued under the Telegraph Act and IT Act, the number of individuals subject to interception, the number of orders renewed, the number rejected by the Review Committee, and the categories of offences or grounds for which orders were issued. Aggregated statistical disclosure without identifying information is compatible with security interests and would provide meaningful public accountability.
Commercial spyware acquisition by the government should be regulated through a specific statutory framework that requires parliamentary committee notification of any contract for surveillance technology exceeding a defined value, an independent privacy impact assessment before deployment, and an annual report on the use of such technology to the Review Committee and the parliamentary oversight committee.
Conclusion
The Pegasus controversy did not resolve in the manner that constitutional principles demanded: a clear finding on whether the government violated the law, followed by accountability or exoneration. Instead, it revealed a legal framework so opaque, an oversight mechanism so captured by the executive, and a judicial investigation so hampered by government non-cooperation that accountability was simply unavailable. This outcome is a systemic failure, not an anomaly.
India’s surveillance framework, designed in the 19th century for telegraphy and imperfectly updated for the internet age, is fundamentally inadequate for the surveillance threats of the 2020s. Commercial spyware that operates at the device level, bypassing all encryption and communication security, requires a legal framework that did not exist when the IT Act was enacted. Building that framework requires legislative ambition, judicial courage, and executive willingness to accept oversight constraints that limit surveillance power. The constitutional commitment to privacy articulated in Puttaswamy demands nothing less.