Amnesty International and Citizen Lab have jointly published a report that nine Indian lawyers, activists, and journalists were targeted in 2019 in a coordinated malware campaign. The targets had been highly critical of police abuses.
The targeting in this campaign occurred between January and October 2019. Targets were sent emails disguised as important communications, such as official summonses, bearing links to malicious software disguised as important documents. If opened, targets’ computers would have been infected with NetWire, a piece of commodity malware.
Eight of the nine targets had worked on campaigns to free a group of jailed activists, popularly known as the Bhima Koregaon 11. The remaining target was involved in efforts to free a jailed academic.
Three of the individuals targeted in this incident were also targeted earlier in 2019 with NSO Group’s Pegasus spyware, as part of the NSO WhatsApp hack. This highlights a pattern of hacking attempts against Indian civil society, and signals troubling digital escalation of the growing attacks against the press and civil society.
In light of this campaign and the violations to legally enshrined human rights, the Citizen Lab and Amnesty International have made the following recommendations to Indian authorities:
- Conduct an independent, impartial, and transparent investigation into the unlawful targeted surveillance of the nine human rights defenders, including determining whether there are links between this spyware campaign and any specific government agencies
- Ensure that all surveillance meets the tests of legality, necessity, and proportionality as enshrined in international human rights standards and affirmed in the Supreme Court of India’s landmark judgement of KS Puttaswamy v. Union of India
- Ensure adequate and effective legal remedies are available for people to challenge violations of their human rights linked to surveillance
- Review Section 69 of the Information Technology Act and the 2018 order of the Ministry of Home Affairs that allows government agencies to intercept, monitor, and decrypt information without any judicial oversight and other procedural safeguards
- Implement domestic legislation that imposes limits on digital surveillance, ensuring that:
- Surveillance is governed by precise and publicly accessible laws
- Surveillance is only against specified persons, authorized by a competent, independent, and impartial judicial body with limitations on time, manner, place, and scope of surveillance
- Authorized digital surveillance is subject to detailed record keeping, in accordance with documented legal processes for a warrant, and targets are notified as soon as practicable without jeopardizing the purpose of surveillance
- Ensure that all digital surveillance is subject to public oversight mechanisms, including:
- Public notice and consultation for new surveillance purchases
- An approval process
- Regular public reporting
- Ensure that the Personal Data Protection Bill, 2019 is not enacted in its current form and is brought in line with international human rights standards