By Mishi Choudhary & Eben Moglen
India is witnessing a massive cyberattack against civilians. The civilians whose lives have been attacked include prominent rights advocates, politicians and journalists. It is, in short, a cyberattack upon individuals who incarnate democracy and the rule of law. Three points are salient: we are given to believe that this cyberattack comes from our own executive government; the tools used are part of an international trade in cyberweapons that governments including ours permit, encourage and fund; and, most importantly, under Indian law all of this is perfectly legal. As citizens, we are responsible for understanding and acting on these realities. If we fail to safeguard our future by legislating now, we will be responsible for losing our democracy.
Mobile phone operating software is far from satisfactorily secure. The hardware we carry around and are proud of is dangerously capable of being used to spy on us. It contains microphones, cameras and sensors more various and densely packed, gram for gram, than the most sophisticated spy satellites in orbit. So if our software is compromised, our smartphones turn into the most dangerous digital weapons possible. Now the same weapons that nations might use to spy on one another’s military, diplomatic and political officials are turned against civil society, judicial and legal advocacy organisations. Their independent digital defence capabilities are effectively nil: they depend on what the phone manufacturers, platform companies and app programmers do. They buy and use the products, and if those products are defective their individual lives and those of their families are at risk. Because they are the working fabric of democracy and the rule of law, our free society can be decapitated by whoever controls the software.
That has happened in India right now because a private cyberarms manufacturer in Israel, called NSO, sells a weapon to governments that compromises smartphones.
Taking advantage of a fault in the WhatsApp smartphone apps distributed by Facebook, NSO made it possible for buyers of its weapon to take over any phone completely—just by sending a single message or call to any chosen recipient, no matter what the recipient did with that message.
This is a fatal technical product defect that Facebook imposed on its users. In India, we have become overnight massively dependent on WhatsApp. That endangered society as a whole—not just all prominent individuals. It is right for Facebook to do both some explaining about precisely what went wrong and some significant apologising. But instead it has sued NSO, trying to shift all responsibility to the weapons manufacturer and away from itself. It will fix the problem that was exploited, and declare itself outraged and innocent. The law will not interfere with that charade of immunity.
This particular weapons manufacturer may shut down. But the international trade in cyberweapons will not be interrupted or inconvenienced. The people of the world want technology that increases their safety and protects their privacy. Governments want to have access to anyone’s mind and behaviour in real time, and to use big data tools to scrutinise and predict any segment of society, large or small, they choose. Platform companies want to collect all the information about everybody, by offering them “free” basic services like email and social sharing in return for comprehensively collecting all their behaviour using the spy-satellite capabilities of their smartphones. They will use this behavioural data about everybody to make unimaginable amounts of money by selling advertising.
Cyberweapons manufacturers can create software that will allow government to have what it wants and keep people from even knowing that what they want has been destroyed. The platform companies just have to keep making money by collecting everything and not preventing governments from using cyberweapons to destroy freedom.
In self-defence, democracies have to use the rule of law to break up this system. But our law contains no protections whatever against what is happening. The government is not legally prevented from using cyberweapons against civilians in this manner. The law governing surveillance as laid down in the Indian Telegraph Act, Information Technology Act, Rules framed under these Acts, Code of Criminal Procedure 1973 and service licences granted by the Department of Telecommunications to communications service providers—including but not limited to the Unified Access Service Licence, Internet Service Licence and Unified Licence all make it legally possible for the government to carry out surveillance.
There are no means of determining the extent and rigour with which these laws are observed in practice, since all of India’s communications surveillance is conducted within an extremely closed environment with no transparency or independent oversight. The concerned enabling Acts and Rules always stipulate the observance of strict confidentiality in the surveillance process, thereby significantly limiting the amount of information on surveillance practices that is available to the general public. Government authorities routinely assure citizens that surveillance is conducted only in accordance with law, yet this claim is questionable. That is why it does not matter what political party is in power.
On the contrary, instead of using Rule of Law to prevent the use of such cyberweapons, government of India continues to pressure Facebook to undermine the strong end-to-end encryption in WhatsApp that interferes with their broader ambitions to listen to everything, everywhere, all the time. They still have to target individual smartphones to gain complete access to all the calls and messages. But if governments could attack all WhatsApp messages and all other communications simultaneously by breaking encryption, big data despotism could attack people’s freedom wholesale. That way North Korean totalitarianism could be scaled up to work in China. Or India.
We are the democracy most vulnerable to this form of government war on freedom, and we are legally undefended. We need legislation immediately recognising the constitutional situation and providing for the defence of our freedom at each step in the cycle of cyberwarfare being waged against it.
The constitutional principle is that the government is responsible for protecting us against spying on the people, wholesale or retail, by outsiders, and must subject its own domestic digital surveillance to the Rule of Law. The first part means that we need laws against the cyberweapons trade and product liability law.
Such laws should ensure that platform companies pay for their negligence in pursuing their own business when they allow cyberattacks on their customers because of design and construction defects in their products. The second part means that we need legislation requiring the government to justify its use of public money to purchase cyberweapons that will be used against citizens. Such legislations should subject all such uses to judicial oversight to verify the legitimate national security interests involved.
We also need to harden our societal defence against such attacks. We must legislate to regulate behaviour collection by the platform companies and telcos. We need laws protecting individuals against market practices that over-collect behaviour data and over-empower a few companies that concentrate such data on their platforms. This cannot be fixed by a simplified notice and consent or data protection; we need people protection laws.
Only such legal steps at all levels of the system that is failing us will ensure that the current controversy results in effective defence of freedom. No one should underestimate the seriousness of the threat to democracy or what is at stake.
Choudhary is a technology lawyer and managing partner at Mishi Choudhary & Associates; Moglen is professor of Law and Legal History at Columbia Law School, New York