Abstract
This paper argues that Pegasus-type zero-click, full-device spyware cannot be justified under India’s present interception framework and fails constitutional proportionality. We first distinguish endpoint device takeover from interception “in transit,” then map spyware capabilities (live mic/camera, keystrokes, file access) against Section 5(2), Indian Telegraph Act, 1885; Section 69 and Section 69B, Information Technology Act, 2000; and the 2009 interception/decryption rules. Using Articles 14, 19(1)(a) and 21 of the Constitution of India and the four-part test in Justice K.S. Puttaswamy (2017)—legality, legitimate aim, necessity/least-restrictive means, and safeguards—we show that executive-only authorization and departmental review are structurally inadequate for on-device surveillance. We integrate Section 17, Digital Personal Data Protection Act, 2023 to demonstrate how broad state exemptions erode foreseeability and accountability. We then specify evidentiary and procedural conditions: chain-of-custody and certificate requirements under Section 65B, Indian Evidence Act, 1872, and audio-video recording of seizure under Section 105, Bharatiya Nagarik Suraksha Sanhita, 2023. While noting that the Supreme Court’s R.V. Raveendran Committee reported no conclusive proof of government use, we argue that the constitutional questions remain live given credible threat notifications and the capability–law gap. The paper proposes a remedies kit: mandatory judicial warrants (or a “double-lock” with judicial commissioner review), strict minimization and retention limits, ex-post user notice when safe, independent audits and public reporting, an exclusionary rule for unlawfully obtained digital evidence, and calibrated constitutional tort damages.