Snoopgate: Govt in a bind as WhatsApp contradicts its version

After the storm, now comes the blame-game.

As the WhatsApp snooping scandal triggered widespread outrage, evoking fears of a dystopian world of unlawful surveillance, the NDA government appears to be caught in a bind. The Facebook-owned messaging company has contradicted the government’s version and asserted that it had notified the “relevant government authorities” about a privacy breach on its platform in May this year. It also said that it had reached out to the targeted users to alert them about the attempted snooping.

WhatsApp’s statement came a day after IT and Telecom Minister Ravi Shankar Prasad’s assertion that the government had sought an explanation from the company about the “kind of breach and what it is doing” to safeguard the privacy of millions of Indian citizens.

Also read | WhatsApp Snoopgate: The Orwellian world is here and now

Clearly, the government and WhatsApp are not on the same page as far as the sequence of events surrounding the snooping are concerned. This has created confusion over the protocols that were followed by them when a privacy breach of such a serious nature was noticed by the company.

“Our highest priority is the privacy and security of WhatsApp users. In May, we quickly resolved a security issue and notified relevant Indian and international government authorities. We agree with the Government of India that it is critical that together we do all we can to protect users from hackers attempting to weaken security,” a WhatsApp spokesperson told some select media outlets.

‘Pure technical jargon’

On its part, the government maintained that the notification given by WhatsApp in May was “too technical a jargon”. The Indian Express quoted official sources as saying that the messaging platform did not reveal that “privacy of Indian users had been compromised”. The information shared, the source said, was “only about a technical vulnerability but nothing on the fact that privacy of Indian users had been compromised”.

WhatsApp had reportedly sent information to the Indian Computer Emergency Response Team (CERT-IN) which was in “pure technical jargon” and contained no “mention of Pegasus (the spyware) or the extent of the breach”, the news agency ANI has reported.

A report in The Hindu, quoting a government official, also spoke about the shared information being only about a “technical vulnerability” but nothing on the fact that privacy of Indian users had been compromised.

Also read | India seeks explanation from WhatsApp over snooping row

It has now emerged that several opposition leaders, journalists, social activists, lawyers and human rights leaders were snooped upon through the spyware, Pegasus, developed by Israeli cyber intelligence firm NSO Group. Pegasus was used to target the mobile phones of about 1,400 WhatsApp users globally during a two-week period in April-May this year.

Following a communication from WhatsApp, CERT-IN had posted a vulnerability note in May but did not mention any security breaches.

There is also an argument that WhatsApp authorities were unwilling to share the whole information pertaining to the snooping because they were already under pressure from several countries, including India, United States, Britain and Australia, to be more accountable on the issue of traceability. For WhatsApp, its end-to-end encryption technology is non-negotiable and it holds key to its business growth.

Also read | First mail, then WhatsApp: How a ‘story’ captivated imaginations for a decade

During the meetings that Ravi Shankar Prasad had with WhatsApp’s Chief Executive Officer Chris Daniels in July and with Nick Clegg, vice-president for global affairs and communications at Facebook, in September, the issue of security breaches did not come up for discussion.

The Indian Express has quoted an unnamed official as having said that the messenger company’s unwillingness to be transparent about security matters maybe considered when the government has to approve WhatsApp payment services in India.

“WhatsApp was legally bound to disclose any cyber incident to the Indian Computer Emergency Response Team (CERT-In), and “this conduct raises questions” about their security at a time when the platform is facing regulatory clearance hurdles to bring WhatsApp Pay to India,” the official was quoted as having said.

Also read | What is WhatsApp spyware & why you should update the app

“The government is disturbed by the coincidence that WhatsApp is under global pressure for traceability and this legal case with the NSO Group (in a US federal court) is filed at the same time,” the official said.

In late September, almost four months after it first informed government agencies about the vulnerability in its service, WhatsApp informed authorities in writing that 121 Indian individuals were compromised by the NSO ‘spyware’, sources quoted by the daily said.

Earlier, Ravi Shankar Prasad had said that the government was concerned about the breach, and that state agencies have a well-established protocol for interception for clearly stated reasons in national interest.

Israel denies role

Meanwhile, the Israeli government has denied any involvement in the cyber- hack by surveillance firm NSO Group.

“NSO is a private player using capabilities that Israelis have. Thousands of people are in the cyber field, but there is no Israeli government involvement here. Everyone understands that this is not about the state of Israel,” Israeli security cabinet minister Elkin told 102.FM Tel Aviv Radio. If anyone had done anything “forbidden”, they could expect to find themselves in court, he said.

The NSO Group, which built and sold a hacking platform that exploited a flaw in WhatsApp-owned servers, is being accused of helping government spies break into the phones in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials.

Amnesty sues Israel

In May this year, Amnesty International and New York University (NYU) had sued the Israeli Ministry of Defence (MOD) to get NSO Group’s export licence revoked.

The law suit was filed on May 14 in the District Court of Tel Avi and was accompanied by Amnesty’s affidavit signed by Danna Ingleton, the Deputy Director of Amnesty Tech. The case will be heard on November 7.

The legal action was supported by Amnesty as part of a joint project with New York University (NYU) School of Law’s Bernstein Institute for Human Rights and Global Justice Clinic, which seeks justice for human rights defenders targeted with malicious software.

Also read | WhatsApp confirms spyware attack, urges users to install latest version

“NSO Group claims it helps governments fight terrorism and crime, but has not credibly addressed mounting evidence linking the Pegasus spyware platform to attacks on human rights defenders. Although the company says it undertakes a rigorous review before sales of its products, it has failed to disclose its due diligence process except for veiled references to the existence of an ethics committee. It remains unclear what factors are taken into consideration before the company sells an inherently invasive product like Pegasus,” Amnesty said in its affidavit.

“Allowing NSO Group to continue selling the Pegasus spyware platform threatens the rights to privacy and to freedom of opinion and expression, in reach of Israel’s obligations under international human rights law,” Amnesty said.

In response to Amnesty’s queries last year, the Israeli company said: “NSO Group develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company. If an allegation arises concerning a violation of our contract or inappropriate use of our technology, as Amnesty has offered, we investigate the issue and take appropriate action based on those findings.”

How does Pegasus work?

In its lawsuit, WhatsApp gave a detailed insight into how NSO had allegedly seeded the Pegasus spyware in the target devices. The lawsuit claims that the defendants set up various computer infrastructure, including WhatsApp accounts and remote servers” and then “used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices”.

It then “caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the “remote servers”)”.

Also read | If Centre hired Israeli agencies to snoop, it’s gross violation of rights: Priyanka

The lawsuit claimed that between January 2018 and May 2019, NSO created WhatsApp accounts “using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands”. They also “leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices”.

NSO Group “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected — to Target Devices over WhatsApp servers”.

Congress ups the ante

Meanwhile, the Congress on Saturday (November 2) upped the ante against the NDA government on public surveillance through WhatsApp and sought to know which department purchased the Israeli software and who gave it permission to spy on journalists and activists.

“Israeli NSO sold spyware Pegasus only to governments. Before WhatsApp answers, our government must tell us: Which wing of government purchased Pegasus, at what price, who handled its operations, who gave instructions for snooping and which other platforms are compromised,” senior Congress leader Kapil Sibal tweeted.