Those targeted include journalists, lawyers, and Dalit and human rights activists.

The Centre has sought an explanation from messaging platform WhatsApp after the Facebook-owned company confirmed that some Indian users of its app came under surveillance using an Israeli spyware. Most targeted in India were journalists, Dalit and human rights activists and lawyers.

WhatsApp filed a complaint in a U.S. court earlier this week attributing the intrusion to NSO Group, an Israeli technology firm, which claims on its website that its products are used “exclusively” by government intelligence and law enforcement agencies “to fight crime and terror.” A WhatsApp spokesperson confirmed to The Hindu that Indian users were among those impacted by the spyware and contacted by the company this week to assist them.

Privacy safeguards

On Thursday, Information Technology Minister Ravi Shankar Prasad said the government has asked WhatsAapp to “explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.”

He said government agencies had a well-established protocol for interception, which included sanction and supervision from highly ranked officials in Central and State governments, for clearly stated reasons in national interest.

In an attack on Opposition parties, including the Congress on the issue, Mr. Prasad pointed out to the incidents of bugging of former Finance Minister Pranab Mukherjee’s office during the UPA regime and spying on the then Army Chief Gen. V.K. Singh. “These are instances of breach of privacy of highly reputed individuals, for personal whims and fancies of a family,” he stated.

The Ministry of Home Affairs (MHA) said the government was committed to protecting fundamental rights of citizens and “reports of breach of privacy of Indian citizens on WhatsApp were attempts to malign the government and are completely misleading.” An MHA official said the government would take strict action against any intermediary responsible for breach of privacy of citizens.

“It is clarified that the government of India operates strictly as per provisions of law and laid down protocols. There are adequate safeguards to ensure that no innocent citizen is harassed or his privacy breached,” the official said.

Both the Ministries did not say if any government agency sought NSO’s services.

‘Not very secure’

Dr. Gulshan Rai, former National Cyber Security Coordinator in the Prime Minister’s Office, said that WhatsApp is not a very secure system. “It is accessed by millions of users the world over through different platforms and tools. Their systems are amenable to breaches due to their own weakness and also because of others. In the past there have been several instances of weakness in their systems. It is very evident that if NSO has exploited weaknesses in their system, their (WhatsApp) systems and checks are very weak,” Dr. Rai told The Hindu.

Meanwhile, in a response to an RTI request filed by activist Saurav Das on October 23, asking questions over whether or not the government has purchased Pegasus or intends to do so in the future, the MHA stated that it had no information in this regard.

The use of the spyware in question, named Pegasus, via WhatsApp was first identified in May this year. The spyware exploited a vulnerability in WhatsApp’s video-call feature that allowed attackers to inject the spyware on to phones simply by ringing the number of a target’s device.

The person did not even have to answer the call. Once Pegasus is installed, it can access the targeted users’ private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. Following this, the U.S.-based firm announced that it had addressed the vulnerability and issued an update for its application.

Mobiles hit

In the investigations that followed, WhatsApp found that a total of 1,400 mobile numbers and devices were impacted globally. These included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

In its complaint filed with the federal court, WhatsApp has stated, “According to public reporting, Defendants’ [NSO Group] clients include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.”

Meanwhile, the Citizen Lab at the University of Toronto, which had volunteered to help WhatsApp identify cases where the suspected targets of this attack were members of civil society, such as human rights defenders and journalists, said it believed that at least 100 members of civil society, “which is an unmistakable pattern of abuse”, were targeted in these attacks globally.

This number may grow as more victims come forward, it added. These 100 members were spread across at least 20 countries in Africa, Asia, Europe, the Middle East, and North America.

In an opinion piece written for Washington Post, Will Cathcart, head of WhatsApp, said NSO Group has previously denied any involvement in the attack, stating, “Under no circumstances would NSO Group be involved in the operating … of its technology.”

“But our investigation found otherwise. Now, we are seeking to hold NSO Group accountable under U.S. state and federal laws, including the US Computer Fraud and Abuse Act,” he said.

Citizen Lab also pointed out that NSO Group claims it sells its spyware strictly to government clients only, and all of its exports are undertaken in accordance with Israeli government laws and oversight mechanisms. “However, the number of cases in which their technology is used to target members of civil society continues to grow,” it stated.

“NSO Group spyware is being sold to government clients without appropriate controls over how it is employed by those clients. They are, in turn, using NSO’s technology to hack into the devices of members of civil society, including journalists, lawyers, political opposition, and human rights defenders — with potential lethal consequences,” Citizen Lab said in its report on its website.