A number of Indian activists and journalists confirmed on Thursday that their WhatsApp accounts had been snooped on as part of a surveillance programme using an Israeli spyware platform. While it is not clear who benefited from the surveillance in India, disclosures made by WhatsApp seem to suggest that state actors could be behind it.

In May, WhatsApp announced that it had detected and blocked a new kind of cyberattack involving a vulnerability in the video-calling feature. A user would receive what appeared to be a video call. Once the phone rang, the attacker secretly transmitted malicious code to infect the victim’s phone with spyware. The user did not even have to answer the call. Now, after months of investigation, WhatsApp has attributed the intrusion to a global technology company called NSO Group.

NSO claims it sells its spyware strictly to government clients. It uses spyware called Pegasus, which is among the most sophisticated available in the market and can infiltrate both iOS and Android devices. Pegasus gives unauthorised access to the user’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from popular mobile messaging apps.

According to experts, spyware like Pegasus gets embedded into the phone’s operating system, after which it gets access to data stored in the phone. Over 1,400 users in multiple countries have been victims of this spyware on WhatsApp.

The scandal has highlighted the need for strong data protection laws in the country. According to advocate Prashant Mali, an expert on cyber law, the only law that the perpetrators can be prosecuted under is the Indian Penal Code. “The upcoming Data Protection Bill has some sections that acknowledge incidents like these,” he said.

The Chairman of Global Security Forum, Sai Krishna, said that WhatsApp should be held accountable given that it is their customers who faced this problem, “but I don’t think our data privacy laws are strong enough for that.”

Farrhad Acidwala, a cybersecurity expert, said, “From a corporate governance standpoint, what WhatsApp is doing is effective. At the most, they can be more proactive about their security.”

Lloyd Matthias, a tech expert and angel investor, said, “Indian lawmakers will need to closely study spyware deterrents elsewhere in the world for starters.”

The Centre, meanwhile, has asked WhatsApp to submit a report on the surveillance programme by November 4. WhatsApp has filed a lawsuit in a California federal court against NSO Group. WhatsApp Head Will Cathcart said in a post: “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

Political storm

The issue turned political, with the Congress turning the heat on the Modi government. “Modi Govt caught snooping! Appalling but not Surprising! After all, BJP Govt- 1. Fought against our right to privacy...SC must take immediate cognisance and issue notice to BJP government,” tweeted the party’s chief spokesperson, Randeep Surjewala.

(The writer is an intern with BusinessLine Mumbai)
