WhatsApp spying row: We've sent notice to Israel's Pegasus, says Prasad

Govt has asked for an audit of WhatsApp security and systems, according to IT minister

The government has issued notice to the Israeli firm accused of misusing WhatsApp for snooping on Indian citizens, Ravi Shankar Prasad, minister of electronics and information technology, told the Rajya Sabha on Thursday.

Also, the Computer Emergency Response Team of India (CERT-In) has asked for an audit of WhatsApp security and systems, Prasad said.

Responding to the Opposition’s questions on whether the government bought spying software called Pegasus from Israel-based NSO Group, which claims to sell only to governments, the minister did not give a straight answer and said “we have sent a notice to NSO also”.

He was replying to a special mention by Congress Member of Parliament Digvijaya Singh on the use of the spyware against some Indians.

WhatsApp said on October 29 it was filing a federal complaint in the US against NSO Group for a cyberattack that exploited a vulnerability in the app’s video calling feature. That could compromise the target person’s device. Of the 1,400 people affected globally, 121 were Indians.

The CERT-In is the national nodal agency for responding to computer security cases as and when they occur, and is the one that has to be informed in the case of a cyber breach. 

CERT-In sought information, including a need to conduct an audit and inspection of the WhatsApp security system and processes, from the messaging app on November 9. WhatsApp responded on November 18, and additional details were sought on November 26, the minister added.

Singh asked the minister repeatedly if the government had purchased Pegasus. He wanted to know if an inquiry had been ordered against NSO and whether the government had established contact with Canada-based Citizen Lab, which worked with WhatsApp.

Singh asked if there was a formal data-sharing agreement between WhatsApp and other messaging companies and the government, which government agency had bought Pegasus and under what head the expenditure was made, and whether in the past three years any NSO representatives met state or Central ministers or senior police officials. In response, the minister said WhatsApp suing NSO Group was a “private battle”, which the Indian government should not get in to.

“We have constantly said there is a standard operating procedure … if they (government agencies) have to do anything for the safety and security of India, it will be done ... To the best of my knowledge, no unauthorised interception has been done,” he added.

In response to another question about the proposed data protection Bill, which is scheduled to be tabled in Parliament, Prasad said the law was in the works, and the ministry had the “widest consultation possible”, and it will be finalised soon. “India will never compromise on its data sovereignty,” he said. 

The issue has become political, with the government asking WhatsApp to explain the breach of Indians’ privacy and questions being raised about whether the government bought Pegasus software or not.

NSO Group is also known for selling software to authoritarian regimes, a charge it has denied in the past. 

On Tuesday, Google said about 500 users from India were among 12,000 people informed about being targeted by “government-backed attackers” between July and September this year. 

Cracking the whip

• WhatsApp had not shared a list of affected persons with govt
• Govt has been firm on demands for traceability of incendiary messages from WhatsApp
• Govt does not want the messaging platform to break its encryption 
• No affected person has filed an FIR against their privacy being breached by Pegasus