WHATSAPP BREACH
The recent WhatsApp breach targeting dissident Indians with spyware underlines the possibility of a wider vulnerability and points an accusing finger at the State
A privacy breach of the messaging app raises troubling questions about the Indian State’s pursuit of dissenting voices
Late in the evening on October 28, Delhi-based freelance journalist Rajeev Sharma received a phone call. The caller identified himself as John Hilton, a researcher from CitizenLab, a Canada-based internet research agency. Sharma was warned that his phone had been under surveillance for two weeks until May 2019. He was not alone. It turns out that the phones of several dozen Indian journalists, lawyers and activists were hacked using an invasive Israeli-developed malware. A lawsuit was filed against Israeli cyber intelligence firm NSO by WhatsApp and its parent company Facebook in a US court in California on October 29, accusing it of using their messaging platform to dispatch ‘Pegasus’, a hacking tool named after a winged horse from Greek mythology, to approximately 1,400 mobile phones and devices worldwide.
While India was not specifically mentioned in the complaint, several Indian activists and journalists came forward to confirm they had received messages warning that they had been under state-of-the-art surveillancein May. The list of individuals under surveillance reportedly included human rights activists active in Maharashtra and Chhattisgarh. The names reported by the website Newslaundry include Shalini Gera, Rupali Jadhav, Nihalsingh Rathod, Bela Bhatia, Degree Prasad Chauhan, Anand Teltumbde, Shubhranshu Choudhary, Saroj Giri, Vivek Sundara, Ashish Gupta and Ankit Grewal.
WhatsApp discovered the vulnerability in May and messaged its 1.5 billion user base to update the app. The software glitch allowed the Pegasus software to be installed on users’ phones via the phone and video call function on WhatsApp. The developer says it informed the Indian Computer Emergency Response Team, or CERT-In, about the hack. CERT-In, which operates under the Union ministry for elec
“USING MALWARE TO GAIN UNAUTHORISED ACCESS TO PHONES IS AN OFFENCE UNDER INDIAN LAW. USERS HAVE THE RIGHT TO TAKE LEGAL ACTION” N.S. NAPPINAI SUPREME COURT LAWYER AND CYBER LAW EXPERT
tronics and information technology, is the official Indian agency dealing with cyber attacks. In May, CERT-In published the warning about WhatsApp’s vulnerability on its website. But on November 2, four days after news of the US lawsuit broke, the warning was taken down from the website.
Evidence so far suggests the Pegasus malware attack was a sophisticated 21st century version of the Watergate complex bugging in 1972. Except here, the listening tools were allegedly planted from thousands of kilometres away. The snooper wasn’t an insecure US presidential hopeful trying to keep tabs on his opponents, but potentially a handful of regimes across the world wanting to spy on dissidents, activists and journalists. The break-in was reported by a Canadian research agency that has been tracking the rapacious malware’s worldwide reach.
The Indian government has denied it had anything to do with the attack. NSO, in a statement, said it sells only to governments and law enforcement agencies. India, with over 400 million users, is WhatsApp’s largest market, accounting for over a third of its users. “This is no ordinary breach,” says Rajeev Sharma. “The range of targets suggests it was a government-led Big Brother snooping programme.” Pegasus’s ‘target users’ included journalists, rights activists, political dissidents and foreign government officials in several countries, including Bahrain, the UAE and Mexico.
“The Indian government is concerned about the breach of privacy of citizens of India on WhatsApp,” IT minister Ravi Shankar Prasad tweeted on November 1. “We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.”
The breach raises multiple issues of security and privacy, not to mention the need for judicial oversight on Indian intelligence agencies. How this scandal will play out will depend on the course taken by the lawsuit in California and the action taken by the individuals snooped upon and the Indian government. The Pegasus issue is expected to figure prominently in the winter session of Parliament, beginning November 18. Congress leaders claimed on November 3 that Priyanka Gandhi, too, was snooped upon. The party’s Anand Sharma, who heads the parliamentary standing committee on home affairs, and Shashi Tharoor, who heads the parliamentary standing committee on information technology, issued statements that they will take up the issue in their respective committees.
The worrying questions, however, could tran
scend politics. Pegasus is expensive, reportedly costing $55 million (Rs 390 crore). Which agencies in India did NSO sell it to, and who were the targeted individuals? Only 10 central agencies can tap telephones in India—the Intelligence Bureau, the Central Bureau of Investigation, the National Investigation Agency, the Research & Analysis Wing, the Directorate of Signal Intelligence, the Delhi police commissioner, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes and the Directorate of Revenue Intelligence. But they need a court order and approval from a designated authority, usually the Union home secretary, to do so. Even if these procedures were followed, the Information Technology Act of 2000 outlaws the use of malware.
In a written response to India Today TV on November 4, NSO said, “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” NSO cited “significant legal and contractual constraints” in being unable to reveal the targets of its spyware and the identity of its clients.
Since its discovery in the phone of a UAE human rights activist in 2016, Pegasus startled the cyber world with its capabilities. Developed to track down criminals and terrorists, it not just tiptoes into a target’s smartphone, but also transforms it into a listening device. NSO is now a global leader in providing cyber intelligence and analytics solutions to governments,
earning $250 million in revenues in 2018.
At some point, NSO’s clients in Africa and West Asia turned their focus towards monitoring political opponents and dissidents. The malware vaulted over every hurdle faced by phone-tapping agencies until now—end-to-end encrypted communication, targets changing their SIM cards, the need to engage with mobile phone providers, for targets to have to click on a link to download the malicious software. All it took for Pegasus to be inserted into smartphones was a missed call. Once a device had been breached, the malware tracked the movements of their hosts, sending files, photographs and documents to host computers. Pegasus barely used the battery, data and memory of target phones. The malware’s ability to self-destruct ensured it left no trail.
An intelligence official called Pegasus a ‘nuclear weapon of cyberspace’ for its ability to suck out virtually anything from smartphones. So alluring was its appeal that even the UAE and Saudi Arabia, countries with no diplomatic ties with Israel, reportedly purchased it. The malware is constantly improved to overcome software upgrades.
The WhatsApp hack again highlights how India’s intelligence agencies operate without judicial or parliamentary oversight. Intelligence officials say this is a fit case for setting up dedicated courts that will sanction such operations and hand out the warrants to snoop phones, should the need arise. “The fallout from the scandal might not be containable within Indian officialdom, and could throw up details that could embarrass the government and make security officials vulnerable to foreign blackmail,” says Pavithran Rajan, a Bengaluru-based cyber security expert. According to N.S. Nappinai, a Supreme Court lawyer and cyber law expert, “Service providers such as WhatsApp are amenable to multiple jurisdictions and subject to Indian laws and regulations. Injecting malware and using it for unauthorised access are offences under Indian law. Users in India have the right to initiate action—civil and criminal—for data protection violation.”
On November 4, RSS ideologue K.N. Govindacharya filed a suit in the Supreme Court against Facebook, the electronics and information technology ministry, NSO and the Union of India. In his petition, Govindacharya asked the government to notify the Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018, meant to tackle the misuse of social media. Govindacharya also accuses Facebook and WhatsApp of perjury—of lying before the court that they did not have the technology to decrypt messages on their platforms. WhatsApp had said as much in response to a recent case seeking the authentication of social media accounts with Aadhaar numbers.
Delhi-based constitutional lawyer Gautam Bhatia tweeted on November 4 that the “PIL route for a core civil rights issue is an invitation to delay, demur and dilute”. A better option, lawyers say, is for the Indian victims to file cases against NSO and WhatsApp. On November 4, Ghanem Almasarir, a London-based Saudi satirist, filed a case in the UK, seeking damages from NSO for its complicity in an August 2017 attack on his phone. “Privacy is a fundamental right. Those targeted by the breach can file criminal charges in Indian courts against WhatsApp and NSO,” says cyber security lawyer Pavan Duggal.
Last year, the government came out with the draft Personal Data Protection Bill, which calls for an independent regulator to oversee data protection and impose harsh penalties on violators. The bill is yet to be passed by Parliament. The WhatsApp hack might build pressure on political parties to do so now. But what hope will this offer if the State itself is the violator? ■
“PRIVACY IS A FUNDAMENTAL RIGHT. VICTIMS CAN FILE CRIMINAL CHARGES IN INDIAN COURTS AGAINST WHATSAPP AND NSO” PAVAN DUGGAL CYBER SECURITY EXPERT
“THIS SCANDAL COULD REVEAL INFORMATION THAT LEAVES INDIAN SECURITY OFFICIALS VULNERABLE TO FOREIGN BLACKMAIL” PAVITHRANRAJAN CYBER SECURITY EXPERT