India Today

WHATSAPP BREACH

The recent WhatsApp breach targeting dissident Indians with spyware underlines the possibility of a wider vulnerability and points an accusing finger at the State

- BY SANDEEP UNNITHAN | Illustration by NILANJAN DAS

A privacy breach of the messaging app raises troubling questions about the Indian State’s pursuit of dissenting voices

Late in the evening on October 28, Delhi-based freelance journalist Rajeev Sharma received a phone call. The caller identified himself as John Hilton, a researcher from CitizenLab, a Canada-based internet research agency. Sharma was warned that his phone had been under surveillance for two weeks until May 2019. He was not alone. It turns out that the phones of several dozen Indian journalists, lawyers and activists were hacked using an invasive Israeli-developed malware. A lawsuit was filed against Israeli cyber intelligence firm NSO by WhatsApp and its parent company Facebook in a US court in California on October 29, accusing it of using their messaging platform to dispatch ‘Pegasus’, a hacking tool named after a winged horse from Greek mythology, to approximately 1,400 mobile phones and devices worldwide.

While India was not specifically mentioned in the complaint, several Indian activists and journalists came forward to confirm they had received messages warning that they had been under state-of-the-art surveillance in May. The list of individuals under surveillance reportedly included human rights activists active in Maharashtra and Chhattisgarh. The names reported by the website Newslaundry include Shalini Gera, Rupali Jadhav, Nihalsingh Rathod, Bela Bhatia, Degree Prasad Chauhan, Anand Teltumbde, Shubhranshu Choudhary, Saroj Giri, Vivek Sundara, Ashish Gupta and Ankit Grewal.

WhatsApp discovered the vulnerability in May and messaged its 1.5 billion user base to update the app. The software glitch allowed the Pegasus software to be installed on users’ phones via the phone and video call function on WhatsApp. The developer says it informed the Indian Computer Emergency Response Team, or CERT-In, about the hack. CERT-In, which operates under the Union ministry for electronics and information technology, is the official Indian agency dealing with cyber attacks. In May, CERT-In published the warning about WhatsApp’s vulnerability on its website. But on November 2, four days after news of the US lawsuit broke, the warning was taken down from the website.

“USING MALWARE TO GAIN UNAUTHORISED ACCESS TO PHONES IS AN OFFENCE UNDER INDIAN LAW. USERS HAVE THE RIGHT TO TAKE LEGAL ACTION” N.S. NAPPINAI SUPREME COURT LAWYER AND CYBER LAW EXPERT

Evidence so far suggests the Pegasus malware attack was a sophisticated 21st century version of the Watergate complex bugging in 1972. Except here, the listening tools were allegedly planted from thousands of kilometres away. The snooper wasn’t an insecure US presidential hopeful trying to keep tabs on his opponents, but potentially a handful of regimes across the world wanting to spy on dissidents, activists and journalists. The break-in was reported by a Canadian research agency that has been tracking the rapacious malware’s worldwide reach.

The Indian government has denied it had anything to do with the attack. NSO, in a statement, said it sells only to governments and law enforcement agencies. India, with over 400 million users, is WhatsApp’s largest market, accounting for over a third of its users. “This is no ordinary breach,” says Rajeev Sharma. “The range of targets suggests it was a government-led Big Brother snooping programme.” Pegasus’s ‘target users’ included journalists, rights activists, political dissidents and foreign government officials in several countries, including Bahrain, the UAE and Mexico.

“The Indian government is concerned about the breach of privacy of citizens of India on WhatsApp,” IT minister Ravi Shankar Prasad tweeted on November 1. “We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens.”

The breach raises multiple issues of security and privacy, not to mention the need for judicial oversight on Indian intelligence agencies. How this scandal will play out will depend on the course taken by the lawsuit in California and the action taken by the individuals snooped upon and the Indian government. The Pegasus issue is expected to figure prominently in the winter session of Parliament, beginning November 18. Congress leaders claimed on November 3 that Priyanka Gandhi, too, was snooped upon. The party’s Anand Sharma, who heads the parliamentary standing committee on home affairs, and Shashi Tharoor, who heads the parliamentary standing committee on information technology, issued statements that they will take up the issue in their respective committees.

The worrying questions, however, could transcend politics. Pegasus is expensive, reportedly costing $55 million (Rs 390 crore). Which agencies in India did NSO sell it to, and who were the targeted individuals? Only 10 central agencies can tap telephones in India—the Intelligence Bureau, the Central Bureau of Investigation, the National Investigation Agency, the Research & Analysis Wing, the Directorate of Signal Intelligence, the Delhi police commissioner, the Narcotics Control Bureau, the Enforcement Directorate, the Central Board of Direct Taxes and the Directorate of Revenue Intelligence. But they need a court order and approval from a designated authority, usually the Union home secretary, to do so. Even if these procedures were followed, the Information Technology Act of 2000 outlaws the use of malware.

In a written response to India Today TV on November 4, NSO said, “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” NSO cited “significant legal and contractual constraints” in being unable to reveal the targets of its spyware and the identity of its clients.

Since its discovery in the phone of a UAE human rights activist in 2016, Pegasus startled the cyber world with its capabilities. Developed to track down criminals and terrorists, it not just tiptoes into a target’s smartphone, but also transforms it into a listening device. NSO is now a global leader in providing cyber intelligence and analytics solutions to governments, earning $250 million in revenues in 2018.

At some point, NSO’s clients in Africa and West Asia turned their focus towards monitoring political opponents and dissidents. The malware vaulted over every hurdle faced by phone-tapping agencies until now—end-to-end encrypted communication, targets changing their SIM cards, the need to engage with mobile phone providers, for targets to have to click on a link to download the malicious software. All it took for Pegasus to be inserted into smartphones was a missed call. Once a device had been breached, the malware tracked the movements of their hosts, sending files, photographs and documents to host computers. Pegasus barely used the battery, data and memory of target phones. The malware’s ability to self-destruct ensured it left no trail.

An intelligence official called Pegasus a ‘nuclear weapon of cyberspace’ for its ability to suck out virtually anything from smartphones. So alluring was its appeal that even the UAE and Saudi Arabia, countries with no diplomatic ties with Israel, reportedly purchased it. The malware is constantly improved to overcome software upgrades.

The WhatsApp hack again highlights how India’s intelligence agencies operate without judicial or parliamentary oversight. Intelligence officials say this is a fit case for setting up dedicated courts that will sanction such operations and hand out the warrants to snoop phones, should the need arise. “The fallout from the scandal might not be containable within Indian officialdom, and could throw up details that could embarrass the government and make security officials vulnerable to foreign blackmail,” says Pavithran Rajan, a Bengaluru-based cyber security expert. According to N.S. Nappinai, a Supreme Court lawyer and cyber law expert, “Service providers such as WhatsApp are amenable to multiple jurisdictions and subject to Indian laws and regulations. Injecting malware and using it for unauthorised access are offences under Indian law. Users in India have the right to initiate action—civil and criminal—for data protection violation.”

On November 4, RSS ideologue K.N. Govindacharya filed a suit in the Supreme Court against Facebook, the electronics and information technology ministry, NSO and the Union of India. In his petition, Govindacharya asked the government to notify the Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018, meant to tackle the misuse of social media. Govindacharya also accuses Facebook and WhatsApp of perjury—of lying before the court that they did not have the technology to decrypt messages on their platforms. WhatsApp had said as much in response to a recent case seeking the authentication of social media accounts with Aadhaar numbers.

Delhi-based constitutional lawyer Gautam Bhatia tweeted on November 4 that the “PIL route for a core civil rights issue is an invitation to delay, demur and dilute”. A better option, lawyers say, is for the Indian victims to file cases against NSO and WhatsApp. On November 4, Ghanem Almasarir, a London-based Saudi satirist, filed a case in the UK, seeking damages from NSO for its complicity in an August 2017 attack on his phone. “Privacy is a fundamental right. Those targeted by the breach can file criminal charges in Indian courts against WhatsApp and NSO,” says cyber security lawyer Pavan Duggal.

Last year, the government came out with the draft Personal Data Protection Bill, which calls for an independent regulator to oversee data protection and impose harsh penalties on violators. The bill is yet to be passed by Parliament. The WhatsApp hack might build pressure on political parties to do so now. But what hope will this offer if the State itself is the violator? ■

“PRIVACY IS A FUNDAMENTAL RIGHT. VICTIMS CAN FILE CRIMINAL CHARGES IN INDIAN COURTS AGAINST WHATSAPP AND NSO” PAVAN DUGGAL CYBER SECURITY EXPERT

“THIS SCANDAL COULD REVEAL INFORMATION THAT LEAVES INDIAN SECURITY OFFICIALS VULNERABLE TO FOREIGN BLACKMAIL” PAVITHRAN RAJAN CYBER SECURITY EXPERT
