New Delhi: The Narendra Modi government and WhatsApp on Friday pointed fingers at one another with regard to the recent Israeli spyware controversy.
The statements come just a day after the Centre asked the Facebook-owned platform to provide answers on what it was doing to protect the privacy of its users.
On Friday night a WhatsApp spokesperson noted, in an apparent response to the government’s request, that it had “notified relevant Indian and international government authorities” in May 2019 of a security vulnerability that allowed the NSO Group’s spyware to infect and snoop on phones across the world.
“In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users and asked U.S. courts to hold the international spyware firm known as the NSO Group accountable,” the statement noted.
“We agree with the government of India that it’.s critical together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide,” it added.
Also read | Israeli Spyware: Ask Not What Pegasus Does, But How Powerful Actors Operate in India
In a message disseminated to a handful of journalists and news agency ANI, who in turn attributed it to “government sources”, the Centre replied sharply, noting that the information that WhatsApp gave was “pure technical jargon”.
It added that no mention was made of a data breach or Pegasus, the NSO Group’s flagship spyware product.
“WhatsApp gave information to CERT-IN in May. It is a communication in pure technical jargon without any mention of Pegasus or extent of breach. The info shared was only about a technical vulnerability but nothing on the fact that privacy of Indians was compromised,” the response noted.
The information given out to senior journalists included an image of WhatsApp’s report to CERT-IN, the nodal government agency that deals with cyber-security threats like hacking or phishing.
WhatsApp’s report to CERT-In on the security vulnerability made public in May 2019. Credit: ANI
Government sources, according to ANI, added that the image made no mention of any specific threat to Indian citizens.
On Thursday, The Wire and other media organisations reported that many of the Indians who were targeted by the Pegasus spyware were activists, human rights lawyers and academics who have been associated with the Bhima Koregaon controversy.
The identity of the operator behind the spyware that was used to target these people is still unknown, although the NSO Group insists that it only sells its software to government agencies across the world.
Civil society demands probe
Meanwhile, in the last 24 hours, two civil society organisations have demanded more information and an independent inquiry into the Pegasus controversy.
AccessNow, a global human rights organisation that focuses on technology, has called for a probe, noting that surveillance practices need to be carried out in accordance with the Supreme Court’s ruling on the fundamental right to privacy.
“Unfortunately, the government’s statement on Pegasus does not clarify whether any government agencies have dealt with NSO Group or its agents, nor whether they are in any way involved in the use of spyware,” said Raman Jit Singh Chima, senior international counsel and Asia Pacific policy director at AccessNow.
“This is a crucial question for the government to answer, since NSO Group claims that it only transacts with governments and their agencies. If the government has not been involved, it must act to establish an independent inquiry into this incident and other related allegations of over-broad, illegal surveillance.”
Also read | Israeli Spyware: India Turns to WhatsApp For Answers, But What Should We Really Be Asking?
The New Delhi-based Internet Freedom Foundation has also said there is an “urgent need for official disclosure” on whether this spyware was used to hack into the phones of Indian citizens.
“The Government of India must issue an official public statement providing complete information. The Government must also clarify which law empowers it to install such spyware. To the best of our understanding and knowledge, no such power exists under Indian law, and the pre-existing surveillance powers available under the Telegraph Act, 1885 and the Information Technology Act, 2000 do not permit the installation of spyware or hacking mobile devices. Hacking of computer resources, including mobile phones and apps, is in fact a criminal offence under the Information Technology Act, 2000,” it said in a statement.