Countering the government’s claim that WhatsApp did not inform it about a privacy breach on the messaging platform, the company has responded to a notice issued by the Ministry of Information Technology two days ago, saying that besides notifying the government in May about a vulnerability in its service, it sent a letter in early September that 121 Indians were compromised by the Israeli spyware Pegasus, sources familiar with the matter told The Sunday Express.
While IT Ministry officials confirmed that they had received a letter in September from WhatsApp stating that personal data of Indians was likely accessed by the spyware, they said the letter, which is not in the public domain, was “still too vague.”
The information about the September letter comes amidst claims by government sources that they were “disturbed” that the company had not brought the privacy breach of Indian citizens to their attention during the two meetings with the minister earlier this year. On August 20, in the backdrop of lynchings traced to rumours on WhatsApp, IT Minister Ravi Shankar Prasad had urged WhatsApp head Will Cathcart to find a solution to malicious messaging on their platform. On September 12, Prasad discussed data sharing with Nick Clegg, Facebook vice-president for global affairs and communications.
On Thursday, The Indian Express had reported that WhatsApp, which sued Pegasus-developer NSO Group in a US court on Tuesday, has confirmed that Indian journalists and human rights activists were among targets of surveillance by operators using the Pegasus spyware.
Insisting that the September letter is “not very, very firm”, a source in the ministry said there are not enough details. “The letter says that it appears that some 121 people may have been affected but doesn’t specifically say what the impact was. It doesn’t tell who, what, where… the identities which have now come out in the media. They have been trying to reach out to (those affected) through a Canadian group. Nowhere has the Indian government been involved,” said a source in the ministry.
On Saturday, IT Ministry officials again said they were upset that WhatsApp had not brought up the issue of privacy breach during high-level meetings earlier this year.
“The government took up the issue of traceability with their international vice-president (Clegg) and CEO (Daniels) during formal structured meetings at the highest level of the ministry. They objected to it, suggesting their platform was safe. Not for once did they inform us about this privacy breach during those meetings at the highest levels,” said a source in the ministry.
A source closely associated with the matter, however, said, “WhatsApp has been keeping the Indian Government very much updated on what was going on. It was not possible to name the NSO Group in May because at that point, WhatsApp did not know.”
Sources said the both the vulnerability note of May and the September letter were sent to the Indian Computer Emergency Response Team (CERT-In), the nodal agency within the IT Ministry to deal with cyber security threats.
The company has attached the vulnerability note of May and the September letter in its response to a questionnaire sent to it on Thursday by the IT Ministry, which had sought a response from the company by November 4. The IT ministry official said they would respond to WhatsApp after deliberating on the company’s response.
On May 17, CERT-In posted WhatsApp’s “vulnerability note” on its website. It notified a “buffer overflow condition error” vulnerability in the WhatsApp messaging platform that could be exploited. “A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the affected system.”
On Friday, a source in the government told The Indian Express that the May notification was “too technical a jargon” and the platform did not reveal that “privacy of Indian users had been compromised”.
While WhatsApp did not officially link the security vulnerability at the time to NSO, news reports from May, including in the Indian Express, had made the connection. The May CERT-In notification has an attached link from a third party connecting the vulnerability to the NSO group.
The WhatsApp source said that even when the connections to NSO became clear in October, WhatsApp waited until this week to come public about it due to the decision to take NSO to court in November.
A government official had on Friday said the timing of WhatsApp’s lawsuit against NSO is “suspicious” given the ongoing drafting of new intermediary guidelines in India that would affect the company’s operations in India.