A day after the Ministry of Electronics and Information Technology sought an explanation from WhatsApp on the alleged surveillance of phones of more than two dozen people by operators using the messaging platform to install Israeli spyware Pegasus, government sources said they are “disturbed” that neither WhatsApp nor its parent company Facebook brought the privacy breach of Indian citizens to their notice, though they have had numerous meetings since summer.
Late Friday, WhatsApp, however, said it had “notified relevant Indian and international government authorities” in May about “a security issue” that it had “resolved” and had also tried to reach out to the targeted users.
An establishment source countered the WhatsApp response, suggesting that the May notification was “too technical a jargon” and the messaging platform did not reveal that “privacy of Indian users had been compromised”. The information shared, the source said, was “only about a technical vulnerability but nothing on the fact that privacy of Indian users had been compromised”.
To this, a WhatsApp source said that the issue was simply “a security issue in May” and was later found to be linked to Pegasus through work done with Citizen Lab.
Spotlight back on data access
WhatsApp has been resisting calls from governments to weaken end-to-end encryption. Arguments in the Supreme Court have raised questions of government access to WhatsApp data and encryption. The IT Ministry has said that they will update the IT Act with new Intermediary Guidelines by January 15.
The conflicting claims provide no clarity on the sequence of the privacy breach or the nature of the notifications between government authorities and WhatsApp.
Earlier in the day, a government official said WhatsApp is legally bound to disclose any cyber incident to the Indian Computer Emergency Response Team (CERT-In), and “this conduct raises questions” about their security at a time when the platform is facing regulatory clearance hurdles to bring WhatsApp Pay to India. Another government functionary said: “The government is disturbed by the coincidence that WhatsApp is under global pressure for traceability and this legal case with the NSO Group (in a US federal court) is filed at the same time.”
By evening, a response came from a WhatsApp spokesperson: “Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable. We agree with the government of India it’s critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide.”
On May 17, CERT-In posted a “vulnerability note” on its website. It notified a “buffer overflow condition error” vulnerability in the WhatsApp messaging platform that could be exploited. “A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the affected system.”
It had highlighted that “a remote attacker could exploit this vulnerability by making a decoy WhatsApp voice call to a target user’s phone number and thereby sending specially crafted series of SRTCP packets to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker. Successful exploitation of this vulnerability could allow the attacker to access information on the system such as call logs, messages, photos, etc which could lead to further compromise of the system.”
Official sources pointed to “the timing” of WhatsApp’s case against the NSO Group. “The timing is full of suspicion and a lot of suspicious circumstances are there. How is it that they have picked up those elements who are most hostile to the government — Elgar Parishad, Bastar, Kabir Manch. How has WhatsApp picked them up selectively from some school in Canada? This is all too much of a coincidence. Select people who are anti-Modi government,” the government functionary said, referring to the list of rights activists, lawyers and journalists who were made alleged targets of surveillance.
On Thursday, The Indian Express reported that WhatsApp, which sued Pegasus-developer NSO Group in a US federal court Tuesday, had confirmed that Indian journalists and human rights activists were among targets of surveillance by operators using the Pegasus spyware.
That very day, Ravi Shankar Prasad, Union Minister for Law and Justice, Communications, Electronics & Information Technology, while expressing concern over the “breach of privacy of citizens of India”, asked WhatsApp to “explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens”. The Ministry of Home Affairs also warned of strict action against those found violating the law of the land.
Official sources said that at a meeting on August 20, Prasad had urged Chris Daniels, the then WhatsApp CEO, to find a solution to malicious messaging on their platform, in the backdrop of lynchings traced to rumours spread on WhatsApp. On September 12, Prasad discussed data sharing with Nick Clegg, Facebook vice-president for global affairs and communications.
Asked if the government has had any interaction with the NSO Group, the sources denied any dealings with the company. The government, sources said, is not approaching the NSO with questions because Indian citizens “are being snooped upon through WhatsApp”.
The Pegasus method
To monitor a target, a Pegasus operator must convince the target to click on a specially crafted ‘exploit link’, which allows the operator to penetrate security features on the phone and install Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus installed, it begins contacting the operator’s command and control servers to receive and execute operator commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity. In the latest vulnerability, the subject of the lawsuit, clicking the ‘exploit link’ may not even be required: a missed video call on WhatsApp would have been enough to open up the phone, without any response from the target at all.
Incidentally, the government and WhatsApp are engaged in dialogue over the traceability of messages on the messaging platform. While the government is demanding traceability of the originator of malicious messages, WhatsApp has been resisting the demand, claiming that this would require decryption.
“We don’t want to know the content. We are not interested in breaking the encryption. We just want to know the original sender, the source of the malicious content. They are resisting that. They are claiming a privacy plea when we ask, and that same privacy plea is being breached by rogue elements,” the official said.