The government wants to conduct an audit of WhatsApp’s security systems following revelations of Israeli spyware exploiting its vulnerabilities, IT Minister Ravi Shankar Prasad said but refused to say if the government had bought the spyware.
The Indian Computer Emergency Team (CERT-In) “has clearly said that we want to audit your (WhatsApp) entire system… we have told them that we want to conduct an audit and inspection of WhatsApp’s security systems and processes,” Prasad said in reply to a short duration discussion in Rajya Sabha over the spying controversy.
He, however, did not give a direct reply to Congress leader Digvijaya Singh’s repeated query if the government had bought Pegasus spyware from Isreali firm NSO.
To Singh’s question on Home Minister having met WhatsApp officials, Prasad said WhatsApp representatives keep meeting government officials and they “may have met Home Minister as well. After all, WhatsApp has its biggest operations globally in India.”
WhatsApp, last month, sued Israeli surveillance firm NSO Group, accusing it of helping those buying its spyware Pegasus break into the phones of roughly 1,400 users across four continents.
The targets of the hacking included diplomats, political dissidents, journalists, along with military and government officials. In India, 121 users are believed to have been compromised.
Prasad said cyber security agency CERT-In had sought information from WhatsApp including need to conduct an audit and inspection of WhatsApp’s security systems and processes on November 9, and further clarifications and details have been sought on November 26, following response from WhatsApp on November 18.
Stating that WhatsApp CEO had made no mention of vulnerability in their system by Pegasus spyware during his meeting with the Ministry, Prasad also warned digital players that they must erect appropriate security walls, failing to which appropriate action would be taken.
“During the high-level engagements like meeting of CEO Will Cathcart and VP Policy Nick Clegg of Whatsapp that took place with the Ministry on July 26, 2019 and September 11, 2019, no mention was made by the high-level Whatsapp team regarding this vulnerability,” said Prasad in a statement.
The Indian cybersecurity agency has also sent notice to NSO group on November 26, 2019 seeking details about the malware and its impact on Indian users, he said.
According to Prasad, WhatsApp reported an incident to CERT-In, wherein it mentioned that it had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out the attack.
Moreover, he also said that the government along with USA, UK and Australia is in discussion with WhatsApp to identify the source of the message and videos which have violence.
“If there is provocation from any messages or communal violence happens, then you would have to tell the origin, who have started it. We are having discussions with them,” said Prasad asserting that they would have to tell the law enforcement agencies about the origin of the rogue message.
The minister also said that several of such messages originated from Pakistan.
“I want to inform you that several times, many things start from Pakistan. Due to security reasons, I would not be able to share details,” he said.
According to the minister, when the discussion was on, NSO espionage happened and this was a coincidence.
Prasad also said that the Supreme Court has upheld privacy as a fundamental right. However, the apex court has also stated that a terrorist and a corrupt person has no right to privacy.
He also said that there is a need to balance “competing interest of privacy and security” of the country.
“In the interest of the sovereignty and integrity of India, intercepts can be made of the people including their computer resource but this has to be authorised by the home secretary of the government of India,” he said.
The minister also informed the Upper House that the work on Data Protection law is on progress and would be introduced very soon in Parliament.
Senior Congress leader Anand Sharma asked as whether there has been any unauthorised intercepts by the Government agencies.
“Besides authorised, have the government agencies made unauthorised use of this Pegasus spyware. Do you have any information? If yes, then please share the information with the house,” Sharma asked.
Assuring him, the minister said that any violation of the established procedure in this is “actionable”.
“To the best of my knowledge, no unauthorised interception has been done,” Prasad said adding ” If anyone is having a problem, then let them file an FIR.”
The Minister also said that India would never compromise its data security.
Replying to the concerns raised by the members, Prasad said digital companies are welcome to do the business in India but they would also have to acknowledge and understand that safety and security of Indians are of prime importance.
Shanmugam of DMK said that it is a threat to privacy. While MD Nadimul Haque of AITC said that wanted to know that whether the government give permission to authorities to encrypt the WhatsApp messages.
K K Ragesh of CPI M alleged that the government is hiding information on that and asked the government to table a report.