Instant messaging application WhatsApp failed to inform the government of a breach of its system through an Israeli spyware despite being legally bound to do so under the IT Act, a highly placed government official said.
The official from the Ministry of Electronics and Information Technology, who did not want to be named, pointed out that the company’s CEO Will Cathcart had met Telecom and IT Minister Ravi Shankar Prasad in July, while Nick Clegg, vice-president for global affairs and communications at Facebook which owns WhatsApp, met Mr. Prasad in September.
“During the meeting, when the issue of traceability was discussed, the company representatives raised pleas of privacy... but failed to inform of a breach on their platform, particularly when Indians could have been affected , given that we are one of the biggest markets for them,” the official said.
The government is yet to take a call on whether any action will be taken against WhatsApp. “WhatsApp, being an intermediary in India, is governed by our laws. Hence, we have first asked them for information, citing media reports. Once their reply comes, we will see what needs to be done.”
Questioned about the Centre dealing with Israeli technology firm NSO Group, accused by WhatsApp of the said intrusion using Pegasus spyware , the official said the government doesn’t work with it. The NSO Group claims on its website that its products are used “exclusively” by government intelligence and law enforcement agencies “to fight crime and terror.”
The building housing the Israeli NSO Group, in Herzliya, near Tel Aviv. WhatsApp on October 29, 2019 sued the NSO Group, accusing it of using the Facebook-owned messaging service to conduct cyberespionage on journalists, human rights activists and others.
In fact, WhatsApp’s unwillingness to be transparent about security-related issues may be looked into when giving a nod for it to start payment services in India, as security is of utmost importance here, the official said.
WhatsApp’s conduct, the official said, had raised concerns over whether this was an attempt to blunt the growing demand for traceability and accountability from the U.S.-based firm, not just in India, but also the U.S., the U.K. and Australia.
The government Centre will stick to its demand for identifying the source of the malicious messages, the official added. The incident also comes close on the heels of the Supreme Court giving the Centre three months to come up with rules to curb misuse of social media in the country.
In a statement, WhatsApp said, “We agree with the government of India’s strong statement about the need to safeguard the privacy of all Indian citizens. That is why we’ve taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide.”
“Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities. Since then we’ve worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable. We agree with the government of India it’s critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide,” the statement said.
A screenshot from the website of CERT-In, the Indian Computer Emergency Response Team under the Ministry of Electronics and Information Technology. Photo: cert-in.org.in
However government sources said: “WhatsApp had given information to CERT-IN, a government agency...[however] it is a communication in pure technical jargon without any mention of Pegasus or the extent of breach. Thus the information shared was only about a technical vulnerability but nothing on the fact that privacy of Indian users had been compromised.”
