WhatsApp claims Israeli spyware snooped on Indian journalists: Here's all you need to know
Pegasus is installed in the mobile phone, without the knowledge or the permission of the user. Then it breaches the security features of the phone and sends back private data – passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps – to the Pegasus operator.
Facebook-owned WhatsApp, on October 31, revealed that it has been snooping on Indian journalists and human rights activists through Israeli spyware Pegasus, The Indian Express has reported.
In a lawsuit filed on October 29 in a US Federal Court in San Francisco, WhatsApp alleged that the Israeli NSO Group has targeted 1,400 WhatsApp users with Pegasus.
While WhatsApp declined to reveal the identities and the “exact number” of those who have been targets of surveillance, its spokesperson told the newspaper that WhatsApp was aware of the people who were targeted and had contacted each one of them.
What has WhatsApp claimed?
“Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” a WhatsApp spokesperson said.
The publication learnt that at least 24 Indian academics, lawyers, Dalit activists and journalists were contacted by WhatsApp and alerted that their phones had been under state-of-the-art surveillance for at least two weeks until May 2019.
WhatsApp, in its lawsuit, has claimed that NSO Group and Q Cyber Technologies have not only violated US and California laws, but also breached the app’s terms of service, which prohibit this type of abuse. WhatsApp claimed that smartphones were penetrated through missed calls alone.
“We believe this attack targeted at least 100 members of civil society which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward,” the lawsuit said.
What is NSO Group’s response?
NSO Group has denied the allegations levelled against it by WhatsApp. The newspaper has quoted it as saying, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists.”
When doubts about this technology were first raised in May this year, NSO Group said that it put in place a ‘Human Rights Policy’, which “further embeds human rights protections throughout our business and governance systems.”
NSO Group has also claimed that it sells its product (Pegasus, in this case) only to “vetted and legitimate government agencies”.
Was this breach flagged earlier/elsewhere?
Canada-based cyber security group Citizen Lab told the newspaper, “We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries” including India.
The newspaper cites a 2018 report which goes on to point to an India link active from June 2017 to September 2018. “We identified five operators that we believe are focusing on Asia. One operator, Ganges, used a politically themed domain.”
The cyber security group was earlier approached by Arab human rights activists, who suspected that they were under surveillance. After the killing of The Washington Post journalist Jamal Khashoggi, when links to NSO Group’s spyware and its involvement in tracking Khashoggi’s movements emerged, NSO Group terminated its agreement with Saudi Arabia.
Sources in WhatsApp told the newspaper that while the communication on the app is encrypted and secure, the problem starts when a malware compromises the device itself.
How does Pegasus work?
To snoop on an individual, a Pegasus operator needs to convince him/her to click on an ‘exploit link’. Once the individual clicks on that link, Pegasus is installed in the mobile phone, without the knowledge or the permission of the user. Then it breaches the security features of the phone and sends back private data – passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps – to the Pegasus operator.
The operator can even remotely turn on the phone’s camera and microphone to capture the user’s activity and vicinity.
In the lawsuit, WhatsApp has claimed that the latest version of the software won’t even wait for the user to click on the ‘exploit link’, and will be enabled by giving a missed call on WhatsApp, requiring no response from the user whatsoever.
What is the response of the Indian government?
Union Minister of Information Technology Ravi Shankar Prasad, in a series of tweets, said that “Government of India is concerned at the breach of privacy of citizens of India on the messaging platform WhatsApp.”
“We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens,” he added.
While taking potshots at Congress, Prasad said, “Those trying to make political capital out of it need to be gently reminded about the bugging incident in the office of the then eminent Finance Minister Pranab Mukherjee during UPA regime. Also a gentle reminder of the spying over the then Army Chief Gen. V. K. Singh.”