The rumours had floated around for years. As thousands of people in India switched to making encrypted WhatsApp calls as a way of avoiding government surveillance, which is pervasive and unregulated, many insisted that the authorities had found a way to listen in to those conversations too. Over the last few days, the rumours have been confirmed – and then some.
It turned out that a state-of-the-art piece of software called Pegasus, sold by an Israeli firm called NSO that generally retails to government clients, was able to use WhatsApp (as well as a number of other messaging services) to hack into phones with nothing more than a missed call.
One missed audio or video call on WhatsApp, usually from an international number, could compromise not just chats but an entire phone, including passwords, email messages and photos. The software could even then turn on the user’s camera and mic. Read an explainer about the software here.
Over the last few days, we have even been given some information about who it was used against. The software does not come cheap – a 2016 price list suggests it costs over $1 million dollars for the first 10 hacked accounts. This means that it doesn’t spread like regular viruses, but instead has to be used in a targeted manner.
Working with WhatsApp, the University of Toronto’s cyber-security group Citizen Lab has spent the last few days alerting certain people that they were targeted. In India, that included at least 17 people, primarily human rights activists, lawyers, scholars and journalists, who confirmed to Scroll.in that they received messages saying their phones had been compromised. Read more about them here.
The revelations prompt a certain number of questions.
Can the government confirm that it did not deploy this software?
Union Minister Ravi Shankar Prasad on Thursday said that the government is concerned about the security breach and that India has asked the Facebook-owned messaging service to explain itself. His statement also included a boilerplate line insisting that state agencies have a well-established protocol for interception of conversations in India for clearly stated reasons in the national interest. And then he used the opportunity to take potshots at the Congress, “gently reminding” the public about allegations of state surveillance by the previous administration.
That is not enough. Though NSO has denied specifics about this particular tool, it claims to only retail its software to government clients. The cost of the software is also prohibitive enough that only a few entities are likely to be able to deploy it, with governments coming at the very top of the list.
Moreover, the roster of those who have been targeted clearly suggests a pattern of those who work in the field of human rights, usually to expose the excesses of the Indian state. This gives the government an obvious reason to want to be listening in. Indian governments, past and present, do not have the best reputation on the matter of surveilling their own citizens. With that in mind, it is important that the government offer a categorical denial that it has not used this software to violate the fundamental right to privacy guaranteed to Indian citizens.
This holds true not just for the Union Government and its many departments, including the Intelligence Bureau and other agencies, but also the many state governments, which might also have decided to use this program. Can governments, Union and state, honestly tell the Indian public that they will not use spyware against their own citizens?
What is the government doing about it?
Let’s say it wasn’t the government’s doing, or at the very least not an action by the Union government. Will simply asking for an explanation from WhatsApp suffice? Members of the ruling Bharatiya Janata Party have already sought to question those targeted, rather than those doing the targeting, in this case, simply because the names that have emerged so far are likely to be critical of their politics.
This is unconscionable. The fundamental rights of Indian citizens are at stake here, no matter their personal politics. If an American company using illegal Israeli software are ferreting out personal information of Indian citizens, it represents a risk to India at several levels, whether governmental or individual.
In the past, the government has done little beyond paying lip-service to concerns about data breaches, such as its non-investigation into the impact of the Cambridge Analytica Facebook data dump. Will this time be any different?
News about the WhatsApp hack has come at the same time as details have emerged about a huge tranche of Indian credit and debit card details being sold on the dark web, as well as malware turning up on computers at a nuclear plant in India. Is the Indian government going to take data protection more seriously?
What will Parliament do about it?
Beyond the executive, the need of the hour is also immediate legislative action on this front. Indians – and the Indian Supreme Court – was told years ago that Parliament would pass a law explicitly aimed at protecting our data by now. Although a draft Personal Data Protection Bill has been around for a year now, there is no indication on when the government intends to bring it to Parliament. Moreover, the draft sidesteps all questions of surveillance, saying that should be left to another piece of legislation.
It is imperative then that Parliament, in its upcoming session this winter, make progress both on a law aimed at protecting the personal data of Indian citizens from all entities – private or governmental – while also moving forward on a law that will regulate the Indian state’s use of surveillance on its own citizens. It is important for the wider public to demand such protections from their legislators.
Cyber security, surveillance and data protection should move out of the realm of rumours. It is high time our authorities take concrete steps to protect the fundamental rights of Indian citizens.