Spyware is cheap and easily available online. At least two are available on Google’s Play Store, according to researchers at Cisco who on October 30 published a study identifying 87 global vendors, all of whom sell their stuff online. Some cost nothing and are widely used by parents to monitor children, employers to track employees, and estranged couples to track one another or exes. Some others cost up to Rs 6,000 per month for some kind of support.
Then there is the NSO Group.
The Israeli company is truly in a league of its own. It charges millions of dollars for its sophisticated spyware. Four years ago, a government agency in Ghana paid $8 million for the NSO’s flagship Pegasus eavesdropping software, and an additional 22 per cent, or $1.76 million, for one year’s support.
NSO says it sells only to governments and government agencies, and its end use is restricted to fighting crime and terrorism. It also says the Israeli government bars it from identifying clients. Few believe its claims. The University of Toronto’s Citizen Lab, notably, has found that countries such as the United Arab Emirates, Saudi Arabia and Mexico use Pegasus to spy on their citizens.
Could India, the world’s biggest democracy, have joined a ‘rogue’ group of nations that buy spyware worth millions of dollars to spy on dissidents, political or ideological rivals, and journalists?
In 2018, the Citizen Lab named India among countries in which the Pegasus software was in use. However, just like the Cambridge Analytica scandal in India blew over, nothing much came of it, likely because nobody knew their phone had been hacked.
Last week’s turn of events promises to be different. Events have moved swiftly since Facebook filed a lawsuit against the NSO Group. The messaging platform itself revealed that somebody using Pegasus software exploited a critical flaw in WhatsApp to hack the mobile phones of at least 121 Indians.
Of them, about 20 have acknowledged receiving notifications from Citizen Lab or WhatsApp about the compromise of their phones. Most are Left-leaning. Many are lawyers, human rights and Dalit activists linked, or seen as sympathetic, to the Bhima Koregaon case, and some are journalists with no political agenda. There are some politicians too. Opposition politician Praful Patel is one. Congress leader Priyanka Gandhi may be among the victims, the party claimed nearly 72 hours after the news broke. It would be curious to know if WhatsApp can or will authenticate some of the claims based on its own privacy policies, given the possibility that many could arguably claim to have been targeted without any evidence.
Given NSO Group’s stated policy, and the nature of the targets, it’s hard to identify anybody other than government agencies that have both the financial means and the motive. Overseas governments could be a suspect, but the motive gets weaker. Still, this does not necessarily mean that the Union government is the only suspect. Many state governments and other central or state agencies, or intelligence outfits could be suspects, too. In fact, a media report in March suggested use of Israeli spyware in Andhra Pradesh. Intelligence agencies could be exempt from wiretapping laws, but others likely will not be.
The Modi government responded swiftly to the disclosures and demanded answers from WhatsApp, setting November 4 as a deadline. Already the messaging platform has revealed some information through leaks to the media. It has asserted that it revealed the fatal flaw in WhatsApp in May through India’s CERT, or Computer Emergency Response Team, a global system for sharing such intelligence. In September, it claimed to have provided a count of the targeted Indians.
According to WhatsApp, the entire hacking was carried out in a 12-day period between April 29 and May 10 — bang in the middle of the Lok Sabha elections. Weeks later, WhatsApp discovered a vulnerability in its video calling feature that allowed the infections, and issued the alerts to CERTs worldwide. By simply placing a video call, whether or not the receiver answered it, NSO Group’s Pegasus would be installed on the user’s phone and begin monitoring nearly everything a user did, and nearly every piece of data he or she received or sent.
The WhatsApp hack is by no means the only technique NSO uses to break into mobile devices. Like many cybersecurity companies, it searches for zero-day vulnerabilities — unidentified software flaws — and then builds ways to exploit them for spying. In July, for example, Financial Times said NSO Group had moved beyond the mobile and acquired capabilities to hack data stored in the cloud by the likes of Apple, Google, Facebook, Amazon and Microsoft. In September, Google revealed a zero-day flaw in Android devices and said NSO was likely exploiting it.
In short, WhatsApp is not the only attack vector for NSO Group. It goes after all software. Both WhatsApp and NSO deserve to be vilified for their several misdeeds. However, to single out WhatsApp, as the Modi government has done, is to miss the larger point as far as India is concerned. It’s time not to quibble over technicalities of reporting the hacking, but to find out who bought the NSO Group software to spy on Indians.
It is probable that WhatsApp has more information on the India hacks than it has revealed. In the US lawsuit, it submitted a lot of details including a contract between the Israeli company and Ghana’s National Communication Authority, but nothing about India.
The crucial question is: How much more will WhatsApp reveal publicly, or even in private to the Indian government? How much is it obligated to reveal under Indian laws? Would any of its disclosure impact its large client base in India, its biggest market? Or its bid to launch a payments platform, in testing stage for over a year now amid a row over local data storage? Could the Supreme Court be the spoiler, as a case appears imminent? Or maybe the parliamentary standing committee on information and technology headed by Congress’ Shashi Tharoor?
Bala Murali Krishna works for a New York-based startup. Views are personal.