WhatsApp, pushed onto the back foot after an Israeli firm's spyware infiltrated the messaging service and compromised users' phones, has gone on the offensive with an assertive statement aimed at the government and the makers of phone software.
On November 5, the Facebook-owned company defended its 'end-to-end' encryption, suggesting pushback on another issue where it is locked in a battle with the government—the traceability of messages on social media.
WhatsApp also took a potshot at Google and Apple, saying that vulnerabilities in phone operating systems allowed the Pegasus spyware of Israel's NSO Group to gain complete visibility of infected phones. Most phones run Google's Android or Apple's iOS software.
"Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones," the statement said.
The spyware, Facebook says, was installed through a WhatsApp call routed by NSO over WhatsApp servers. This was accomplished by reverse-engineering WhatsApp and tricking the server into believing that spyware code was WhatsApp traffic. Therefore, technically, the end-to-end encryption feature was not broken.
The wholesale compromise of infected phones by Pegasus came to light after Facebook sued NSO Group in a US court. More than 1,400 phones and devices have apparently fallen victim globally, with 121 of them in India - the main targets being human rights activists, journalists and lawyers.
NSO says Pegasus is sold only to governments.
The pushback on end-to-end encryption is significant because the government has been insisting that WhatsApp and other messaging providers allow for traceability of messages so that government agencies can track down the origin of messages. This, the government says, is necessary for law-enforcement agencies fighting crimes like terrorism, child pornography or the propagation of hate speech.
But Facebook's position is that it is not possible to work traceability into its software without compromising on end-to-end encryption, which ensures that only senders and receivers of messages have the keys to unlock and read those messages.
The Supreme Court has transferred to itself a number of petitions on the issue of traceability. Hearings are due to begin in January 2020.
On November 3, in its response to government questions, WhatsApp said that in May it was not certain that the attack had been launched by the NSO Group. But WhatsApp had discovered the vulnerability on April 29 and informed the government in May.
"That time even WhatsApp was not aware that it was the NSO Group and Indians were affected," said a source at WhatsApp.
Echoing its lawsuit, Facebook has told the government that the NSO Group violated WhatsApp's terms and conditions.
WhatsApp in its US case filing, which was sent to the government, also mentioned that the NSO Group leased servers and internet hosting services in different countries, including the United States, in order to connect the target devices to a network of remote servers intended to distribute malware and relay commands to the target devices.
"This network included proxy servers and relay servers. The malicious servers were owned by Choopa, Quadranet, and Amazon Web Services (AWS), among others," it said.