New Delhi: A key assertion made by Ashwani Vaishnaw, minister for communication, electronics and information technology, on the floor of the Lok Sabha on Monday – “In the past, similar claims were made regarding the use of Pegasus on WhatsApp, those reports had no factual basis and has been denied by all parties…” – is flatly contradicted by replies his own ministry has provided to RTI queries and parliament questions in the past.
In November 2019, when news emerged that the smartphones of some Indian activists had been hacked by Pegasus spyware – the military grade surveillance tool sold by the Israeli company NSO Group to ‘vetted governments’ around the word – via WhatsApp, Venkatesh Nayak of the Commonwealth Human Rights Initiative filed a request for information about the incident with the Prime Ministers’ Office, home ministry and the ministry of communication, electronics and information technology (MEITY).
MEITY, to whom the PMO and MHA forwarded Venkatesh’s requests, replied to him on December 2, 2019 clearly acknowledged that WhatsApp had informed the Indian Computer Emergency Response Team (CERT-IN)– the government’s official body responsible for monitoring such hacking – of the Pegasus attack on May 20, 2019. WhatsApp provided further details to CERT-IN on September 5, 2019:
“On May 20, 2019 WhatsApp reported an incident to the Indian Computer Emergency Response Team (CERT-In) wherein it mentioned that WhatsApp identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attack.
“Further, WhatsApp wrote to CERT-In on September 5, 2019 mentioning update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continues to review the available information.
“It also mentioned that WhatsApp believes it is likely that personal data within the WhatsApp app of approximately twenty users may have been accessed out of approximately one hundred and twenty one users in India of whose devices the attacker attempted to reach.”
It is hard to square the ministry’s written acknowledgment of WhatsApp’s complaint with Vaishnaw’s assertion in the Lok Sabha that there is “no factual basis” to the claim that Pegasus attacks had occurred via WhatsApp. Especially since a government minister provided the identical information to parliament in a written answer on December 11, 2019.
Vaishnaw, incidentally, is one of the individuals whose telephone numbers appear in the leaked database.
MEITY’s December 2, 2019, reply also makes it clear that it had acted on WhatsApp’s alert. In response to Nayak’s question seeking details of the “action taken till date to initiate any probe into the matter”, the ministry said:
“CERT-In published a vulnerability note regarding vulnerability in WhatsApp on May 17, 2019, advising countermeasures to users.
“Based on news and information in public and media on snooping of mobile devices of Indian citizens through WhatsApp by spy software Pegasus, CERT-In has sought submission of relevant details and information from WhatsApp.”
In other words, the government had not only received information that as many as 121 Indian WhatsApp accounts had been targeted and 20 actually hacked using Pegasus, but CERT-IN, acting on information that was already available in the public domain, had actually issued an alert three days before WhatsApp had written to it,
Vaishnaw’s decision to cover up the truth on what the government knew about the earlier Pegasus attack via WhatsApp may have been prompted by a desire to dismiss the latest revelations – published by The Wire as part of the Pegasus Project – that the number of Indians at risk of being hacked by the deadly spyware could be much higher than the figure of 121 identified by WhatsApp in its letter to CET-IN.
But his statement runs the risk of being called out for misleading parliament, a serious breach of privilege.
The Pegasus Project has revealed that over 300 verified Indian mobile telephone numbers, including those of over 40 journalists, figure in a leaked database of thousands of telephone numbers of likely surveillance targets listed by government clients of the NSO Group.
The ministry’s RTI reply also poses questions about what efforts the Modi government has taken to make those targeted in 2019 and prior to that aware about the threat to their personal data and security.
Six months had elapsed between the time CERT-IN learned of the threat posed by Pegasus and the IT ministry replied to Nayak’s queries but the details it provided on the “action taken” front was silent on any specific steps taken to either help the victims or identify the perpetrator of the spyware hacks.
As reported by The Wire, forensic testing has confirmed how two journalists, whose phone numbers appear in the leaked records obtained by the Pegasus Project, were among those who received messages from WhatsApp in 2019 that their phones were compromised. But in the case of most others, they were never officially informed by any agency about the spyware threat to them
Key question dodged RTI queries
In his RTI request, Nayak had also asked if any mobile phones used by constitutional authorities or officers of the armed forces, the intelligence agencies or public sector undertakings and commercial banks, had been targeted or infected by Pegasus, and what action the government had taken. The ministry said, “Matter not in the purview of CERT-In. Information from CERT-In is Nil.”
Curiously, the ministry cited the national security exception in the RTI Act – Section 8(1) – to avoid answering a request for details of any communication it had sent to other government departments or to any private entity requesting information or details of action in the Pegasus-WhatsApp matter.