Rights

Israeli Spyware: India Turns to WhatsApp For Answers, But What Should We Really Be Asking?

While the home ministry says reports have attempted to malign the Centre, we need to know who wanted to snoop on Indian targets and how successful they were.

New Delhi: The Narendra Modi government on Thursday sought a detailed response from WhatsApp over the issue of an Israeli spyware allegedly being used to target Indian journalists and human rights activists through its platform.

WhatsApp has been asked to submit a reply by November 4.

The IT ministry has written to WhatsApp seeking its response on the matter, a senior government official told news agency PTI.

A separate statement from the Ministry of Home Affairs said that media reports that have attempted to malign the government as being responsible for the breach are “completely misleading”. It also added that the Centre would take action against any intermediary for breach of privacy, in an indirect jab at WhatsApp.

On Thursday, Facebook-owned WhatsApp said Indian journalists and human rights activists were among those globally spied upon by unnamed entities using spyware made by an Israel surveillance firm called the NSO Group. 

The Wire’s own reportage indicates that at least 10 lawyers and activists have been potentially affected.

Also read: Meet the Indian Lawyers and Activists ‘Targeted’ Using Israeli Spyware Pegasus

Earlier this week, WhatsApp said it was suing NSO Group over helping unnamed entities hack into phones of roughly 1,400 users. These users span across four continents and included diplomats, political dissidents, journalists and senior government officials.

Is the Narendra Modi government’s response correct? What other aspects of this controversy should we consider? The Wire breaks it down.

Who used it to spy on Indian activists, lawyers and journalists?

This is a tricky question. WhatsApp’s lawsuit lashes out at both the NSO Group and its clients, which allegedly include government agencies around the world as well as private customers.

“Defendants’ clients include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities,” the company’s lawsuit notes.

On its part, the NSO Group’s defence has consistently revolved around two claims. First, that the company doesn’t use its own snooping technology to target any subject. And two, that it sells its software to only government agencies; i.e, it does not have any private customers.

Who, then, would be using Israeli spyware to spy on Indian targets? Bear in mind that a significant chunk of the potential victims appear to be activists or lawyers associated with the Bhima Koregaon controversy.

The Narendra Modi government has tip-toed around this issue quite carefully: both the MHA and IT minister’s statements merely say that the Centre operates strictly as per the provisions of the law and follows established protocols of interception.

“Govt agencies have a well established protocol for interception, which includes sanction and supervision from highly ranked officials in central & state governments, for clear stated reasons in national interest,” IT minister Ravi Shankar Prasad has said.

The price of the NSO Group’s software isn’t cheap: Fast Company reported last year that the company charges its customers $650,000 (Rs 4.61 crore at current exchange rate) to hack 10 devices, in addition to an installation fee of $500,000 (Rs 3.55 crore).

Therefore, the first big question is who used the spyware to target Indian activists, journalists and lawyers? Merely asking for WhatsApp for information it has already disclosed publicly will not get the Indian government anywhere.

The government’s first course of action should be to declare that it is not a client of the NSO Group, which shouldn’t be a problem considering it says follows the law, and then order a probe into the matter. Any such inquiry would start with the Israeli company and determine which of their customers may have had interest in targeting a group of relatively low-profile Indian citizens.

Was the Pegasus spyware successful in its mission?

The NSO Group’s flagship product is called ‘Pegasus’ and is a form of spyware. The second most important question here is what kind of data was taken or snooped upon from the roughly two-dozen Indians who were targeted. We are in the dark here, primarily because WhatsApp hasn’t disclosed a whole lot of information.

In its message to the potentially affected, WhatsApp has been vague. It merely says that there is a possibility that “this phone number was impacted” and advises users to update the WhatsApp application.

If the affected updated their app quickly, it’s possible that only a  limited amount of data was impacted. Conversely, if this wasn’t done, then it’s likely that the spyware could have had a severely harmful effect.

The most curious actor in this entire sequence of events is a research organisation called ‘The Citizen Lab’, which works out of the University of Toronto. This lab has worked with WhatsApp to not only examine the effects of Pegasus, but also appears to have gone one step further and reached out to help potential victims across the world.

According to The Wire’s reportage, Citizen Lab has reportedly made a series of allegations in its conversations with those affected in India. These include claims that a massive amount of data could have been impacted by the attack and that it may have been carried out by the Indian government or by a powerful non-state actor.

Also read: Citizen Lab Lists Measures You Can Take to Protect Your Accounts From Spyware

Are Citizen Lab’s claims endorsed by WhatsApp? This could take us down an interesting rabbit-hole, because it’s possible that both WhatsApp and Citizen Lab have more information on who exactly was using the NSO Group’s spyware in India. Or at least enough information to help an investigation come to a conclusion. 

Is it in WhatsApp’s best interest to disclose this information though, considering it has business interests in India?

What should concerned Indian citizens be doing?

As the Internet Freedom Foundation has noted, there is no existing Indian law that allow the installation of spyware or hacking mobile devices.

Hacking of computer resources, including mobile phones and apps, as noted, is a criminal offence under the Information Technology Act, 2000.

This controversy therefore shows there is an urgent need for surveillance reform that protects Indians against the use of malware, spyware and the creation of vulnerabilities in technologies which offer privacy protection by design. 

“We call on the Government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security. Legislative measures must be introduced in Parliament to uphold the 9 judge bench decision of the Supreme Court of India recognising privacy as a fundamental right. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens,” the IFF has noted.

India’s political parties across the spectrum should push for these legal safeguards, a process that can be kick-started if enough people ask for them.