WhatsApp didn’t inform about vulnerability in system: Ravi Shankar Prasad
The government has issued notice to the Israeli firm accused of misusing WhatsApp for snooping on Indian citizens, Ravi Shankar Prasad, minister of electronics and information technology, told the Rajya Sabha on Thursday.
Also, the Computer Emergency Response Team of India has asked for an audit of WhatsApp security and systems, according to Prasad.
Responding to the Opposition’s questions on whether the government bought spying software called Pegasus from Israel-based NSO Group, which claims to sell only to governments, the minister did not give straight answer and said “we have sent a notice to NSO also”.
He was replying to a special mention by Congress Member of Parliament Digvijaya Singh on the use of the spyware against some Indians.
The CERT-In is the national nodal agency for responding to computer security cases as and when they occur, and is the one that has to be informed in case of a cyber breach. CERT-In sought submission of information from WhatsApp on November 9 including a need to conduct an audit and inspection of WhatsApp security system and processes. WhatsApp responded on November 18, and additional details were sought from them on November 26, the minister added. Singh asked the minister repeatedly if the government had purchased Pegasus. He also asked if an inquiry had been ordered against NSO, whether the government has established contact with Canada-based Citizen Lab which worked with WhatsApp, to find out more details about the attack?
“During the high level engagements like meeting of CEO Will Cathcart and VP Policy Nick Clegg of WhatsApp that took place with the ministry on July 26, 2019 and September 11, 2019, no mention was made by the high level WhatsApp team regarding this vulnerability,” Prasad said in a statement.
Singh also asked if there was a formal data sharing agreement between WhtasApp, other messaging companies and the government, which government agency had bought Pegasus and under what head was the expenditure made, and whether in the last three years, any NSO company representatives have met which state or Central governments, ministers or senior police officials?
In response, the minister said WhatsApp suing NSO Group was a "private battle" which the Indian government should not get in to.
“We have constantly said there is a standard operating procedure ... Whenever the government agencies which are authorised, if they have to do anything for the safety and security of India, it will be done ... To the best of my knowledge, no unauthorised interception has been done,” he added.
WhatsApp said on October 29 it was filing a federal complaint in the US against Israeli technology firm NSO Group for a cyberattack that exploited a vulnerability in the chat app's video calling feature that could compromise the target person's device. Of 1,400 people impacted globally, 121 were Indians.
In response to another question about the proposed data protection Bill, which is scheduled to be tabled in Parliament, Prasad said the law was in the works, and the ministry has had the “widest consultation possible,” and will be finalised soon. “India will never compromise on its data sovereignty,” he said.
The issue has become political, with the government asking WhatsApp to explain the breach of Indians' privacy and questions being raised about whether the government bought Pegasus software or not.
The NSO Group is also known for selling software to authoritarian regimes, a claim it has denied in the past.
On Tuesday, Google said about 500 users from India were among 12,000 people informed about being targeted by “government-backed attackers” between July and September this year.
Gloss