November 12, 2019

Who Used the Spyware?

THE news of the hacking of WhatsApp accounts of various activists, journalists and politicians in India through the use of the Pegasus spyware owned by an Israeli company NSO is disturbing and condemnable. The government of India has to explain how this hacking and breach of privacy had occurred and who was responsible.  While the government has not come out with any explanations, more facts that point at government complicity in the hacking and surveillance have now become public.

When the news of the hacking broke, the government had claimed that the instant messaging application, WhatsApp, had not given any information to any government agencies about the breach of privacy of many Indians.  WhatsApp, however, responded with the information, backed with documentation, that it had, in fact, alerted the government of India of the likelihood of such a breach having occurred.  It had done so in the month of May and then again in September.  In response to the government of India’s statement, WhatsApp attached both the vulnerability notes it had filed in May, 2019 and the letter it had sent to the government in September.

Subsequently, the government had to confirm that it did receive the September intimation in which the information of the Pegasus spyware having targeted 121 Indians, but, according to the IT ministry, the letter was ‘too vague’.

The response of WhatsApp giving details of information shared with the government, the government’s own inadequate and lame attempts at feigning ignorance and the names of the people targeted – all well known activists and journalists critical of the government and its policies – all serve to confirm suspicions that the government itself is complicit in using the Israeli spyware to hack the accounts of its critics. Many of the activists and lawyers defending the accused in the Bhima-Koregaon matter were the targets of hacking as per the information supplied by WhatsApp. These are very persons the security agencies have been hounding. The connection is quite clear.

The NSO company has issued a statement that it supplies the spyware technology only to governments and state agencies. It may also be mentioned that the spyware is exorbitantly expensive and is, therefore, out of the reach of any private organisation.

There has to be a thorough enquiry into the whole sordid affair. If government agencies are responsible for illegal hacking, those responsible must be punished. This episode highlights the urgency for a comprehensive data protection law to safeguard the rights and privacy of ordinary citizens.

(November 7, 2019)