Activists demand judicial probe into WhatsApp snooping

by KV Kurmanath — last modified Nov 15, 2019 12:53 AM
Calls for Parliamentary supervision over Government interception, legal hacking.

The article by K.V. Kurmanath was published in the Hindu Businessline on November 1, 2019. Sunil Abraham was quoted.

With reports of Israeli spyware being used to snoop on scores of WhatsApp subscribers, cyber security activists have appealed to the Supreme Court to take up the issue suo moto and order an inquiry. Kiran Chandra, a leader of the Free Software Movement of India, has said that the Government should rein in WhatsApp and mandate it to submit the source code, stating that the privacy of individuals is at stake.

Though reports of a breach of the WhatsApp network hit the headlines in the US six months ago, it is only in the last few days that the impact in India has become a burning issue.

“We, for long, have been arguing that the privacy of individuals on the Internet is at risk. The Government should have enough safeguards to ensure their safety,” said Chandra.

Sunil Abraham, Executive Director of the Centre for Internet and Society, has called for a dedicated law to ensure Parliamentary supervision for all Government interception and legal hacking programmes.  "The data protection law which is being contemplated by the current administration will not address the surveillance policy question in totality," he pointed out.

"It is a truly worrying development that members of civil society are being targeted using sophisticated surveillance technologies without proper legal basis and without any oversight," he said.

Cyber security and privacy experts took to social media to express concern about the vulnerabilities that expose people to potential risks.

Srinivas Kodali, a privacy activist, said the use of Israeli firm NSO Group’s Pegasus spyware to monitor human rights defenders and academics is a clear violation of their fundamental rights. “The Supreme Court judgement on right to privacy has been very loud and clear that Indians’ fundamental rights can’t be exempted under national security without defining it,” he said, responding to a query on the breach of WhatsApp subscribers’ privacy.

“The operations of national security agencies are completely hidden and are not subjected to any legislative or judicial oversight. This cannot continue as they misuse the powers bestowed on themselves without any law on surveillance from Parliament,” he said.

The Internet Freedom Foundation has expressed concerns about the breaches. It wanted the Government to explain on how this spyware was used in India to hack citizens.

“The Government must issue an official public statement providing complete information. It must also clarify which law empowers it to install such spyware,” it said in a statement.

The US-based social media platform has started sending messages to subscribers whose accounts may have been compromised. It contains information about the breach and a link with a to-do list to stay safe.

The victims of the attack, which purportedly took place in April-May 2019, included human rights activists, journalists and Dalit activists.

At least two victims of the spyware attack confirmed receipt of alert messages from WhatsApp. “I received a call (from abroad) in the first week of October. But I ignored it as it was from an unknown number. I received a message from WhatsApp, alerting me about a probable intrusion,” a civil rights lawyer said.

How it happened

“In May, we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure,” the message received by the victim said.

WhatsApp, a Facebook arm, sent these special messages to about 1,400 users who may have been impacted by the spyware attack. It is working with The Citizen Lab, a research group with the University of Toronto’s Munk School, to assess the impact of the attack on civil society.

In a statement, WhatsApp said: “We provide end-to-end encryption for all messages and calls by default. (But) This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones.”

WhatsApp moved a US court against the Israeli company NSO Group, and its parent company Q Cyber Technologies, alleging that they violated both US and California laws and WhatsApp’s Terms of Service, which prohibited such intrusions.

Filed under: