Accusing WhatsApp of committing perjury during the hearings of the Facebook transfer petition, RSS ideologue K.N. Govindacharya has filed a PIL (available below) against Facebook, WhatsApp, MEITY and Union of India on the Pegasus-NSO Group snooping row. He had filed a since rejected impleadment application in the Facebook transfer petition in the Supreme Court.

“WhatsApp and other foreign companies have the least respect for Indian legal and judicial system,” Virag Gupta, Govindacharya’s counsel told MediaNama.

What does Govindacharya ask for? 

  1. Perjury proceedings against WhatsApp for misleading the SC during the transfer petition “by claiming that users[‘] data is fully encrypted and no one including WhatsApp has the key”
  2. National Investigation Agency investigation and FIR against Facebook, WhatsApp and NSO Group under the Information technology Act, 2000, and Indian Penal Code, 1860.

As an interim prayer, given that the two above will take time to materialise, he wants:

  1. Government to stop any surveillance through Pegasus or other similar applications
  2. Government to notify Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018

Also, as per his letter to Ravi Shankar Prasad, the minister of electronics and information technology, cited in the petition, he wants “government accounts on private communication networks … removed to protect national security”.

What does the petition say?

  • WhatsApp committed perjury in the Supreme Court during the Facebook transfer petition hearings: Since WhatsApp “falsely claimed a protected system” and “failed to disclose about the NSO Hack” to the SC, WhatsApp committed perjury. The petition recalls the analogy of a locked room that was made during the last hearing, as per which even WhatsApp does not have the key to the locked room (end-to-end encrypted messages). Consequently, it contradicts the company’s own filing before the US District Court where it stated that it learnt about the hack in May 2019, the petition says. Gupta told MediaNama, “WhatsApp didn’t inform the SC about its system being compromised, and they suppressed this material fact from the highest court of India. Why, suddenly after 5 months, has WhatsApp woken up? They didn’t think to inform the judicial system — neither the Supreme Court nor the Madras High Court and have now filed a suit in District Court in California, USA.”
  • Government of India cannot surveil Indians illegally, must protect fundamental rights: The petition says that if the government is surveilling Indian citizens illegally, as is suggested by NSO Group’s claim that it sells its technology only to government agencies, “it shows the scant respect for rule of law by the instrumentalities of the State”. It also states that the government cannot allow private agencies to surveil Indian citizens as it “has a duty to protect the fundamental rights”.
  • Indian user data is stored on compromised servers: It says that WhatsApp has over 40 crore (400 million) users in India, including many government agencies and police. Since WhatsApp’s systems have been “compromised” by this “hack”, this “endangers national security”.
  • Facebook integrates users’ data across its services: As per submissions made before the US District Court, Facebook handles the digital security of its group companies and integrates users’ data for commercial gains. Gupta said, “Facebook is not only the owner, but also WhatsApp’s security service provider as per their suit in California. So, Facebook is also a Respondent in the criminal writ petition.”
  • Facebook’s repeated privacy woes: The petition cites operation PRISM, where top 9 internet companies of the world, including Facebook, shared user data with American intelligence agencies. It also mentions the Cambridge Analytica scandal though which Facebook’s systems were used to influence elections all over the world, including in India.
  • Indian government is taking too long to notify Intermediary Guidelines: Although MeitY informed the Supreme Court that the Intermediary Guidelines (Amendment) Rules 2018 are likely to be completed by January 15, 2020, the petition submits that “Government just cannot forever indulge in the consultative process, even as fundamental right of privacy of Indians is being violated with impunity”.

Lack of clear rules from the government: “Government is saying that WhatsApp did not inform them of the breach. Under which law is the government making an obligation for WhatsApp to inform the government? Their parent company is not a registered entity in India and they do not have any office or nodal officer in India. There might be Rule 3(9) of IT Intermediaries Rules for such obligations. But they can only be actually enforced once revised rules are notified. CERT says that if a system is compromised, you may lodge a complaint. That’s a right [for the company], not an obligation. How can a right be converted to an obligation?” Gupta said.

Need for new laws and jurisprudence: Calling the PUCL guidelines, and subsequent changes to the Telegraph Act, “redundant” in light of evolution of technology, Gupta said, “There is a need to make a new set of cyber jurisprudence so that neither private companies not government can compromise right to privacy of individuals.”

Why did Govindacharya file the petition? Govindacharya “served a representation” to the government of India and the secretary general of SC on November 2, 2019. Since they did not reply to him, or take any steps, he filed this petition.

What did WhatsApp say in response? In response to MediaNama’s queries, a WhatsApp spokesperson sent the following statement:

“WhatsApp provides industry leading end-to-end encryption to help protect user privacy and security. In May, our security team caught and stopped a cyber attack designed to send malware to mobile devices. Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones. Technology companies are constantly working to stay ahead of these kind of challenges through updates and patches. The safety and security of our users remains our highest priority, which is why in May we blocked the attack and have taken action in the courts to hold NSO accountable.”

Did WhatsApp commit perjury? While the merits of this application are for the court to decide, the claim that WhatsApp committed perjury is exaggerated, to say the least. The central question is whether or not end-to-end encryption was compromised. Even in their lawsuit against NSO Group in Northern District of California, WhatsApp has maintained that its end-to-end encryption remains secure, which is exactly what the company has claimed in Madras High Court and Supreme Court.

“Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices.” — WhatsApp’s lawsuit against NSO Group

In the case of Pegasus, it’s not as if the NSO Group had a decryption key to WhatsApp communications. There was a vulnerability in the app that the Israeli group exploited to compromise the device at large, not end-to-end encryption.