WhatsApp informed the Ministry of Electronics and Information Technology on September 5, 2019, that approximately 121 users in India may have been breached by Pegasus. MeitY revealed this in a written response (available below) to Lok Sabha MP Asaduddin Owaisi’s question raised in Parliament today. This completely undermines MeitY’s earlier statements that WhatsApp had not informed it about the scale of the breach. IT Minister Ravi Shankar Prasad’s earlier statement, wherein he sought a response from WhatsApp about the “kind of breach”, appears to be uninformed. MeitY’s answer also called reports about government purchasing Pegasus misleading and classified them as “attempts to malign the Government of India”.

Timeline of communication between MeitY and WhatsApp

Meity’s answer finally gives a timeline for the communication between the MeitY, Computer Emergency Response Team (CERT-In) and WhatsApp over the VoIP call vulnerability in WhatsApp that was exploited in May to plant Israeli spyware Pegasus in victims’ phones, which include 121 Indians:

  • May 17, 2019: CERT-In published a vulnerability note, advising users with countermeasures regarding the WhatsApp vulnerability.
  • May 20, 2019: WhatsApp reported the incident to CERT-In, stating that “WhatsApp had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attacks”.
  • September 5, 2019: WhatsApp updated CERT-In, informing them that “it is likely that devices of approximately one hundred and twenty one users in India may have been attempted to be reached” via the May 2019 security incident. Also told CERT-In that “the full extent of this attack may never be known”.
  • Post October 31, 2019: On the basis of media reports that Indians were targeted using Pegasus, CERT-In issued a formal notice to WhatsApp seeking submission of relevant details and information.

Clever use of language by MeitY in answer

The answer suggests that until media reports on October 31, 2019, MeitY did not know that the breach involved installing NSO Group’s Pegasus spyware. But Financial Times, which first reported the breach in May, categorically said that Pegasus was the malicious software that was installed. This use of sophistry by the Ministry is disheartening.

The answer also practically repeated Prasad’s earlier statement: “The Government is committed to protect the fundamental rights of citizens, including the right to privacy. The Government operates strictly as per provisions of law and laid down protocols. There are adequate provisions in the Information Technology (IT) Act, 2000 to deal with hacking, spyware etc.” It also said that the ministry is working on the Personal Data Protection Bill “to safeguard the privacy of citizens, and it is proposed to table it in Parliament”.