wordpress blog stats
Connect with us

Hi, what are you looking for?

Prasad gives details of communication between MeitY and WhatsApp in Rajya Sabha

As the Pegasus-WhatsApp issue was taken up by the Rajya Sabha for discussion on November 28, the Minister of Electronics and Information Technology, Ravi Shankar Prasad, gave more details about the communication between MeitY and WhatsApp. Even though some of these details had been given in a written answer in the Lok Sabha on November 20, the italicised details were shared by Prasad during the debate only yesterday.

  • May 14: Common Vulnerabilities and Exposures (CVE) Database in USA published a vulnerability note based on WhatsApp reporting to CVE
  • May 17: CERT-In published a vulnerability note (CIVN-2019-0080) regarding buffer overflow vulnerability in WhatsApp based on its vulnerability tracking process.
  • May 20: WhatsApp reported an incident to CERT-In, wherein it mentioned that WhatsApp identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attack. “As CERT-In had already issued the vulnerability note, no further action was deemed warranted,” Prasad said.
  • July 26: WhatsApp CEO Will Cathcart met MeitY, no mention of the vulnerability
  • September 5: WhatsApp updated CERT-In, informing them that “it is likely that devices of approximately one hundred and twenty one users in India may have been attempted to be reached” via the May 2019 security incident. Also told CERT-In that “the full extent of this attack may never be known”.
  • September 11: Facebook VP for Global Affairs and Communications, Nick Clegg, wrongly identified as VP of WhatsApp by Prasad, met MeitY; no mention of the vulnerability (this meeting, as per media reports, took place on September 12.)
  • October 29: WhatsApp files lawsuit against NSO Group in California
  • October 31: Media reports reveal that about two dozen Indians targeted by Pegasus using WhatsApp vulnerability
  • November 1: MeitY sent an email to WhatsApp, seeking a reply by November 4
  • November 2: WhatsApp sent MeitY an email giving details of the vulnerability and its exploitation by Pegasus, developed by the NSO Group; said that they had told CERT-In about this on May 20, 2019, after it was detected and fixed in mid-May 2019
  • November 9: On the basis of media reports, CERT-In sought information from WhatsApp, including a need to conduct an audit and inspection of WhatsApp’s security systems and processes
  • November 18: WhatsApp submits its response
  • November 20: WhatsApp said that it regretted that it did not meet “the government’s expectations on proactive engagement in this sensitive issue related to user privacy and security”
  • November 26: CERT-In asks for further clarifications and technical details; sends notice to NSO Group, seeking details of the malware and its impact on Indian users

Read more: Prasad brings Pegasus’s flight in Parliament to a grinding halt, denies ‘unlawful interception’

Unanswered questions

  • Belated action by MeitY: If MeitY, via CERT-In, had been informed by WhatsApp of the extent of the breach on September 5, why did it sit on the information for 2 months and then act ignorant about the extent of the breach? Is there no communication between different bodies of the ministry? Prasad’s statement on October 31 also suggested that he had no idea of what was going on.
  • MeitY didn’t bring up the issue with Clegg either: If MeitY treats Clegg, by virtue of being the VP of Facebook, responsible for WhatsApp too, why didn’t it raise this question during its meeting with him, which took a mere 6 days after WhatsApp had informed CERT-In that 121 citizens had been affected by the breach? Why did the government of India, which is responsible for and accountable to its citizens for protecting their rights, not bring up this issue and instead relied on a private American company to do so, that too on behalf of a subsidiary?
  • Late notice to NSO Group: Why did it take the Ministry almost three months to send a notice to the NSO Group even though media reports in May had said that NSO was behind the spyware, and WhatsApp’s lawsuit, filed on October 29 held the company responsible? This is even though MeitY had asked WhatsApp for answers in May itself. Putting media reports from May, WhatsApp’s communication to CERT-In on September 5, and its lawsuit against NSO on October 29 together, the November 26 notice to the Israeli group is a belated action, to say the least.
  • Reach out to Israeli government: Given that Pegasus’s sale is regulated by Israel’s Defence Export Controls Agency (DECA), part of the Israeli MOD, “under the same type of licensing requirements and export restrictions applicable to military weapons and national security systems” (revealed in Amnesty International’s lawsuit against NSO Group), why hasn’t this issue been escalated by MeitY to involve MEA, and answers from the Israeli government sought?

Read our extensive coverage on the WhatsApp-Pegasus-NSO row here.

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ