As the Pegasus-WhatsApp issue was taken up by the Rajya Sabha for discussion on November 28, the Minister of Electronics and Information Technology, Ravi Shankar Prasad, gave more details about the communication between MeitY and WhatsApp. Even though some of these details had been given in a written answer in the Lok Sabha on November 20, the italicised details were shared by Prasad during the debate only yesterday.

  • May 14: The Common Vulnerabilities and Exposures (CVE) database in the USA published a vulnerability note based on WhatsApp's report to CVE
  • May 17: CERT-In published a vulnerability note (CIVN-2019-0080) regarding buffer overflow vulnerability in WhatsApp based on its vulnerability tracking process.
  • May 20: WhatsApp reported an incident to CERT-In, wherein it mentioned that WhatsApp identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out an attack. “As CERT-In had already issued the vulnerability note, no further action was deemed warranted,” Prasad said.
  • July 26: WhatsApp CEO Will Cathcart met MeitY, no mention of the vulnerability
  • September 5: WhatsApp updated CERT-In, informing them that “it is likely that devices of approximately one hundred and twenty one users in India may have been attempted to be reached” via the May 2019 security incident. Also told CERT-In that “the full extent of this attack may never be known”.
  • September 11: Facebook VP for Global Affairs and Communications, Nick Clegg, wrongly identified as VP of WhatsApp by Prasad, met MeitY; no mention of the vulnerability (this meeting, as per media reports, took place on September 12.)
  • October 29: WhatsApp files lawsuit against NSO Group in California
  • October 31: Media reports reveal that about two dozen Indians were targeted by Pegasus using the WhatsApp vulnerability
  • November 1: MeitY sent an email to WhatsApp, seeking a reply by November 4
  • November 2: WhatsApp sent MeitY an email giving details of the vulnerability and its exploitation by Pegasus, developed by the NSO Group; said that they had told CERT-In about this on May 20, 2019, after it was detected and fixed in mid-May 2019
  • November 9: On the basis of media reports, CERT-In sought information from WhatsApp, including a need to conduct an audit and inspection of WhatsApp’s security systems and processes
  • November 18: WhatsApp submits its response
  • November 20: WhatsApp said that it regretted that it did not meet “the government’s expectations on proactive engagement in this sensitive issue related to user privacy and security”
  • November 26: CERT-In asks for further clarifications and technical details; sends notice to NSO Group, seeking details of the malware and its impact on Indian users

Unanswered questions

  • Belated action by MeitY: If MeitY, via CERT-In, had been informed by WhatsApp of the extent of the breach on September 5, why did it sit on the information for 2 months and then act ignorant about the extent of the breach? Is there no communication between different bodies of the ministry? Prasad’s statement on October 31 also suggested that he had no idea of what was going on.
  • MeitY didn’t bring up the issue with Clegg either: If MeitY treats Clegg, by virtue of being the VP of Facebook, as responsible for WhatsApp too, why didn’t it raise this question during its meeting with him, which took place a mere 6 days after WhatsApp had informed CERT-In that 121 citizens had been affected by the breach? Why did the government of India, which is responsible for and accountable to its citizens for protecting their rights, not bring up this issue and instead rely on a private American company to do so, that too on behalf of a subsidiary?
  • Late notice to NSO Group: Why did it take the Ministry almost three months to send a notice to the NSO Group even though media reports in May had said that NSO was behind the spyware, and WhatsApp’s lawsuit, filed on October 29, held the company responsible? This is even though MeitY had asked WhatsApp for answers in May itself. Putting media reports from May, WhatsApp’s communication to CERT-In on September 5, and its lawsuit against NSO on October 29 together, the November 26 notice to the Israeli group is a belated action, to say the least.
  • Reach out to Israeli government: Given that Pegasus’s sale is regulated by Israel’s Defence Export Controls Agency (DECA), part of the Israeli MOD, “under the same type of licensing requirements and export restrictions applicable to military weapons and national security systems” (revealed in Amnesty International’s lawsuit against NSO Group), why hasn’t this issue been escalated by MeitY to involve MEA, and answers from the Israeli government sought?
