In a first, the Ministry of Electronics and Information Technology (MEITY) categorically denied that “the government or any of its agencies have access to the data and voice messages circulated through WhatsApp”. In response to a question by Lok Sabha Congress MP D.K. Suresh (Bangalore Rural), IT Minister of State Sanjay Dhotre also said that no restrictions have been imposed by the government on WhatsApp and Facebook in the last one year.

This is the first time that the government has explicitly answered a yes/no question about its access to WhatsApp communications. It usually tends to obfuscate on the issue, or at least on the issue of purchase of Israeli spyware. In response to a similar question raised by DMK MP Dayanidhi Maran (Chennai Central) in November 2019, Home Minister of State G. Kishan Reddy had quoted Section 69 of the Information Technology Act, Section 5 of the Indian Telegraph Act, and related rules. He had not answered the question asked: “whether the Government does Tapping of WhatsApp calls and Messages in the country [sic]”.

Government’s ambivalent stance on purchase of spyware

The frequency of these questions has risen dramatically in the last three Parliament sessions (including the current one) owing to revelations that 121 Indians were targeted using Israeli cybersecurity company NSO Group’s spyware Pegasus by exploiting a vulnerability in WhatsApp.

What initially followed was a series of denials by the government that WhatsApp had not informed the government about it while the Facebook-owned app maintained that it had informed the government when the vulnerability was first discovered in May. After a fair bit of back and forth, the chain of communication was established in November 2019 as IT Minister Ravi Shankar Prasad gave a timeline that supported WhatsApp’s claims.

The bee in this bonnet is the NSO Group, the company that has maintained, including in a number of statements to MediaNama, that it only sells to verified governments and law enforcement agencies. Pegasus’s sale is regulated by the Israeli Defence Export Controls Agency (DECA), part of the country’s Ministry of Defence, “under the same type of licensing requirements and export restrictions applicable to military weapons and national security systems”, as per an Amnesty affidavit. Thus, it is highly unlikely that the NSO Group would be able to sell it to all and sundry without drawing the ire of the government.

The Indian government has remained non-committal about whether or not it purchased spyware from the NSO Group. It has only said that “no unauthorised interception” has been done. Both MEITY and Ministry of Home Affairs have repeatedly demurred from issuing an explicit denial about the purchase. It has even dithered about whether it will conduct an audit of WhatsApp’s security systems and processes.

For instance, in response to a question by BJD MP Pinaki Misra (Puri) about whether it was a “fact that some human rights defenders were targeted by the NSO Group’s Pegasus spyware in 2019”, Home Minister of State G. Kishan Reddy gave a response that has been more characteristic of the government: “No such information is available with this Ministry”. And technically, they could be correct. The use of spyware was discovered by WhatsApp in May 2019 and the extend of compromise was revealed only in October 2019 when WhatsApp sued the NSO Group.

Read more: