Since 2019, Pegasus spyware has been the subject of many questions in Parliament; but the government is yet to state clearly if it has or hasn’t used the software to spy on Indian citizens.
The Minister of Electronics and Information Technology Ashwini Vaishnaw’s statement on Monday about new reports of Indians being impacted by the NSO-made Pegasus spyware neither denied nor confirmed the use or procurement of the spyware by the government, instead he only rubbished the news reports as ‘sensational’. The Minister also quoted several provisions under Indian law pertaining to government surveillance and referred to the Israeli NSO Group’s statement in response to the exposé.
Why this matters? The government’s statements on Pegasus have beat around the bush with answers frequently quoting various sections of the Indian law and reiterating that the government is committed to ‘due process’. This is especially important in light of recent reports on a leaked database of phone numbers that had been selected as targets for surveillance. Of the 300 phone numbers verified to belong to Indians, one used to belong to IT Minister Ashwini Vaishnaw himself along with the phone numbers of Minister of State for Jal Shakti Prahlad Singh Patel, Congress leader Rahul Gandhi, political strategist Prashant Kishore, several journalists, activists, and lawyers.
On October 30, 2019, The Indian Express had first reported that the Pegasus spyware, which can remotely access any sensitive information on a device and activate the camera too, had impacted 121 Indians.
What follows is a compilation of the government’s statements in Parliament on Pegasus spyware since it first came to light:
News reports on privacy breach misleading: MeitY(November 20, 2019)
Question: AIMIM MPs Asaduddin Owaisi and Imtiaz Jaleel Syed asked MeitY:
(a) whether the Government has taken note of the fact that a spyware/malware ‘Pegasus’ of Israel-based NSO group has reportedly been used to infect/spy/steal mobile phone data of many human rights activists, journalists and other eminent persons of the country;
(b) if so, the details thereof, State/UTwise along with the reasons therefor and the reaction of the Government thereto;
(c) whether the said breach of privacy has affected many people across the world and if so, the details thereof and the number of Indian citizens affected by this spyware;
(d) whether the Government has taken cognizance of the reports of alleged use and purchase of the Pegasus spyware by Government agencies and if so, the details thereof along with the reaction of the Government thereto;
(e) whether the Government has asked WhatsApp to explain the aforesaid spyware attack and if so, the details thereof and the response received by the Government thereon;
(f) whether the Government had received prior intimation in this regard from social media owners like WhatsApp, Facebook and if so, the details thereof along with the date on which such intimation was received and the action taken in this regard; and
(g) whether the Government proposes to enact any law to safeguard the privacy of citizens from similar attacks as mandated by the apex court and if so, the details thereof along with the other steps taken/being taken by the Government in this regard?
Answer: In its response, MeitY said that news reports on the breach of privacy of Indian citizens were highly misleading. It also revealed that:
- May 20, 2019: WhatsApp had reported an incident to the Indian Computer Emergency Response Team (CERT-In) about a vulnerability that could let an attacker insert and execute code which was subsequently fixed.
- May 17, 2019: CERT-in had already published a vulnerability note mentioning countermeasures to the aforementioned vulnerability.
- September 5, 2019: WhatsApp had written to CERT-In giving an update on the May 20 report saying that, ‘while the full extent of this attack may never be known, WhatsApp continued to review the available information.
- Further, WhatsApp told MeitY that it believes that ‘personal data within the WhatsApp app of approximately 20 users may have been accessed out of approximately 121 users in India whose devices the attacker attempted to reach.
- Based on news reports from October 31, 2019, CERT-In issued a formal notice to WhatsApp seeking submission of relevant details and information.
No unauthorised surveillance: RS Prasad during debate (November 28, 2019)
Then-IT minister Ravi Shankar Prasad during a debate in the Rajya Sabha had said that “to the best of my knowledge, no unauthorised interception has been done.” Prasad also revealed that –
- The government will not join the then-ongoing legal battle between WhatsApp and NSO in California.
- November 9: On the basis of media reports, CERT-In sought information from WhatsApp, including a need to conduct an audit and inspection of WhatsApp’s security systems and processes
- May 14: A Common Vulnerabilities and Exposures (CVE) Database in USA published a vulnerability note based on WhatsApp reporting the exploit to CVE
- July 26: WhatsApp CEO Will Cathcart met MeitY, no mention of the vulnerability
- September 11: Facebook VP for Global Affairs and Communications, Nick Clegg met MeitY, however, there was no mention of the vulnerability
- November 1: MeitY sent an email to WhatsApp, seeking a reply by November 4
- November 2: WhatsApp sent MeitY an email giving details of the vulnerability and its exploitation by Pegasus, developed by the NSO Group; said that they had told CERT-In about this on May 20, 2019, after it was detected and fixed in mid-May 2019
- November 18: WhatsApp submits its response
- November 20: WhatsApp said that it regretted that it did not meet “the government’s expectations on proactive engagement in this sensitive issue related to user privacy and security”
- November 26: CERT-In asks for further clarifications and technical details; sends notice to NSO Group, seeking details of the malware and its impact on Indian users
Govt denies having access to WhatsApp messages (September 22, 2020)
Question: Lok Sabha MP D.K. Suresh asked:
a) whether the Government proposes to regulate social media platforms, i.e., Facebook and Whatsapp to protect the interest of their users and if so, the details thereof;
(b) the restrictions imposed by the Government on these platforms in the last one year;
(c) whether the Government or any of its agencies have access to the data and voice messages circulated through WhatsApp; and (d) if so, the details thereof?
Answer: IT Minister of State Sanjay Dhotre in his response said that the government doesn’t have access to the data and voice messages, and has also not imposed any restrictions on Facebook and WhatsApp in the last year.
This was the first time that the government explicitly responded to a question that was related to the issue of surveillance using Pegasus spyware.
MeitY’s equivocal answer on WhatsApp audit (March 18, 2020)
Question: Rajya Sabha MP S. Muniswamy asked MeitY:
- whether the Government has any plan to conduct WhatsApp security system audit; and
- if so, the details thereof?
Answer: In response, the government did not say yes or no; instead, the government said that it had ‘sought submission of information from Whatsapp including discussing the need to conduct an audit of Whatsapp’s security systems and processes.
MeitY says no information on Pegasus (March 24, 2021)
Question: Lok Sabha MP Maneka Gandhi and Dr. T. Sumathy (a) Thamizhachi Thangapandian asked:
a) whether the Government has found the presence of spywares or surveillance software such as pegasus spyware in the country and if so, the details thereof; and
(b) whether the Government has launched any investigation into the presence, use and/or sale of spyware on surveillance software in the country and if so, the details thereof?
Answer: MeitY had replied in the Lok Sabha that the government had ‘no such information available’.
Govt statements on Pegasus outside Parliament
No information available on purchase of Pegasus: MHA (November 1, 2019)
The Home Ministry in response to an RTI on whether it had bought the Pegasus software responded saying that “It is informed that no such information is available with the undersigned CPIO”. The response was from a chief public information officer (CPIO) from the Cyber and Information Security Division of the Home Ministry, and the RTI query was filed by Saurav Das, a Puducherry-based member of the National Campaign for People’s Right to Information, on October 23.
Have set up committee to look into Pegasus: Chattisgarh govt (November 12, 2019)
The Chattisgarh government had constituted a three-member committee to look into reports that the Israeli spyware group, NSO Group, had pitched its malware Pegasus to the Chattisgarh police 2-3 years ago. Chattisgarh Chief Minister Bhupesh Baghel had tweeted that “We have taken the reports that some people of Chattisgarh had their phones illegally tapped seriously. Since this is tied to the question of citizens’ freedom, we are taking this seriously and have set up a committee under the leadership of principal secretary (home). The other members of the committee are Raipur IG and director of department of public relations. The committee will submit a detailed report within a month. The police department will cooperate with this committee.”
- A Guide to the NSO Group’s Pegasus Spyware in India
- Prasad gives details of communication between MeitY and WhatsApp in Rajya Sabha
- Pegasus Spyware: All the latest facts on who was targeted, the modus operandi, and more