Indian Govt To Audit WhatsApp Security Post Pegasus Spying Scandal

In a new revelation in the Pegasus spyware controversy, the Indian government has said that it would conduct an audit of WhatsApp’s security systems to prevent any untoward snooping and spying by unauthorised elements.

In an ET report, the IT minister, Ravi Shankar Prasad, stated that India’s Computer Emergency Team (CERT-In) had requested WhatsApp for information and wanted to conduct an audit and inspection on its security systems and processes. The government said that it has been following up with WhatsApp to clarify the issue.

Prasad also stated that India is WhatsApp’s biggest market. He added that in two high-level meetings in July and September 2019, WhatsApp CEO Will Cathcart, and VP of policy Nick Clegg never mentioned anything about the security breach or cyber-attacks on Indian users.

Moreover, Prasad said that CERT-In has also sent notice to the NSO Group, on November 26, asking details about the malware and its impact on Indian users. However, the incident reported by WhatsApp to the Indian cybersecurity agency had only mentioned that the company had identified and fixed the vulnerability, without mentioning Pegasus or any spying on Indian citizens.

Highlighting the WhatsApp message traceability issue, Prasad said that India, along with the US, UK and Australia, is in talks with WhatsApp to help law enforcement and authorities identify the source of the fake news, misleading messages and other objectionable content such as child pornography. The traceability of such messages has been included in the intermediary guidelines for social media regulation as well, which is expected to be ready by early 2020.

On November 28, the Indian government had planned to push its plan to mandate digital companies to store data of Indian users in the country. The government believes that if WhatsApp’s data was stored in the country, it would have been easier for the authorities to carry out the investigation related to the Pegasus spyware case. However, the Personal Data Protection Bill, which is still under works, includes the mandate of data localisation of Indian users. It is expected to be introduced in the ongoing winter session of the Indian Parliament.

The government believes that if WhatsApp’s data is stored in the country, it would have helped the authorities to carry out their own investigation related to Pegasus snooping case.

Notably, the provision which mandates the localisation of data of Indian users is a part of the Personal Data Protection Bill, which is expected to be introduced in the winter session of the Indian Parliament. At present, the draft personal data protection law proposes that companies store all ‘critical’ data within India.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.