A spying and privacy breach scandal shaking India has received a new twist, with the government saying that Facebook's WhatsApp messaging app had failed to inform it about a serious security problem – while the tech giant denies this claim.
WhatsApp stated that the Indian government was informed not once, but twice: first in May and then in September, a report from India Today said. WhatsApp backed this claim up by including a vulnerability note from May and a letter sent to the government in September as attachments to its response.
The Indian government now acknowledges the September letter, which is referred to as “an intimation” – but adds that the IT Ministry had said this information was “still too vague to be alarming.” There was a security vulnerability notice in May, they said – but it, too, failed to attract their attention. It was “pure technical jargon” about a technical vulnerability “and had nothing to do with the fact that the privacy of Indian users had been compromised,” the authorities said.
The Indian government's reaction is potential all the more problematic given that the spyware, dubbed “Pegasus,” targeted 121 Indians, many of whom are activists, lawyers, and journalists. And as the report suggests, the case has now become a political controversy.
Pegasus, developed by Israel-based NSO Group, was used in a highly targeted attack affecting a total of 1,400 people around the world. Facebook revealed this as it informed affected Indian journalists and activists of the security problem in late October, which is when the scandal became public knowledge.
It's unknown at this time who deployed Pegasus against Indian citizens, but NSO Group apparently limits the sale of its spyware to state actors, as the software “has the ability to collect intimate data from a target device.” As other reports have suggested, this means that Pegasus can extract all data and access all communications from an infected device.
Pegasus, that has managed to penetrate WhatsApp's encrypted system, costs $7-8 million a year in license fees – which raises the barrier to entry, eliminating run-of-the-mill hackers and indicating instead involvement of powerful entities. Facebook is now suing NSO Group for reverse-engineering WhatsApp and targeting devices using its own servers, writes the Economic Times.
India's government, meanwhile, is denying that it was, or plans to be among NSO Group's customers.