India

Pegasus breach: India denies WhatsApp hack amid outrage

Pictured in this photo illustration is the WhatsApp application logo launched on a mobile phone Image copyright Getty Images

Indian activists and politicians are pointing fingers at the state after WhatsApp revealed Indian journalists and activists were among those targeted with spyware on its platform.

WhatsApp has filed a lawsuit against Israeli firm NSO Group, alleging it was behind the cyber-attacks that infected devices in April and May.

NSO Group, which makes software for surveillance, says it only works with government agencies.

The government has denied the claims.

"These attempts to malign the government of India for the reported breach are completely misleading," a government statement read, adding that it would take "strict action" against those responsible for the attack.

India has also asked WhatsApp for a detailed explanation, Information and Technology Minister Ravi Shankar Prasad said in a statement on Twitter.

NSO Group has also denied the allegations against them.

"In the strongest possible terms, we dispute the allegations and vigorously fight them," NSO Group said in a statement to the BBC.

"The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime," it added.

How did the hack take place?

Hackers were able to remotely install surveillance software on phones and other devices by using a major vulnerability in the messaging app.

Targets received video or voice call requests from an unknown number - which even if ignored, allowed the spyware, known as Pegasus, to be installed on the device. This allowed users to remotely access everything on the phone, including text messages and location.

WhatsApp has not disclosed the number of Indians targeted.

"While I cannot reveal their identities and the exact number, I can say that it is not an insignificant number," WhatsApp spokesperson Carl Woog told The Indian Express newspaper.

Who has been targeted?

Indian news site Scroll says it has confirmed that at least 17 individuals, including activists, scholars and journalists, were affected by the breach.

"The profile of the private Indian citizens targeted in this case suggests the involvement of state agencies in India," technology writer Prasanto K Roy told the BBC. "These people are all activists, journalists and lawyers who work with or represent tribal people and dalits (formerly untouchables) in sensitive areas where people have clashed with the state."

Image copyright Getty Images

Mr Roy added that the list of people targeted so far is very specific. "I can't think of a single foreign government, not even Pakistan, who would be interested in these particular private citizens."

Lawyer Nihalsing Rathod, who has defended human rights activists arrested after caste-based violence broke out in the western state of Maharashtra in August 2018, told BBC Marathi that his phone had been targeted.

The arrests of the activists had been sharply criticised by many as a "witch hunt" against those who challenged the governing Bharatiya Janata Party (BJP).

Another of those targeted is Bela Bhatia, a writer and human rights lawyer who has alleged constant harassment by police in the volatile central state of Chhattisgarh.

What is India's relationship with WhatsApp?

With 400 million users, India is the biggest market for the Facebook-owned company.

However, it is not the first time that the messaging platform has found itself in trouble with local authorities.

A spate of lynchings driven by rumours of child kidnappings circulating on WhatsApp prompted Indian authorities to demand that the company do something to curb the spread of misinformation on its platform.

WhatsApp then took several steps, including advertising in newspapers and limiting the number of forwards a single user could send to five.

It also marked messages that had been forwarded with a label.

Since then, the government has gone a step further by saying that it would introduce new rules in January 2020 that would allow it to monitor, intercept and trace social media messages. In response, WhatsApp has said this would not be possible, "given the end-to-end encryption" the app uses.

What has WhatsApp done since the breach?

Soon after it discovered the cyber-attacks in May, the company rolled out a fix, adding "new protections" to their systems and issuing updates.

Cyber-experts at the University of Toronto's Citizen Lab helped WhatsApp identify more than 100 cases of "abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America".

Its decision to sue NSO Group is the first time an encrypted messaging provider has taken legal action of this kind

WhatsApp promotes itself as a "secure" communications app because messages are encrypted end-to-end. This means they should only be displayed in a legible form on the sender or recipient's device.

More on this story