WhatsApp didn't inform about vulnerability: Govt

New Delhi: IT Minister Ravi Shankar Prasad told Parliament on Thursday that a WhatsApp CEO-led delegation had not mentioned any vulnerability in their system during their meetings with the ministry, and that the government was yet to receive the names of people targeted by unnamed entities using Pegasus spyware.

Replying to a question in Rajya Sabha, Prasad said the government had issued notice to Israeli technology firm NSO Group, which created Pegasus, on November 26, seeking details about the malware and its impact.

The minister also said digital players must erect appropriate security walls or be ready to face action.

He was replying to a special mention by Congress MP Digvijay Singh on the use of the spyware against some Indians.

"During the high level engagements like meeting of CEO Will Cathcart and VP Policy Nick Clegg of WhatsApp that took place with the ministry on July 26, 2019 and September 11, 2019, no mention was made by the high level WhatsApp team regarding this vulnerability," Prasad said in a statement.

According to the minister, when reports about the breach appeared in the media, CERT-IN (Computer Emergency Response Team) on September 9 sought submissions from WhatsApp, including a need to conduct an audit and inspection of WhatsApp's security system and process.

"The response from WhatsApp was received on November 18, 2019 and further clarification and technical details have been sought on November 26, 2019.

"CERT-IN has also sent a notice to NSO Group on November 26, 2019 seeking details about the malware and its impact on Indian users," he said.

Prasad also said that the government is committed to ensuring the safety and security of online platforms such as WhatsApp.

He added that the government is working to strengthen the Information Technology (Intermediaries Guidelines) Rules 2011.

The minister asserted India would never compromise its data security.

Replying to concerns raised by some members, Prasad said the global business community is welcome to do business in India but they would also have to acknowledge and understand that safety and security of Indians is indeed of prime importance.

"You can come to India for business, but there are sensitive and hyper-sensitive data and India would claim its right over that," Prasad said, adding he would discuss in detail once the Data Protection Law comes into force.

The minister said the Bill will be introduced in Lok Sabha soon.

According to WhatsApp, the spyware was developed by Israel-based NSO Group and had been used to snoop on about 1,400 users globally, including 121 users from India.

Experts seek clarity on data protection bill

New Delhi: As the Opposition took on the government in Rajya Sabha over WhatsApp snooping via third-party Israeli software Pegasus, a roundtable discussion in the Capital on Thursday sought clarity on the much-anticipated Personal Data Protection Bill (PDP). Organised by the Internet and Mobile Association of India (IAMAI), the roundtable deliberated upon the impact of the draft PDP 2018 on ease of doing business in India, aiming to create a dialogue between key industry representatives, civil society and media personnel on the aspects of the draft PDP bill that concern the industry. The experts demanded clarification of several areas of ambiguity in the draft Bill so that businesses can fully comprehend the extent of the adjustments they will have to make to comply with it.

"The bill categorises data as Personal data, Sensitive Personal data and Critical Personal data, but the industry lacks clarity on which data qualifies under which head and hence is not equipped to take necessary precautions," said an IAMAI report.

The PDP bill talks of consent and explicit consent for different categories of data, but there is no clarity on what would qualify as consent and explicit consent. Thus, businesses have no idea of the compliance requirements involved.

The PDP bill creates a need for the data fiduciary to repeatedly obtain consent from the data principal for every step of the processing activity.

"The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation," said the report.

The discussion was an attempt to help create a holistic, well-informed public discourse on the Bill, which will eventually strengthen the collective effort to draft a well-devised Data Governance regime in India, said IAMAI.

Earlier in the day, members of the Opposition led by Congress leader Digvijay Singh raised challenging questions and concerns in the Parliament as IT and Telecom Minister Ravi Shankar Prasad did not give any direct reply.

Singh also demanded a Joint Parliamentary Committee (JPC) be set up to probe the WhatsApp breach.
