WhatsApp: Govt admits to breach alert, House panel votes for scrutiny

Karishma Mehrotra, Liz Mathew
Shashi Tharoor, who heads the House panel on WhatsApp breach.  (File)

ON a day the government admitted in Parliament that WhatsApp had notified it in May and September of a breach in some accounts in India via spyware Pegasus, sharp differences emerged at a meeting of the Parliamentary Standing Committee on Information Technology on discussing the issue of “citizens’ data security and privacy”.

With the BJP members objecting and citing jurisdiction issues, the committee is learnt to have been split down the middle, with 12 members for a discussion, and 12 against. Finally, Shashi Tharoor, who heads the panel, cast his tie-breaker vote, supporting the demand for a discussion.

A group of 17 activists, whose WhatsApp in mobile devices was targeted, had demanded a detailed probe by the parliamentary panel. But the BJP members are learnt to have pointed out that none of the activists had filed an FIR or approached cybersecurity cells.

At least two BJP members cited Rule 331(E) of the Rules of Procedure and Conduct of Business in Lok Sabha, citing the provision under which a standing committee shall not consider matters of the day-to-day administration of the concerned ministries/ departments.

The ruling party members pointed out that the Department of Atomic Energy’s report to the panel did not mention the cyber security breaches, and the issue involved third parties — WhatsApp and an Israeli firm. Objecting to the committee’s move to take up the matter suo motu, the members said WhatsApp had not given information on the names of the persons whose accounts were breached.

Read | CERT-In issued notice to WhatsApp seeking info on Pegasus spyware: Ravi Shankar Prasad

As the other members pressed for a discussion, a BJP member is learnt to have cited Rule 261 to demand that a decision shall be determined by a majority of votes of the members present. With the vote resulting in a tie, Tharoor is learnt to have cast his second vote as chairperson — as per Rule 262, the chairperson has a second or casting vote.

Earlier in the day, the government’s admission came in a reply in Parliament to questions from AIMIM MPs Asaduddin Owaisi and Syed Imtiaz Jaleel asking for the government’s reaction to “reports of alleged use and purchase of the Pegasus spyware by government agencies”, The Indian Express first reported on October 31 that journalists and human rights activists in India were targets of surveillance by Pegasus that hacked into their WhatsApp accounts for a two-week period until May 2019. The spyware is developed by an Israeli cyber firm, NSO Group, which claimed that it only sells its products to legitimate government agencies.

Read | WhatsApp expresses 'regret' over Pegasus snooping row

In his reply, Union IT Minister Ravi Shankar Prasad said: “Some statements have appeared, based on reports in media, regarding this. These attempts to malign the Government of India for the reported breach are completely misleading. The government is committed to protect the fundamental rights of citizens, including the right to privacy. The government operates strictly as per provisions of law and laid down protocols.”

The timing of WhatsApp’s correspondences regarding the breach with the government have come under scrutiny. After the October 31 report, the IT Ministry had sent a letter to WhatsApp and a top official had then told The Indian Express that the government was “disturbed” that neither WhatsApp nor its parent company Facebook brought the privacy breach of Indian citizens to its notice though they had numerous top leadership meetings since the summer.

In response to the Parliament questions on Wednesday, Prasad said: “The Indian Computer Emergency Response Team (CERT-In) published a vulnerability note on May 17, 2019 advising counter measures to users regarding a vulnerability in WhatsApp. Subsequently, on May 20, 2019 WhatsApp reported an incident to the CERT-In stating that WhatsApp had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attacks.”

Read | 35 per cent jump in activations post-Pegasus, claims Viber

It continues: “On September 5, 2019 WhatsApp wrote to CERT-In mentioning an update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continued to review the available information. It also mentioned that WhatsApp believes it is likely that devices of approximately 121 users in India may have been attempted to be reached. Based on media reports on 31st October, 2019, about such targeting of mobile devices of Indian citizens through WhatsApp by spyware Pegasus, CERT-In has issued a formal notice to WhatsApp seeking submission of relevant details and information.”

On Tuesday, the government had skirted the issue of use of Pegasus software for interception of WhatsApp calls and messages. To a question on whether the government was tapping WhatsApp calls and messages and if it was using the Israeli software for the same, Minister for State for Home G Kishan Reddy did not answer the question directly but merely said it had powers under the statute to make legal interception of Internet communication.

In a separate set of Parliament questions regarding another recent cyber attack on the Kudankulam Nuclear Power Project (KKNPP) in Tamil Nadu, Congress MP Manickam Tagore asked the details of “reported and experienced mechanical malfunctions”. Minister of State for Personnel, Public Grievances, and Pensions, Jitendra Singh said in Parliament on Wednesday that “an issue with KKNPP Unit-1 Turbo-generator bearings was faced, which was corrected.”

He added that increased vibration at higher power levels was found in the generator stator of KKNPP Unit-2. There has been a total of six and eight outages of KKNPP Units 1&2 respectively, the response said.

The Indian Express reported on October 30 that senior government officials confirmed that a National Cyber Security Council (NCSC) audit of the plant has detected an “incident” that was not on the main operations of the plant. KKNPP had denied any hacking of its control system the day before but after the report, the Nuclear Power Corporation of India Limited (NPCIL) confirmed in a press release that the “identification of malware in NPCIL system is correct.”

The government source said the NCSC and KKNPP had jointly decided to issue the press release denying an attack on its control system, since the audit found that only the administrative layer was affected and not the operations.