Govt wants to conduct audit of WhatsApp's security after NSO espionage: Ravi Shankar Prasad
The government wants to conduct an audit of WhatsApp's security systems following revelations of Israeli spyware exploiting its vulnerabilities, IT Minister Ravi Shankar Prasad said but refused to say if the government had bought the spyware.
The Indian Computer Emergency Team (CERT-In) "has clearly said that we want to audit your (WhatsApp) entire system... we have told them that we want to conduct an audit and inspection of WhatsApp's security systems and processes," Prasad said in reply to a short duration discussion in Rajya Sabha over the spying controversy.
He, however, did not give a direct reply to Congress leader Digvijaya Singh's repeated query if the government had bought Pegasus spyware from Isreali firm NSO.
To Singh's question on Home Minister having met WhatsApp officials, Prasad said WhatsApp representatives keep meeting government officials and they "may have met Home Minister as well. After all, WhatsApp has its biggest operations globally in India."
WhatsApp, last month, sued Israeli surveillance firm NSO Group, accusing it of helping those buying its spyware Pegasus break into the phones of roughly 1,400 users across four continents.
The targets of the hacking included diplomats, political dissidents, journalists, along with military and government officials. In India, 121 users are believed to have been compromised.
Prasad said cyber security agency CERT-In had sought information from WhatsApp including need to conduct an audit and inspection of WhatsApp's security systems and processes on November 9, and further clarifications and details have been sought on November 26, following response from WhatsApp on November 18.
Stating that the WhatsApp CEO had made no mention of vulnerability in their system by Pegasus spyware during his meeting with the Ministry, Prasad also warned digital players that they must erect appropriate security walls, failing which appropriate action would be taken.
"During the high-level engagements like meetings with CEO Will Cathcart and VP Policy Nick Clegg of WhatsApp that took place with the Ministry on July 26, 2019 and September 11, 2019, no mention was made by the high-level WhatsApp team regarding this vulnerability," said Prasad in a statement.
The Indian cybersecurity agency has also sent notice to NSO group on November 26, 2019 seeking details about the malware and its impact on Indian users, he said.
According to Prasad, WhatsApp reported an incident to CERT-In, where it mentioned it had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices, and that the vulnerability can no longer be exploited to carry out the attack.
Moreover, he also said that the government along with the US, the UK, and Australia is in discussion with WhatsApp to identify the source of the message and videos that have violence.
The minister also informed the Upper House that the work on Data Protection law is in progress and would be introduced very soon in Parliament.
Replying to the concerns raised by the members, Prasad said digital companies are welcome to do the business in India but they would also have to acknowledge and understand that safety and security of Indians is of prime importance.
(Edited by Evelyn Ratnakumar)