Possibly one of the biggest stories that broke in cyberspace recently has been WhatsApp’s reports that 1,400 of its users were hacked by Pegasus, a spyware tool from Israeli firm NSO Group. A significant number of these Indian users include journalists, academics, human rights and Dalit activists. Further, the timing of such surveillance — late April to mid-May — rakes up another set of worries about the motive behind the hack.

While WhatsApp has taken the NSO Group to court, India’s Ministry of Electronics and Information Technology (MeitY) has in turn issued a notice to WhatsApp and its parent company, Facebook, to explain the privacy breach in detail. For now, the NSO Group has washed its hands of the whole matter, saying that it sold the spyware tool to governments only, but it definitely cannot escape a larger responsibility.

Encryption override

The pertinent questions are, who is behind this surveillance and hacking incident; and has this intrusion of privacy reached a level that has not been fathomed by the legal and technical communities?

Stretching this further, is this a vulnerability ignored by WhatsApp’s management? Clearly, the potential revelations are worrying a large section of social media users about the confidentiality and integrity of the networks, which is the basis of trust for most users who prefer WhatsApp over other messaging platforms. Security and privacy breach apart, the possibility of an external surveillance code like Pegasus overriding the in-built end-to-end encryption that WhatsApp features generates more fear and affects users’ trust. At the same time, the NSO Group’s claim about only working with specific security agencies across the world brings to the fore questions about the role of such agencies, and whether they are operating beyond the purview of the existing laws in their respective countries.

WhatsApp’s legal recourse against the NSO Group might show its tactical response, but the larger strategic focus should be on plugging the apparent holes in the software and reassuring its users. Particularly, the fact that Pegasus was able to override the end-to-end encryption should be investigated. As recently as July this year, the global head of WhatsApp had reiterated the integrity of this encryption to IT Minister Ravi Shankar Prasad, even as the latter — and MeitY — have been following up for access to WhatsApp data for law enforcement purposes.

There is a lot of work to be done by WhatsApp, as well as many other popular social media platforms, since they are also reported to be vulnerable to the same Pegasus exploit code. Clearly, this issue should also be taken up by US regulators (as WhatsApp and Facebook fall under their jurisdiction), to assure the world that such platforms remain safe for usage by individuals across the world.

Global cyber cooperation

The other angle to this whole episode is the role of the perpetrators behind the hack. With access to technology increasing, networks can be intruded from any part of the world provided the encryption can be broken. Since this attack involves users from quite a few countries, there is a greater need for global cooperation for a concerted and coordinated investigation. This incident has called attention to the lack of a global agreement for cyber security cooperation, as well as the problem of precise attribution in cyber security investigations.

At the same time, the offering of products such as Pegasus and their misuse or proliferation has the same, if not more, ramifications as advanced nuclear technology falling into the wrong hands. The role of non-state actors with support from rogue nations or even criminal syndicates is also not out of question.

Government role

Some in India have been quick to jump the gun and blame the government and its ‘snooping’ networks. But that is definitely not proven to be the situation yet, and both the MeitY and Ministry of Home Affairs have clearly said they played no role and did not instruct surveillance on any of the Indians who have been the targets of this malicious attack. Also, any form of online interception, monitoring and decryption is well defined as per the provisions of the Information Technology Act 2008 (IT Act) and the concomitant rules set there, related to the provisions gazetted on October 27, 2009 and December 20, 2018.

These provisions clearly list the 10 agencies that can undertake such actions and the procedures for them, the competent authority who can order such an action being the Union Home Secretary. Even such authorised surveillance actions have to be reviewed by a committee, headed by the Cabinet Secretary, which meets at least once in two months. Likewise for States, the respective Home Secretary is the competent authority and the Chief Secretary heads the review committee. No such authorisations have been given by any of the competent authorities for the monitoring of the affected individuals in India for the period in reference.

As it is evident that the current set of attacks — at least in the Indian context — has not been authorised by the government, this is a clear case of wilful hacking whose proportions require it to be seen as a cyber terrorism attempt; it calls for application of Section 66 (F) of the IT Act to deal with the perpetrators.

The issue has brought to the fore the fear around the possibility of how emerging network access technology could also beat secured encryption, which remains the fundamental basis of user trust and hitherto privacy. Such software must be strictly controlled and legal provisions must be inked, so that providers of such technologies are deterred. Social media providers must also stop chest-thumping, start investing in attribution solutions and be honest with users about the risks involved in their products. Needless to say, a relook at laws, technology and ethics is needed, preferably sooner rather than later.

The writer is a former country head of a defence multinational