WhatsApp denies allegations of data breach by spyware Pegasus in SC

The issue cropped up before a bench headed by CJI Bobde which was hearing a plea seeking direction to RBI for framing regulation to ensure that data collected on UPI platforms is not exploited

WhatsApp on Monday denied in the Supreme Court the allegations that its data can be hacked by Israeli sypware Pegasus, which had led to a controversy last year over breach of privacy following claims that Indian journalists and human rights activists were among those globally spied upon by unnamed entities.

The issue cropped up before a bench headed by Chief Justice S A Bobde which was hearing a plea filed by Rajya Sabha MP Binoy Viswam seeking direction to the Reserve Bank of India (RBI) for framing regulation to ensure that data collected on UPI platforms is not exploited or used in any manner other than for processing payments.

An allegation is that WhatsApp data can be hacked by a software called Pegasus, the bench, also comprising Justices A S Bopanna and V Ramasubramanian, told senior advocate Kapil Sibal, who was appearing for WhatsApp.

Sibal said these are all allegations. None of them are correct.

WhatsApp had said last year that it was suing an Israeli surveillance firm that is reportedly behind the technology that helped unnamed entities' spies to hack into phones of roughly 1,400 users.

During the hearing conducted through video-conferencing on Monday, senior advocate Krishnan Venugopal, appearing for Viswam, told the bench that RBI has filed an affidavit in the matter and the National Payments Corporation of India (NPCI) should also make its stand clear in the matter.

Additional safeguards should be there. WhatsApp's security is not up to the mark and the third point is of data localisation. Data is being shared by companies like Facebook, WhatsApp and Amazon. This is a breach of privacy. All the data are being shared in violation of the NPCI norms, Venugopal said.

He referred to the Pegasus controversy and said that WhatsApp's data can be hacked by the spyware.

The counsel appearing for NPCI said that he would file an affidavit in the matter.

The bench has posted the matter for further hearing in the fourth week of January.

On October 15, the apex court had sought responses from the Centre, RBI, NPCI and others including Google Inc, Facebook Inc, WhatsApp and Amazon Inc on the plea.

Viswam, the Communist Party of India (CPI) leader, has sought a direction to the RBI and the NPCI to ensure that data collected on Unified Payments Interface (UPI) platforms is not shared with their parent company or any other third party under any circumstances.

In India, the UPI payments system is being regulated and supervised by Respondent no. 1 (RBI) and Respondent no. 2 (NPCI), however the RBI and the NPCI instead of fulfilling their statutory obligations and protecting and securing the sensitive data of users are compromising the interest of the Indian users by allowing the non-compliant foreign entities to operate its payment services in India, the plea has alleged.

The RBI and NPCI have permitted the three members of Big Four Tech Giants' i.e. Amazon, Google and Facebook/WhatsApp (Beta phase) to participate in the UPI ecosystem without much scrutiny and in spite of blatant violations of UPI guidelines and RBI regulations, it has claimed.

The plea has alleged that this conduct of RBI and NPCI put the sensitive financial data of Indian users at huge risks, especially when these entities have been continuously accused of abusing dominance and compromising data, among other things.

It has further sought a direction that RBI and NPCI should ensure that WhatsApp is not permitted to launch full scale operations of WhatsApp Pay' in India without fulfilling all legal compliances to the satisfaction of the court regarding requisite regulatory compliances.

It said that in April 2018, the RBI, with a view to secure the data of Indian users, had issued a circular directing all system providers to ensure that entire data relating to payment systems operated by them are stored in systems only in India and they were asked to ensure compliance by October 15, 2018.

The plea claimed that later, the RBI toned down the April 2018 circular by issuing Frequently Asked Questions (FAQs) and permitted processing of all payment transaction abroad, including domestic transactions.

In the said FAQ it was clarified that in cases of data processing done abroad, the data should be deleted from the systems abroad and brought back to India within 24 hours, the plea said.

It has sought the apex court's direction to declare the FAQ dated June 26, 2019 issued by the RBI as ultra vires to the circular dated April 6, 2018.

It alleged that Google and Facebook already have access to immense personal data of millions of Indian users and if they are permitted to collect unrestricted financial data of Indian users while operating at the UPI platform, the same would give them draconian control over sensitive Indian data.