In October, WhatsApp sued NSO Group, an Israeli firm it said developed and sold a software called Pegasus, which misused the Facebook-owned messaging platform to spy on 1,400 people globally, of whom 121 were Indians.
Many controversies and questions later, here are things you might have wanted to know but couldn’t find an answer to:
Who in India paid NSO Group to buy Pegasus?
Last week, Opposition leaders in the Rajya Sabha asked Information and Technology Minister Ravi Shankar Prasad this question multiple times. We still do not have a direct answer. He said Standard Operating Procedure was followed in cases of lawful surveillance, and no unauthorised surveillance was done. The home ministry in an RTI response said it had no information on the issue.
Why is the government being asked about the purchase of Pegasus?
This is because NSO Group has maintained that it sells only to governments. Its software has been reported to have been misused by governments in countries like Saudi Arabia, the UAE, Mexico, Morocco, and Rwanda to spy on their own citizens.
According to a report by Fast Company last year, NSO Group was charging customers $650,000 to hack 10 devices, in addition to a $500,000 installation fee in 2016.
Hacking into the phones of a large number of people at that price would be prohibitive, even by government standards. It has been reported separately that NSO Group made a presentation to the Chhattisgarh Police Department in 2017.
Is Pegasus being used to spy on all of us?
No. Pegasus is not used for mass surveillance. An explanatory piece by Amnesty International, whose employee was also targeted using Pegasus, says: “NSO Group’s Pegasus tool is used for targeted attacks and by design, is not meant for mass surveillance.”
This means whoever bought the NSO software in India identified the people whose WhatsApp accounts were used to break into their phones.
Is WhatsApp now unsafe to use? Should I move to other platforms?
There is no simple answer to this.
While not a perfect analogy, think of it as someone installing a hidden camera and microphone in your house by getting in through a window. In this case, the house is a user’s smartphone, the hidden camera and microphone is Pegasus, and WhatsApp is the window.
WhatsApp became aware of Pegasus having used an open latch in some of its code, fixed it, and got an independent expert — Citizen Lab — to figure out how many houses were bugged.
This window could have been any other app. What makes WhatsApp an easy target is its mass base. The more popular an app becomes, the more likely it is to be targeted by malicious actors, Director of Cybersecurity at Electronic Frontier Eva Galperin tweeted on November 4.
What is the problem with the government questioning WhatsApp?
Going back to the analogy, so far, the window is being blamed for being open at the time of an intrusion into the house. It is important to find out how it was left open, but it is also important to find out who decided to hire an expensive hand to spy on the people in the house, and even those visiting the house.
Last Thursday was the first time that the IT minister said NSO Group had been sent notice. He did not give further details about when this was sent, and whether a response has been received.
What are the laws governing disclosure of a data breach by a company in India? Are users informed individually?
Private or government entities dealing with citizen data are not mandated to disclose a data breach, except in some cases where regulators have to be informed. Several countries have laws mandating this.
In this case, WhatsApp reached out to citizens and informed them that their devices and privacy were compromised.
Companies in India have previously used the loss of reputation as an argument against making data breaches public. Besides, there is no proper framework governing data handling, except for the upcoming Personal Data Protection Bill, the first public draft of which dealt with these issues.
Is Pegasus the only software capable of such a data breach?
Most certainly not. There are several such software tools and products available on the dark web or through covert means.
Governments and individuals who can afford it will find different ways to breach security. The best approach for consumers is to stay aware, keep their devices updated, and if they work on sensitive issues, keep their communication private and use apps that offer a second layer of authentication and encryption.