India’s federal Electronics and Information Technology Ministry had earlier denied it had any role in the snooping and claimed that neither WhatsApp nor its parent Facebook had brought privacy breaches of Indian citizens to its attention.
But on Wednesday, India’s federal Electronics and Information Technology Minister Ravi Shankar Prasad admitted in Parliament that WhatsApp had indeed informed the national cyber security agency about threats using Pegasus, the software system developed by Israel-based company NSO Group.
“On September 5, 2019 WhatsApp wrote to CERT-In (India’s Computer Emergency Response Team) mentioning an update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continued to review the available information,” Prasad told Rajya Sabha, the upper house of the Indian Parliament.
The minister said that attempts to “malign the Government of India for the reported breach are completely misleading.”
But NSO Group later clarified that its software was sold only to governments and government agencies.
India’s junior home minister told Parliament on 19 November that “any interception or monitoring or decryption of any information from any computer resource can be done only by these authorised (investigative) agencies as per due process of law and subject to safeguards as provided in the rules and SOP.”
Prasad said that the government was drafting legislation to protect the privacy of its citizens from such cyber snooping.
With 400 million monthly active users, India is the biggest market for WhatsApp in the world.
In 2017, the messaging app applied end-to-end encryption to chats on its platform to ensure the security of the information exchanged.
US-based Facebook, which owns WhatsApp, has been facing charges that it has allowed the platform to violate the privacy of its account holders. In October, Turkey fined Facebook $282,000 for violating its data protection laws, impacting 300,000 people.
In the United States itself, users held the company liable for allowing third parties including Cambridge Analytica to access its data.