Govt refuses to share WhatsApp letter
The government has refused to share the letter WhatsApp had written in May to reveal security breaches suffered by users, citing threats to the country’s integrity and sovereignty in response to an RTI query.
The information and technology ministry cited section 8 1(a) of the Right to Information Act as the basis for withholding the information that was sought by RTI activist Saket Gokhale on the controversy surrounding the Facebook-owned messenger service after it declared in early November that phones of over 1,400 users, including diplomats, journalists and activists spanning four continents, had been breached.
WhatsApp said the snooping, carried out through the use of Israeli-made spyware Pegasus, targeted 121 Indians.
While WhatsApp has not shared their names in its correspondence with the government, Citizen Lab, an independent lab at the University of Toronto that WhatsApp roped in to help investigate the breach, had informed the targets of the compromise by calling them.
“Copy of the communication cannot be provided as per section 8 1(a) of the RTI Act, 2005,” the ministry said in its reply to Gokhale, referring to the section that allows the government not to share information that could “prejudicially affect” the sovereignty and integrity of the country.
Gokhale had asked the IT ministry whether WhatsApp had informed it of the breach in May and also sought a copy of the letter in which it conveyed the information.
In its response, the ministry admitted that WhatsApp had informed its computer emergency response team (CERT-In) of a “vulnerability” in its code on May 20 which the app had “promptly fixed”.
Through another communiqué on September 5, WhatsApp again informed CERT-In that though the full extent of the attack may never be known, at least 20 users’ personal data, out of 121 individual targets in India, may have been accessed as a result of the breach.
“On May 20, WhatsApp reported an incident to the CERT-In wherein it mentioned that they (WhatsApp) had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute on mobile devices and that the vulnerability can no longer be exploited to carry out attack,” the department of electronics and information technology said in the reply.
“On September 5, WhatsApp wrote to CERT-In mentioning (an) update to the security incident reported in May that while the full extent of the attack may never be known, WhatsApp continues to review the available information. It also mentioned that WhatsApp believes it is likely that personal data within the WhatsApp app of approximately 20 users may have been accessed, out of approximately 121 users in India of whose devices the attacker attempted to reach,” it added.
The ministry’s replies contradict its response from when the controversy broke in the first week of November. The ministry had then denied receiving any information from WhatsApp about the breach.
The ministry admitted it had been informed about the breach in May only after a screenshot of a CERT-In page was circulated among journalists by sources. The ministry then indicated that it had not taken any action against the breach as the information provided by WhatsApp was full of “jargon” and did not mention Pegasus, the malware used to snoop on mobile phones of targets.
RTI activist Gokhale is not convinced by the government’s reply. He said he would challenge the response by filing an appeal, arguing that if the government had not done anything wrong there should be no reason not to make the letter public.
“First, you are saying you never received a letter. Then you’re saying you received it but you didn’t get it since it was full of technical jargon. There is no consistency in the government’s statements. The only way the government can clear the air and be transparent is by publishing a copy of the letter it received from WhatsApp,” Gokhale told The Telegraph Online.
The activist said he did not believe there could be anything in WhatsApp’s letter that could compromise national security.
The government has been evasive on the issue from the start, citing “national security”. As recently as November 28, during a debate in Parliament, IT minister Ravi Shankar Prasad resorted to circumlocution in his response to whether the government had bought Pegasus from NSO, the Israeli company which makes it.
“They keep asking me whether we bought it or not. I keep telling them that there’s a standard operating procedure. Should I reveal here what many of your state governments do?
“The government authorities of India, whenever they have to do anything for the security of India, they do so only as per standard operating procedure,” Prasad told the Rajya Sabha, responding to a query by Congress MP Digvijaya Singh.