A key assertion made by Ashwani Vaishnaw, minister for communication, electronics and information technology, on the floor of the Lok Sabha on Monday – “In the past, similar claims were made regarding the use of Pegasus on WhatsApp, those reports had no factual basis and has been denied by all parties…” – is flatly contradicted by replies his own ministry has provided to RTI queries and parliament questions in the past.
In November 2019, when news emerged that the smartphones of some Indian activists had been hacked by Pegasus spyware – the military grade surveillance tool sold by the Israeli company NSO Group to ‘vetted governments’ around the word – via WhatsApp, Venkatesh Nayak of the Commonwealth Human Rights Initiative filed a request for information about the incident with the Prime Ministers’ Office, home ministry and the ministry of communication, electronics and information technology (MEITY).
MEITY, to whom the PMO and MHA forwarded Venkatesh’s requests, replied to him on December 2, 2019 clearly acknowledged that WhatsApp had informed the Indian Computer Emergency Response Team (CERT-IN)– the government’s official body responsible for monitoring such hacking – of the Pegasus attack on May 20, 2019. WhatsApp provided further details to CERT-IN on September 5, 2019:
“On May 20, 2019 WhatsApp reported an incident to the Indian Computer Emergency Response Team (CERT-In) wherein it mentioned that WhatsApp identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attack.
“Further, WhatsApp wrote to CERT-In on September 5, 2019 mentioning update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continues to review the available information.
“It also mentioned that WhatsApp believes it is likely that personal data within the WhatsApp app of approximately twenty users may have been accessed out of approximately one hundred and twenty one users in India of whose devices the attacker attempted to reach.”
It is hard to square the ministry’s written acknowledgment of WhatsApp’s complaint with Vaishnaw’s assertion in the Lok Sabha that there is “no factual basis” to the claim that Pegasus attacks had occurred via WhatsApp. Especially since a government minister provided the identical information to parliament in a written answer on December 11, 2019.
Vaishnaw, incidentally, is one of the individuals whose telephone numbers appear in the leaked database.