An Analysis of the WhatsApp Spyware Issue

Reading time: 6-8 minutes.

On 31st October, 2019, the Information Technology Minister Ravi Shankar Prasad raised various questions and sought an explanation regarding the privacy safeguards taken by ‘WhatsApp’ and the breach of them.

Various media publications on October 30, 2019 revealed that ‘Pegasus’, a spyware made by NSO, an Israeli company, was used to hack into the phones of several activists, lawyers and journalists. The spyware exploits a vulnerability in WhatsApp voice calling: it initiates a voice call to the target phone and gets installed on the device. Once installed, it can track the activities of the target phone, including access to messages, mails, audio calls, contacts, etc.

Pertaining to the spyware issue, WhatsApp has filed a lawsuit against NSO in the U.S. Federal Court in San Francisco seeking a permanent injunction, thereby thwarting NSO from using its service. In response, NSO disputed the allegations and said that it only provided its technology to licensed government agencies to help them fight terrorism and serious crime. This was followed by a tremendous hue and cry on social media, with questions being asked of the Indian Government and clarion calls to boycott WhatsApp.

WhatsApp is not the only gateway for Pegasus. The impact is much more widespread. To understand this, one needs to understand exactly how Pegasus works. In July and August, 2016 there were multiple attempts to infect the phone of a Mexican health researcher with Pegasus by sending repeated messages that were emotionally stirring.

In fact, the Citizen Lab, which has investigated several cases of Pegasus infections around the world, including the ones in India, has shown through its research that social engineering is a common strategy to deliver the spyware.

How does Pegasus actually work?

The question lies in the ability of Pegasus to spy on every aspect of the target device. Smartphones have operating systems, like desktops. Android uses a modified version of Linux (an open source operating system) and iPhones use iOS.

The 2016 case was investigated by Lookout, a cybersecurity company partnered with Citizen Lab, which found that Pegasus had exploited a zero-day vulnerability in iOS. A zero-day vulnerability is a flaw in software or hardware that is previously unknown to the party responsible. Upon the target clicking a link, it executed Stage 2 code which was able to jailbreak the target’s iPhone.

In the present WhatsApp issue, a specially crafted call was used to trigger a buffer overflow, which in turn was used to take control of the device. The Android version of Pegasus is called Chrysaor malware, and it gets installed as an application on the phone using a rooting technique called Framaroot.

This root access allows the spyware to monitor the target phone. The Google Play Store and Apple App Store house thousands of apps which could potentially be exploited by firms such as NSO to target individual users.

Breach of Right to Privacy:

The Indian Constitution incorporates the Right to Privacy under Article 21. It is a requisite of the right to life and personal liberty. Recently, the case of Justice K.S. Puttaswamy and Ors. v. Union of India evolved as a landmark judgment in the history of India with regard to the status of the Right to Privacy. According to Black’s Law Dictionary, Right to Privacy means the “right to be let alone”; the right of a person to be free from any unwarranted interference.

Telephone tapping and the right to privacy are affected by new technological developments related to the correspondence of a person and, therefore, have become a topic of debate. In the case of People’s Union for Civil Liberties v. Union of India, it was held that the right to have a telephone conversation in the privacy of the home or office without interference can be claimed as the right to privacy. In this case, the Supreme Court held that telephone conversations are of a private nature and, therefore, telephone wiretapping amounts to a violation of one’s privacy.

The concept of privacy has also gained impetus internationally under various Conventions, such as Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights and Article 8 of the European Convention on Human Rights.

With the advancement of technology and the social networking sites, the intrusion of such a right has become extremely difficult. The extent to which privacy is important to individuals is subjective and differs from person to person. Section 43 of The Information Technology Act, 2000 also covers the right to privacy, making unauthorized access to a computer resource an offence.

Conclusion and probable way forward:

From a user's point of view, to ensure the security of your devices, it is important to keep phones updated, both the applications and the firmware. Many smartphone users often disable automatic updates in order to save on data, but this also prevents security updates from being installed on the phones. It is extremely important to be self-aware about one’s digital security, as a compromise in that could lead to a situation of total surveillance.

The committee issued a final report and a bill in July 2018, which was called the Personal Data Protection Bill, 2018. The Personal Data Protection Bill provided for the establishment of a Data Protection Authority to monitor activities that involve data processing.

In addition, the objective behind the formulation of the said bill was to protect the autonomy of people in relation to their personal data. It also laid down norms for the cross-border transfer of personal data. Beyond this, it provided remedies for unauthorized and harmful processing and ensured the accountability of entities processing personal data.

Finally, the question that needs to be asked is who in India can afford millions of dollars to target phones of select individuals. NSO charges an excessively high sum for its product and services. As a company, NSO has offered services to various clients, and helped them hack a victim’s phone through a variety of methods.

The government needs to investigate who in India can afford to hire NSO and is interested in attacking selected activists, lawyers and journalists, especially when NSO says it sells the software only to government agencies.

–This article is brought to you in collaboration with Abhishek Kumar from NUSRL, Ranchi.
