Indian Intelligence used Israeli spyware to snoop on WhatsApp users

It is now confirmed what was only suspected before; that Indian Intelligence Agencies used Israeli spyware to snoop on an unidentified number of Indian citizens. While WhatsApp, which is suing the NSO Group, which developed and sells the spyware in the United States, told The Indian Express that the number of Indians put under surveillance was not ‘insignificant’, it has not yet disclosed their identity.

While the law suit in the US maintains that the spyware has been used across the world from Rwanda to Morocco, from UAE to Mexico, most of these countries including India have no legal framework to force government agencies to disclose truthfully the data. Even the Indian Parliament, it needs to be noted, cannot force the Government to come clean.

In a statement NSO said, “In the strongest possible terms, we dispute allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”

The NSO Group is part-owned by a UK-based private equity group called Novalpina Capital and the spyware was designed to worm its way into phones and transmit the owner’s location, their encrypted chats, travel plans — and even the voices of people the owners met — to servers around the world.

WhatsApp in a statement maintained, “In May 2019 we stopped a highly sophisticated cyber attack that exploited our video calling system in order to send malware to the mobile devices of a number of WhatsApp users. The nature of the attack did not require targeted users to answer the calls they received.

“We quickly added new protections to our systems and issued an update to WhatsApp to help keep people safe. We are now taking additional action, based on what we have learned to date.

“WhatsApp has also filed a complaint in U.S. court that attributes the attack to a spyware company called NSO Group and its parent company Q Cyber Technologies. The complaint alleges they violated both U.S. and California laws as well as the WhatsApp Terms of Service, which prohibits this type of abuse.

“This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users.”

Clearly WhatsApp detected the use of malware in May, 2019 and carried out a survey during a fortnight and found that the spyware had been used to snoop on at least 1,400 people, among them journalists and human rights defenders. This period of survey, during April and May, coincided with the Indian General Election. The spyware, however, is likely to have been used for much longer and used to snoop on many more WhatsApp users than the check carried out by WhatsApp has revealed.

But it is not known how many Indians were targeted and whether the surveillance was carried out on judges, bureaucrats, politicians, auditors and industrialists as well.

A whistle blower from Madhya Pradesh four years ago had demonstrated to Supreme Court judges that their phones could well be tapped by police in Bhopal. He had demonstrated the ability of the snooping spyware but nothing came of it then.