NEW DELHI :
The government did not use Pegasus spyware for unauthorized interception of communication via instant messaging platform WhatsApp, information technology (IT) minister Ravi Shankar Prasad told Parliament on Thursday.
“Any violation of the procedure is actionable in law. Anyone who has a problem can file an FIR or a formal complaint and the government will look into it. No unauthorized interception has been done," Prasad said.
CERT-IN, India’s computer emergency response team, has sent a notice to WhatsApp for conducting an audit of their whole system and processes, Prasad said.
Prasad was responding to the Opposition’s queries on whether the government negotiated any deal or did any business transaction with the Israel-based tech firm NSO that developed NSO Pegasus spyware. They also sought his reply on whether the government has made unauthorized use of the spyware.
Last month, WhatsApp and Toronto-based Citizen Labs said that NSO’s Pegasus was used to spy on 1,400 users, including journalists and activists across the world. Out of these, 121 were Indians. Once the spyware infiltrates into a smartphone, it can continuously monitor all user activity, listen to conversation and even use the camera for video surveillance.
Prasad said the government had issued notice to NSO Group on 26 November, seeking details about the malware and its impact. WhatsApp assured the government that the vulnerability exploited to carry out the spyware attack has been addressed, Prasad said. The government is yet to receive even a single name among the 121 Indians who were targeted by Pegasus, he said.
WhatsApp chief executive officer Will Cathcart and Facebook vice-president, global affairs and communication, Nick Clegg, met government officials, including Prasad on 26 July and 11 September and, according to the minister, the company did not mention anything pertaining to the vulnerability.
Prasad also told the Parliament that anyone targeted by the spyware attack must lodge an official complaint. Section 66 of IT Act has a provision that mandates fine of up to ₹5 lakh and three-year imprisonment in case of breach of privacy of individuals. The Congress, however, said there is an urgent need for data protection and privacy law.
The minister replied that the government will soon introduce a robust and balanced personal data protection law in the Parliament. “India will never compromise on data sovereignty," Prasad said.
The government had last year, in line with the European Union’s General Data Protection Regulation, introduced a draft personal data protection bill to regulate the use of individual’s data by the government and by private companies.
Prasad also pointed out that the IT ministry is in the process of finalizing draft guidelines to regulate intermediaries such as social media platforms and internet service providers. According to the draft guidelines, the intermediaries will have to provide information sought by government agencies within 24 hours of receiving a court order and also identify the originator of the content. The minister assuaged fears about privacy and said that the government doesn’t want intermediaries to break encryption. “We also don’t want them to share information with everyone. However, if a message is being used to incite violence or for acts of terrorism and communal tension they will have to tell law enforcement agencies who started it as many of these conversations originate from Pakistan," he said. To boost cybersecurity, the Centre is conducting cyber auditing, training for officials, and skilling of cyber security team at CERT-IN, Prasad said.