WhatsApp: How private are your chats?

WhatsApp, not a safe handle anymore! Does that shock you? When you get to know that your messages, photos, and videos over the Facebook-owned WhatsApp are not safe and encrypted anymore? Albeit the Messaging app WhatsApp handled by Facebook confidently mentioned in their privacy policy that “Respect for your privacy is coded into our DNA”.

Central Government’s response to WhatsApp cyber intrusion

There are multiple instances of WhatsApp chats being Decrypted by Governmental agencies that lead investigations. This primarily came to light during the investigation of Shushant Singh’s mysterious death when investigating agencies, began to leak the selective WhatsApp chats to the media houses. Later the Narcotics Control Bureau (NCB) used Rhea Chakraborty’s alleged chats with her drug peddler which led her arrest and then Bollywood actresses like Deepika Padukone and many others.

The intrusion due to the Pegasus spyware had led many questions against the government in Parliament concerning their involvement in this.

On the question “whether the government does Tapping of WhatsApp calls and Messages in the country?” raised by M.P. Shri Dayanidhi Maran in the Lok Sabha on 19th November 2019, Shri G. Kishan Reddy Minister of State in the Ministry of Home Affairs, categorically ignored it by quoting Section 69 of the Information Technology Act, Section 5 of the Indian Telegraph Act, and other related rules, which empowers the Government to intercept, monitor any information generated by in any computer resource in the interest of sovereignty and security of the state.

On 20th November, Minister of Electronics & Information Technology on the question raised by Mr. Asaduddin Owaisi reveals the fact that WhatsApp informed the MEITY on 5th September 2019 that around 121 users in India have been breached by Pegasus. This contradicts Meity’s earlier statement over their knowledge about the scale of the breach.

With the following concerns regarding WhatsApp being monitored by the Government and its agencies, on 20th September 2020 answering to the question raised by Shri Pinaki Misra in the Lok Sabha, Shri G. Kishan Reddy Minister of State in the Ministry of Home Affairs clearly denied that the government has no details about the Human Right defenders being targeted by the NSO Group’s Pegasus spyware in 2019.

Whereas on 9th November 2019 Ravi Shankar Prasad asserts, CERT-In (Indian Computer Emergency Response Team) wrote to WhatsApp, seeking more information, including a need to conduct an audit and inspection of WhatsApp’s security systems and process.

What is Pegasus?

A report by Citizen Lab, an interdisciplinary lab based at the Munk Schook of Global Affairs & Public Policy, University of Toronto discloses, that Isreal-based Cyber Warfare vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus.” NSO group asserts that Pegasus is only being provided to the Governments only for their national security purpose.

According to the Citizen Lab, it is very crucial to understand the nature of Pegasus, it works through an external link, the malware allows the surveillance as soon the user clicks on the link. Once Pegasus is installed the spyware can control the camera and microphone without letting you know and they can even track your entire day, what you do and to whom to meet.

The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.

In a report by The wire, Nihalsing Rathod, a victim of the Pegasus attack, asserts that he received some calls from international numbers. The moment he answered, it gets disconnected. On October 7, 2019, Rathod was acknowledged by John Scot-Railton senior researcher from Toronto university’s ‘Citizen Lab’ informing him he faced a “specific digital risk”.

Rathod is one of the lawyers litigating the Bhima Koregaon case along with him other human right defenders like Rupali Jadhav cultural and anti-caste activist, Degree Prasad Chouhan lawyer and a Dalit right activist, Bela Bhatia, Anand Teltumbde and Saroj Giri, and Shalini Gera were also been targated by the Pegasus spyware and all of them received a message from WhatsApp on their security breach. The common thing that arises from these attacks is that all these victims are connected to the Bhima Koregaon case, this cannot be merely a coincidence.

The message that Rathod received from WhatsApp. Credit: The Wire.

Digital Privacy laws in India

The Constitution of India does not directly safeguard the Right to Privacy as a Fundamental Right, but in many landmark Judgments, the Supreme Court of India read the Right to privacy along with Fundamental Rights enshrined under, Article 19 (1) (g) and Article 21 of the Constitution of India. Recently in the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors, the Supreme Court had considered the right to privacy as a Fundamental Right, subject to certain Reasonable restriction imposed by the State.

Unlike the European Union, India does not have a separate law for data protection. Still the Information Protection Act, 2000, and the Contract Act, 1872 are the only codified laws that govern the Digital Crimes. However, according to the Ravi Shankar Prasad, the Meity is working on the personal Data Protection bill to safeguard the privacy of citizens, and it is proposed to table it in Parliament.

Section 69 of the Information Technology Act 2000, empowers the government to order their officers or appropriate Government agencies to intercept, monitor, or decrypt any information including information of personal nature i.e. WhatsApp messages too, in the interest of the sovereignty, defense of India, friendly relations with foreign states, public order, for preventing incitement to the commission of any cognizable offense and for any investigation of any offense.

The legal protection for personal information in India is ascertained in the Information Technology Rules 2011, under section 45A of the Information Technology Act 2000.

  • Rule 4: Body corporates must provide a privacy policy to all ‘providers of information.
  • Rule 5(1): They must obtain consent in the letter, fax, or email from the ‘provider of information’ before collecting, using, or disclosing any sensitive personal information.
  • Rule 5(2)(a): While collecting the information, they must ensure that the individual is informed of the (a) fact that the information is being collected; b) the purpose for which the information is being collected; c) the intended recipients of the information; d) the name and the address of the agency collecting information, and the agency that will retain the information.

Though, the only preventive measure which was laid down by the ‘Citizen Lab’ to the victims of Pegasus, is to change your mobile phone.

About the Author

Nahush Gautam
Student of Gujarat National Law University.

Did you enjoy this story?

Subscribe now to get the latest updates straight in your inbox. No spam, we promise.

Continue Reading