India and several governments use Israeli spyware to breach WhatsApp

WhatsApp, a communications service owned by Facebook, filed a complaint against NSO Group on Tuesday in US District Court in California. WhatsApp accuses the Israeli technology company (acquired by Novalpina Capital) of selling spyware that infects targeted users’ phones and devices and transmits their information to third parties.

In an opinion piece written for the Washington Post, WhatsApp head Neil Cathcart said: “While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”

NSO Group is known for its surveillance software Pegasus, which reportedly has the ability to turn on a phone’s camera and microphone, sift through emails and messages and collect location data.

Pegasus works by placing a call to a targeted user’s phone via WhatsApp. The targeted user doesn’t even have to answer the call for the spyware to be installed in their phone.

The NSO Group bills itself as creating “technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe”.

However, WhatsApp says the software was misused to target “at least 100 human-rights defenders, journalists and other members of civil society across the world.”

In the Washington Post opinion piece, Cathcart warns: “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

A report in the New York Times that quotes the lawsuit puts the total number of breaches at more than 1,400 people in 20 countries.

Despite NSO Group’s denial that its spyware is used to target civilians, Canada’s Citizen Lab believes otherwise. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto. It has been assisting WhatsApp in its research into the app hacks detected in May 2019, especially to identify cases “where the suspected targets of this attack were members of civil society, such as human rights defenders and journalists”.

A report by the Citizen Lab points out: “NSO Group spyware is being sold to government clients without appropriate controls over how it is employed by those clients. They are, in turn, using NSO’s technology to hack into the devices of members of civil society, including journalists, lawyers, political opposition, and human rights defenders—with potential lethal consequences.”

The situation in India and around the world

An article published in the Indian Express notes: “At least two dozen academic, lawyers, Dalit activists and journalists in India were contacted and alerted by WhatsApp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019.”

According to The Indian Express article, WhatsApp wouldn’t reveal the exact information about how many people were the target of surveillance via Pegasus in the country or their identities, but a spokesperson told the newspaper: “While I cannot reveal their identities and the exact number, I can say that it is not an insignificant number.”

But activists whose WhatsApp numbers were breached have started to come forward, triggering outcry in the country. 

The Indian Express tried to get comments from Home Secretary A K Bhalla and Electronics and Information Technology Secretary A P Sawhney but their efforts went unanswered.

In September 2018, Citizen Lab had identified India as one of the 45 countries that had been targeted with the Pegasus spyware.

“We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies,” Citizen Lab reported.

The Citizen Lab has pinpointed at least six countries that have used Pegasus “to target civil society”, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates. The lab is concerned that this poses a human rights risk to the targets involved.

The Citizen Lab provided another case study in October 2018 in which it identified a Saudi Arabian citizen who has escaped to Canada and is now a student there. Activist Omar Abdulaziz is an outspoken critic whose family has been threatened by the Saudi state. Based on the analysis of data movement patterns on the internet, the lab believes Abdulaziz’s phone has been infected and that “the targeting occurred while Abdulaziz, who received asylum in Canada, was attending university in Quebec”.