Avoiding WhatsApp-gate in future
The point to be noted is that if WhatsApp doesn’t report suo motu, there are no penalties or jail time…what a huge loophole in the law, which needs to be corrected promptly in the next amendment
By Prashant Mali
Privacy has become a kind of floating myth, and we are running helter-skelter with every revelation of a different social media company’s prying-eyes adventure. WhatsApp is the app we Indians trust with our lives as a mode of communication; rather, we communicate our lives on it. That NSO-made Pegasus was secretly spying not only on our WhatsApp messages and calls but also on Facebook, Gmail and the whole phone came as a jolt to loyal WhatsApp users. Spyware thus embedded, with the capability of guessing what we are going to type next, is not like hacking the phone but like hacking the minds of unsuspecting users. What recourse are you thinking of, formatting the phone or a factory reset? No, my readers. Pegasus allegedly can exist even after a factory reset to spy on you…scary, isn’t it?
India and its mighty CERT were this time the first to report the WhatsApp vulnerability, one day before; kudos to them, but they were certainly handicapped in reporting whose mobile phones in India were compromised. CERT also erred in not asking WhatsApp for data after WhatsApp reported the bug. CERT India’s sultanate is guarded by only one section, i.e. Section 70-B of the IT Act, 2000, and the penal clause for not giving information “when asked” under Section 70-B(7) is up to one year’s imprisonment or a penalty of up to one lakh. The point to be noted is that if WhatsApp doesn’t report suo motu, there are no penalties or jail time…what a huge loophole in the law, which needs to be corrected promptly in the next amendment.
So, can India initiate action against WhatsApp? Oh! Yes, it goes as follows.
WhatsApp, by not following Reasonable Practices under Section 43A of the IT Act, 2000, has abetted unauthorised access, which is a cyber crime under S85, S43(a) & (b) read with S66 & S84(B) of the IT Act, 2000. The Indian Government can file a case and proceed against WhatsApp. This may create deterrence amongst other social media companies too. So, can WhatsApp hide behind the veil of being an intermediary? Not this time, because they didn’t follow due diligence as required by S79(2)(c); hence the safe harbor provision under S79 is not applicable in this case. CERT India can ask for data, i.e. the names of users, under S70-B(6); these users can be used as witnesses in the case, and if the data is not provided, a police FIR can again be registered under S70-B(7).
Incidents like these are creating chilling effects in the minds of Digital India users. India wants to launch its e-governance initiatives in a big way on popular apps; why India, even WhatsApp Pay now loses its sheen. How can WhatsApp Pay users trust it with their money when they cannot trust the platform itself? Trust in the Indian Government also diminishes when such incidents come up with the Government’s name dragged in. Probably WhatsApp should decide now whether zero-days and exploits are its business model, or whether providing communication aid and payment services should be its business model. WhatsApp should come clean this time to persist in the Indian market; downloads of Signal and Telegram have already increased, not that they are holy cows, it’s just that they are not in the news for privacy violations. Don’t forget that Rich Communication Services (RCS) with SMS still exists.
The Indian Government needs to send a strong message on privacy, which the Supreme Court had declared to be intrinsic to life and liberty and therefore an inherent part of our fundamental rights. Did governmental agencies use the services of the two Israel-based spyware makers, NSO Group Technologies and Q Cyber Technologies? If so, then those disclosures are required too. Now that warrants have been issued against these two companies by the northern district court of California in the USA, in the case of sending the malware ‘Pegasus’ to approximately 1,400 mobile phones globally, after WhatsApp filed a civil suit against the two cyber defence companies, India should follow suit locally too.
India today per se has skewed laws related to snooping, which need to be fixed by the Government. To date, all the activism to protect the privacy of citizens has been done by the courts, but the mighty law of the land should now be stepped up. Pegasus may not work now, as the WhatsApp bug is fixed. Any zero-day exploit lives until it is discovered and reported publicly by someone, but what about the zero-days that still exist? Thousands may still be compromised using other vulnerabilities. We need a law and we need it now. Digital India needs assurances at the speed of the digital age.
What the WhatsApp fiasco has done is give the Government a chance to amend Section 79 of the IT Act, the one that deals with the liabilities of intermediaries like WhatsApp and Vodafone, so that it can force them to monitor “unlawful” content, even at the cost of encryption. If enforced during this winter season, the proposed rules may require WhatsApp and others to break the privacy protection they offer to users through encryption, so that the government can get access to messages, images, videos etc. sent through IM apps, or at least get access to who sent a message, to trace its origins. This would also mean invading privacy at the cost of national security within lawful means.
I may not be in favour of the decryption keys being handed over to the Government, but I am sure about the other rule which the Government plans to bring in with The Information Technology [Intermediaries Guidelines (Amendment) Rules] 2019: Rule 3(9), which relates to the presence of web services and apps in the country. The amendments note that any IT company or service that has more than 50 lakh users in India will be required to have an office in the country and will have to appoint a nodal officer who will be available to work with law enforcement agencies on a 24×7 basis. This is required to maintain law and order and to aid crime investigation to get better conviction rates.
I believe cybersecurity lies in the resilience we develop, and resilience is developed by inculcating a cyber security culture in our daily lives. If we learn to remain alert and share our lives judiciously, we may ward off Pegasus-like attacks, and any further snoopgates like this wouldn’t give us goose bumps. A mixture of self-awareness supported by a legal framework would help us tide through a WhatsApp-gate like this in future.
(The author is a leading Cyber Lawyer, Bombay High Court and Cyber Thought Leader in the country)