Indian lawyers among those targeted in WhatsApp surveillance fiasco

Indian lawyers among those targeted in WhatsApp surveillance fiasco

Aditya AK

In a disturbing development, a spyware on WhatsApp has reportedly exposed lawyers, activists and journalists in India to surveillance. Israeli firm NSO Group – the designer of the spyware Pegasus – has been accused of helping government spies track human rights defenders and journalists in at least 20 countries across the world.

Three lawyers – Shalini GeraNihalsing Rathod and Ankit Grewal – are among the Indians who were intimated that their numbers were placed under surveillance through the spyware on the social media platform.

Back in May 2019, WhatsApp identified a glitch that allowed attackers to inject spyware on phones by simply calling the number of a target’s device. Two days ago, the social media giant attributed the attack to NSO Group.

Canadian cybersecurity research organisation Citizen Lab had worked with WhatsApp to help identify the persons who were targeted by Pegasus. The organisation based at the Munk School of Global Affairs & Public Policy, University of Toronto revealed how Pegasus works:

“Once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, and use the GPS function to track a target’s location and movements.”

Pursuant to collaboration with WhatsApp, Citizen Lab got in touch with the persons who were likely placed under surveillance.

Shalini Gera, a Chhattisgarh-based lawyer who is part of the Jagdalpur Legal Aid Group (JAGLAG), revealed to Bar & Bench that she was contacted by Citizen Lab in the first week of October.

Citizen Lab had told Gera that the numbers of activists, journalists and lawyers around the world were targeted between February and May 2019. And Gera’s was one of them.

Gera remembers receiving WhatsApp video calls from an unknown Swedish number during the period. Although she did not take the calls, it is unclear as to whether the spyware could have been placed on her phone by merely calling her number. 

Reacting to the intimation by Citizen Lab that she was placed under surveillance, Gera said,

“I didn’t find it odd, given our history.”

Gera and JAGLAG have been targeted in the past by various quarters in Chhattisgarh – including the police. In 2015, the group was forced to evict its premises in Jagdalpur and carry out its legal aid services in Bilaspur.

As to whether the Government of India was the beneficiary of such surveillance, Gera was informed that such spyware costs millions, and could only be afforded by large organisations like a government. She says,

“I don’t think governments of other countries would be interested in me, given the work I do.”

Two days ago, Gera received confirmation from WhatsApp itself that her number was targeted by the spyware.

Indian lawyers among those targeted in WhatsApp surveillance fiasco

When asked the possible reason as to why she could have been targeted, she said that helping out in Sudha Bharadwaj’s case might have had something to do with it. Bharadwaj, an accused in the Bhima Koregaon case that allegedly pointed to Maoist links in the violence that broke out in January last year, has been in custody since August 2018.

And it is the Bhima Koregaon incident and its aftermath that connects the other lawyer targeted in the surveillance fiasco, Nihalsing Rathod.

Speaking to Bar & Bench, Rathod hinted WhatsApp was not the only means through which spyware could have been introduced on systems. He revealed that he had been receiving various emails having suspicious links from persons known to him.

When asked for the reason as to why he was being targeted, Rathod said,

“The purpose is not only to spy on you, it is to implicate you as well. The reason they have targeted us is to create something on the basis of which they can do character assassination and call us anti-nationals and urban Naxals and whatnot. Which is what they have done in the Bhima Koregaon case.”

Rathod heads the Nagpur chapter of NGO Human Rights Law Network (HRLN). He has been appearing in the Bhima Koregaon case on behalf of his senior, Surendra Gadling, who is one of the accused.

He pointed out that the evidence in the Bhima Koregaon case could have been planted using similar means.

“Being a lawyer for the defence team, an eye is being kept on me. Mr. Gadling, who is my senior, has received similar kinds of emails and phone calls.”

Rathod further said that the government cannot conduct surveillance without complying with Section 65B of the Information Technology Act. This provision lays down conditions for the admissibility of electronic records as evidence.

He went on address larger questions surrounding the surveillance that was conducted on him, including the Fundamental Right to Privacy.

“What does the Right to Privacy as upheld by the Supreme Court really mean? Is it really sacrosanct or is alterable at the whim of the State?”

He also raised the possible violation of attorney-client confidentiality by surveillance of his conversations with clients.

When asked whether he plans to take any action in light of these developments, Rathod said,

“I have requested the affected people to come forward so that there is a consolidated action.”

Meanwhile, the Indian government has asked WhatsApp to explain the breach and to reveal the measures taken to strengthen the privacy of Indian citizens.

Suit in US federal court

On the international front, WhatsApp has filed a suit against NSO Group in a federal court in San Francisco. The suit reportedly accuses NSO of facilitating government hacking sprees in 20 countries, and that 100 civil society members were targeted in “an unmistakable pattern of abuse.”

As per the complaint published by Washington Post, between April 29 and May 10 this year, NSO caused its malicious code to be transmitted over WhatsApp servers in an effort to infect approximately 1,400 target devices. The users of these devices included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

“According to media reports and NSO documents, Defendants claimed that Pegasus could be surreptitiously installed on a victim’s phone without the victim taking any action, such as clicking a link or opening a message (known as remote installation). Defendants promoted that Pegasus’s remote installation feature facilitated infecting victims’ phones without using spearphishing messages that could be detected and reported by the victims.”

It is further alleged that NSO violated WhatsApp’s terms of use by using the platform’s servers without authorization, to send discrete malware components to target users.

The Indian government has not been specifically named among NSO’s clients, which include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities.

Violations of the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act under the California Penal Code, breach of contract, wrongful trespass are among the causes of action for filing the suit.

The lawsuit thus seeks to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services. In this light, the social media platform has pleaded for compensatory, statutory, and punitive damages, as well as reasonable costs, including reasonable attorneys’ fees.

WhatsApp and Facebook are represented by Cooley LLP and Daniel J Grooms.

In light of the issue, head of WhatsApp Will Cathcart wrote in an op-ed,

“This should serve as a wake-up call for technology companies, governments and all Internet users. Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”

Bar and Bench - Indian Legal news