Indian government has no dealings with Israeli company NSO that is said to be behind a software used to snoop on activists and journalists around the world, a top government source said on Friday.
The source, who requested anonymity, said WhatsApp had not disclosed the alleged spying incident in its conversations with the Indian government that it has had since the attack in May this year.
India, the source said, will continue to insist on WhatsApp bringing in traceability and will also want the Facebook-owned company to respond to the latest incident in full details.
WhatsApp has been given time till November 4 to respond, and the government will decide on the future course of action once it receives a reply from the company.
A WhatsApp spokesperson said that in May, the company had "quickly resolved a security issue and notified relevant Indian and international government authorities".
"Since then we've worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable", the spokesperson said in a statement.
WhatsApp emphasised that it accords the highest priority to the privacy and security of its users. "We agree with the government of India it's critical that together we do all we can to protect users from hackers attempting to weaken security."
NSO has so far maintained that it only sold its "technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime" and is not "designed or licensed for use against human rights activists and journalists."
It was not clear to whom the company has sold its software to in India and at whose behest journalists and activists were targeted.
The source said there has been no dealing between the government and the NSO, and that the fight is between NSO and WhatsApp.
The Indian government is concerned only because Indian names are involved, the source said.
The source said WhatsApp Global Head Will Catchcart (in July) and Facebook Global VP Global Affairs and Communications Nick Clegg (September) had met IT Ministry officials and that the government, in these meetings, had insisted on disclosure of malicious source under compelling reason that did not require any decryption.
Even at that point in time, WhatsApp did not disclose this incident, the source pointed out, adding that any hacking incident pertaining to the country has to be reported to the authorities.
WhatsApp has over 1.5 billion users globally, of which India alone accounts for about 400 million.
In the past too, WhatsApp has drawn flak from the Indian government on the platform being misused for spreading misinformation that led to incidents of mob lynching.
The government has categorically told WhatsApp that it wants the platform to bring in a mechanism to enable tracing of the originator of messages, a demand that WhatsApp has resisted citing privacy issues.
The source raised questions on whether the disclosure by WhatsApp was a rearguard action to prevent the government from bringing measures on traceability and accountability.
Drawing parallels with a letter in an envelope, the source said the government was not interested in the contents of the letter but the address of the sender.
The person said it was not acceptable that WhatsApp resist demands for message traceability when in fact people are being snooped on, and that challenges around end-to-end encryption technology can be certainly solved with technology.
WhatsApp on Tuesday filed a lawsuit in a California federal court against NSO Group, which allegedly developed the spyware, saying an attempt was made to infect approximately 1,400 "target devices" globally with malicious software to steal valuable information from those using the messaging app.
These attacks allegedly targeted civil society members like journalists and human rights activists across the world, including India.
On Thursday, WhatsApp had said Indian journalists and human rights activists were among those globally spied upon by unnamed entities using an Israeli spyware Pegasus.
Following the disclosure, the government asked WhatsApp to explain the matter and list out the measures that have been taken by it to safeguard privacy of millions of Indians.
WhatsApp on Friday said it has taken a "strong action" in the incident and that it supports the Indian government's stand on the need to safeguard the privacy of all citizens.
"We agree with the government of India's strong statement about the need to safeguard the privacy of all Indian citizens. That is why we've taken this strong action to hold cyber attackers accountable and why WhatsApp is so committed to the protection of all user messages through the product we provide," a WhatsApp spokesperson said.
The spokesperson, however, did not comment on whether WhatsApp has submitted its response to the government's query.
The government is also questioning the timing of the disclosure of the hacking incident, particularly against the backdrop of Supreme Court allowing the Centre three months to come up with rules to curb misuse of social media in the country, the source added.
Asked whether the developments could further delay national rollout of WhatsApp Pay, the source said this incident raises flags on the seriousness and security of WhatsApp's digital payment plans because digital payments need to be fool-proof.
