After WhatsApp accounts of 121 Indians were compromised by the Israeli spyware Pegasus, experts have warned that the payment feature the Facebook-owned platform is planning to launch in India may put the digital banking system at risk.
The Ministry of Electronics and Information Technology (Meity) has already expressed dissatisfaction over the manner WhatsApp communicated about the compromised accounts.
The piece of NSO Group software called Pegasus allegedly exploited WhatsApp’s video calling system by installing the spyware via missed calls to snoop on 1,400 users globally. The devices were compromised with just a WhatsApp video call.
In May, WhatsApp, which has 400 million users in India, urged its 1.5 bn global users to upgrade the app after discovering the vulnerability. “WhatsApp’s recent operations have shown that it’s difficult for the government to get information from it. WhatsApp is an intermediary under the Information Technology Act and is mandated to exercise due diligence under the law. But it has failed to do due diligence,” Duggal said. “You should not be in a hurry to grant new licences or permission to WhatsApp without being satisfied with its adherence to cyber-security norms, international best practices and Indian laws,” he said. The Facebook-owned company is learnt to have countered the government charge that it didn’t inform it about a privacy breach on the messaging platform. WhatsApp didn’t even comply with the data breach notification law in India, Duggal said. “It (WhatsApp) didn’t follow reasonable security practices as mandated in Section 43A of the IT Act, 2000. It abetted the crime of unauthorised access too. Granting WhatsApp pay licence should be given a second thought by the RBI,” said Prashant Mali, cyber lawyer at Bombay High Court.