Pegasus: The WhatsApp Spyware

Ujjwal Tomar / November 24, 2019

What is Pegasus?

Pegasus is a type of spyware created by the NSO Group, a company based out of Israel. Like any other app, WhatsApp too had a loophole in its application which was exploited by the company by using this spyware. A missed call to the phone was enough to embed the malware into a victim’s device. Pegasus was first reported in May 2019 after which Whatsapp did make a public announcement. However, as the Indian Government claims, no intimation as to accounts of Indian citizens being compromised was given by WhatsApp.

Then, why is Pegasus being hyped again?

The recent limelight was drawn towards the spyware following WhatsApp’s decision to institute a suit against the NSO Group in the USA. More so as newspaper and new channels claim, a WhatsApp spokesperson said that the company approached citizens whose accounts were compromised a week ago to assist them. WhatsApp has accepted the fact that a few Indian citizens were also part of approximately 1400 individuals targeted. Following this, the Indian Government put questions to WhatsApp for breach of privacy of Indian citizens.

Can WhatsApp be made liable for the breach?

This is the major question lurking the minds of plenty. Like any other application out there, WhatsApp too is bound to have certain bugs and security teams at the company continually fix them. Does merely the presence of a bug make WhatsApp responsible? More so, does the presence of a bug give NSO Group the right to exploit it?

Likewise, the presence of a loophole does not give NSO Group the right to exploit the vulnerability. As an individual would not be liable for accidentally leaving the back door open, so would WhatsApp not be liable for a bug in the app.

Having said that, WhatsApp does have a duty of care towards its users. It needs to be seen what action did WhatsApp take the moment the bug was identified. Whatsapp claims the vulnerability has been patched. Moreover, it went on to contact the targets to assist them. However, what is yet to be seen is the compliance in handling the breach of personal data by WhatsApp in accordance with mandates and requirements of GDPR.

Article 33 of the GDPR requires that in case of any breach of personal data, the controller informs the supervisory authority within 72 hours. Any delay in doing so has to be reasonably explained. Since GDPR’S enforcement, hefty fines have been imposed on several tech giants by nations owing to similar breaches. Is WhatsApp next in line? As events unfold, only time will tell.