KN Govindacharya files letter petition on WhatsApp NSO matter to SC
Separately, Govindacharya wrote to electronics and IT minister Ravi Shankar Prasad seeking a probe by the National Investigation Agency against WhatsApp, its owner Facebook, NSO Group Technologies and Q Cyber Technologies for compromising public data.
In the letter, a copy of which ET has seen, Govindacharya said government agency accounts on WhatsApp should be removed in the interest of national security and that the Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018 must be notified to make such companies accountable.
The snooping took place earlier this year and involved 121 Indians, it was revealed last week.
The perjury claim was made in the matter of the Supreme Court hearing a transfer petition by Facebook from the Madras High Court, which was originally about linking of social media accounts with Aadhaar. It has since been expanded to include issues such as the government’s demand to find a way to trace originators of messages in cases involving national security.
WhatsApp had told the courts that its systems are fully encrypted, a situation akin to a locked room to which no one, including the messaging company, has the key, according to the letter-petition.
“From the present incidents, it is clear that such a claim was wrong. On the other hand, WhatsApp did not disclose to the honourable courts about the hack despite having full knowledge at that time. The government, being a party, must file suitable application against WhatsApp for perjury,” the petition said.
“It’s like arguing in the court that we don’t have the keys to the house while not disclosing that someone has already broken the lock,” Virag Gupta, lawyer for Govindacharya, told ET.
Gupta said that the government’s argument that WhatsApp is bound under the IT Act to give details of the attack is not valid since the law is not clear on it.
“So many attacks have happened in the past by several internet companies – be it Google, Facebook or Twitter. Have they all informed the government and if not, then why hasn’t the government taken any action against them?” asked Gupta.
The letter-petition states that while IT ministry officials claim that WhatsApp failed to inform government authorities about the hack, the ministry has not notified the intermediary rules that would make it possible for the government to penalise the companies in case they fail to inform the government of a security incident involving Indians.
Experts said the IT Act has no clear provisions or penalties that make companies duty-bound to report security incidents to the government.
“The law is clear that WhatsApp is an intermediary under the IT Act,” said Pavan Duggal, a Supreme Court advocate and cyber law expert. “It is mandated to exercise due diligence to discharge its obligations under the IT Act. Once a breach has happened, WhatsApp is mandated to inform CERT-In. The onus is then on the agency to do a detailed analysis.”
“As per the IT (Intermediaries Guidelines) Rules, 2011, Rule 9, the intermediary shall report cyber security incidents and also share cyber security incident-related information with the Indian CERT, but it never says if they don’t report what would be the punishment or penalties – this loophole needs to be patched immediately,” Prashant Mali, a cyber law expert, told ET.
Gupta said that despite this provision, companies are not penalised for not reporting incidents.
“These companies don’t have offices or nodal officers in India, then how can they be held responsible? That’s why we have requested the government to notify the rules so that these companies can be made liable,” he added.
ET reported on Sunday that WhatsApp informed the Indian government that it had written to the country’s nodal cyber response agency in September about the data breach in the accounts of 121 Indian users of its messaging app by the Pegasus spyware and had also informed CERT-In about a malware in its messaging app in May. The government said the messaging company did not share enough details such as the identity of those affected and the nature and origin of the malware.
The government had asked WhatsApp for a response on the NSO hacking matter by November 4. In its affidavit in the Facebook transfer petition matter, the government informed the apex court that the process for notifying the intermediary rules is likely to be completed by January 15, 2020.
Gupta’s petition also seeks to direct the government to regulate the sale of data of Indian users by foreign internet companies and levy GST on such transactions.
Govindacharya’s previous petitions in the Delhi High Court led to WhatsApp having to appoint a grievance officer for India and the government framing its social media and email policy.