'Noted WhatsApp malware, working on Personal Data Protection Bill': Govt tells LS

New Delhi: The government has taken note of the fact that a spyware/malware has affected some WhatsApp users in the country, the Lok Sabha was informed on Wednesday.

In a written reply, the Ministry of Electronics and Information Technology also said that it is working on the "Personal Data Protection Bill to safeguard the privacy of citizens, and it is proposed to table it in Parliament".

"The government has taken note of the fact that spyware/malware has affected some WhatsApp users. According to WhatsApp, this spyware was developed by an Israel based company NSO Group and that it had developed and used Pegasus spyware to reach mobile phones of a possible number of 1400 users globally that includes 121 users from India," the ministry said while replying to the question asked by Asaduddin Owaisi and Imtiaz Jaleel Syed.

They had asked whether the government has taken note of the fact that a spyware/malware 'Pegasus' of Israel-based NSO group has reportedly been used to infect, spy, steal mobile phone data of many human rights activists and journalists.

The ministry said that the government is committed to protecting the fundamental rights of citizens including the right to privacy and refuted media reports in the matter.

"Some statements have appeared, based on the reports in media, regarding this. These attempts to malign the Government of India for the reported breach are completely misleading ... The government operates strictly as per provisions of law and laid down protocols. There are adequate provisions in this Information Technology (IT) Act, 2000 to deal with hacking spyware etc," said the ministry.

The ministry further said that the Indian Computer Emergency Response Team (CERT-In) published a vulnerability note on May 17, 2019, advising countermeasures to users regarding a vulnerability in WhatsApp.

"Subsequently, on May 20, 2019, WhatsApp reported an incident to the ICERT-In in stating that WhatsApp had identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attacks," read the reply.

The ministry also said that CERT-In has issued a formal notice to WhatsApp seeking submission of relevant detail and information.

"On September 5, 2019, WhatsApp wrote to CERT-In mentioning an update to the security incident reported in May 2019 that while the full extent of this attack may never be known, WhatsApp continued to review the available information."

"It also mentioned that WhatsApp believes that it is likely that devices of approximately one hundred and twenty-one users in India may have been attempted to be reached."

"Based on media reports on October 31, 2019, about such targeting of mobile devices of Indian citizens through WhatsApp by spyware Pegasus, CERT-In has issued a formal notice to WhatsApp seeking submission of relevant detail and information," said the ministry.

The Centre had earlier sought an explanation from WhatsApp to explain the breach of privacy.

Union Information Technology Minister Ravi Shankar Prasad had said that the government is concerned at the breach of privacy of citizens of India on WhatsApp and has sought a detailed explanation from the messaging platform.

"We have asked WhatsApp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens," he had tweeted.