Download as PDF Print
PDF/WORD(Hindi) PDF/WORD
GOVERNMENT OF INDIA
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
LOK SABHA
UNSTARRED QUESTION NO: 2576
ANSWERED ON:  04.12.2019
Extent of WhatsApp Privacy Breach
Dayanidhi Maran
Will the Minister of



ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to state:-



Will the Minister of ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to state?

(a) whether the Government has assessed the extent of privacy breaches in the recent WhatsApp snooping using the Israel-based NSO Group’s Pegasus spyware and if so, the details thereof;

(b) whether the spyware was used for surveillance purposes and/or theft of private data and if so, the details thereof and the reaction of the Government thereto; and

(c) the current regulations and measures put in place by the Ministry to protect financial data of users?



ANSWER
(a) and (b): On May 20, 2019 WhatsApp reported an incident to the Indian Computer Emergency Response Team (CERT-In) wherein it mentioned that WhatsApp identified and promptly fixed a vulnerability that could enable an attacker to insert and execute code on mobile devices and that the vulnerability can no longer be exploited to carry out attack.

On September 5, 2019 WhatsApp wrote to CERT-In mentioning update to the security incident reported in May 2019, that while the full extent of this attack may never be known, WhatsApp continues to review the available information. It also mentioned that WhatsApp believes it is likely that personal data within the WhatsApp app of approximately twenty users may have been accessed out of approximately one hundred and twenty one users in India whose devices the attacker attempted to reach.

The Government is committed to protect the fundamental rights of citizens, including the right to privacy. The Government operates strictly as per provisions of law and laid down protocols. There are adequate safeguards to ensure that no innocent citizen is harassed or his privacy breached.

(c): Section 43A of the Information Technology (IT) Act, 2000 establishes a legal framework for data protection in India. The section provides for compensation to be paid to the victim in case of unauthorized access of information and leakage of sensitive personal information respectively. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) rules, 2011 notified under section 43A explicitly define ‘sensitive personal information’ which includes “financial information such as Bank account or credit card or debit card or other payment instrument details of the users”

*******


Developed and Hosted by National Informatics Centre (NIC)
Content on this website is published, managed & maintained by Software Unit, Computer (HW & SW) Management. Branch, Lok Sabha Secretariat