Begin typing your search above and press return to search.
Top Stories

Petitioner Cites Pegasus Issue In Supreme Court To Argue Against Allowing WhatsApp Payment Services

14 Dec 2020 9:12 AM GMT
Petitioner Cites Pegasus Issue In Supreme Court To Argue Against Allowing WhatsApp Payment Services

The controversy regarding snooping of WhatsApp users using Israeli spy software 'Pegasus' found a mention in the Supreme Court on Wednesday.The 'Pegasus-Whatsapp' issue was referred to by Senior Advocate Krishnan Venugopal to argue that the system of WhatsApp was not secure and reliable so as to allow it to launch payment services.Venugopal was appearing for Binoy Viswam, Rajya Sabha MP...

Your free access to Live Law has expired
To read the article, get a premium account.
    Your Subscription Supports Independent Journalism
Subscription starts from
(For 6 Months)
Premium account gives you:
  • Unlimited access to Live Law Archives, Weekly/Monthly Digest, Exclusive Notifications, Comments.
  • Reading experience of Ad Free Version, Petition Copies, Judgement/Order Copies.
Already a subscriber?

The controversy regarding snooping of WhatsApp users using Israeli spy software 'Pegasus' found a mention in the Supreme Court on Wednesday.

The 'Pegasus-Whatsapp' issue was referred to by Senior Advocate Krishnan Venugopal to argue that the system of WhatsApp was not secure and reliable so as to allow it to launch payment services.

Venugopal was appearing for Binoy Viswam, Rajya Sabha MP belonging to Communist Party of India(CPI), who has filed a writ petition in the Supreme Court seeking to direct the Reserve Bank of Inda(RBI) and the National Payments Corporation of India(NPCI) to ensure date protection of various Unified Payments Interface (UPI) platforms.

Referring to Venugopal's submission, the Chief Justice of India told Senior Advocate Kapil Sibal, the counsel of WhatsApp : "Mr. Krishnan Venugopal has made a serious allegation that your system (WhatsApp) can be hacked by something called 'Pegasus'".

Sibal vehemently denied the allegation as "absolutely baseless". He submitted that such an allegation was not there in the writ petition and that the same was a baseless oral submission made across the bar.

Venugopal retorted by saying that the Pegasus issue has been covered by several newspapers.

CJI then told Venugopal that the submission should be made on affidavit. In response, Venugopal asserted that the submission is there on the affidavit.

The petition refers to the Pegasus controversy in paragraph 22 as follows :

"...after the acquisition of Whatsapp by Facebook in 2014, Whatsapp has also suffered from and been accused of several privacy and security breaches as well. The biggest breach among those was the hacking of the devices and accounts of several Indians by the software named "Pegasus" developed by Israeli organization NSO. The spyware was activated on an individual's device by merely a missed voice call on the application, which highlights the vulnerability of respondent no.7's (Whatsapp) platform"

The Pegasus issue came to light last year after Whatsapp filed a suit in the US against the Israeli company alleging that it hacked the Whatsapp servers to install malwares on the accounts of nearly 1400 users for conducting surveillance.

The issue found echoes in India as the list of targeted individuals allegedly contained several prominent activists, journalist, lawyers and academicians who have voiced dissent against the Indian government.

When the subject was raised in the Rajya Sabha last year, the Union IT Minister Ravi Shankar Prasad refused to give a direct answer to the query whether the Indian Government hired the services of Pegasus to snoop on individuals.

The Minister said "no unauthorized interception has been done, to the best of my knowledge".

Whatsapp Spyware : Union IT Minister Evades Question In Rajya Sabha On Whether Govt Sought Pegasus Services

Major issues with UPI platforms, petitioner submits in SC

The PIL filed by the CPI MP through Advocate Sriram Parakkat seeks for "the protection of fundamental right to privacy of millions of Indian citizens who are using Unified Payments Interface (UPI)".

Krishnan Venugopal, appearing for Binoy Viswam, submitted that there are three or four major issues with the UPI systems of Amazon, Google, Facebook and Whatsapp.

As far as Whatsapp is concerned, there is no system for 'two-factor authentication', he said. Whatsapp is using the same platform of the messenger service to allow payments.

Another issue raised by the counsel was "data localization". According to him, the problem with Whatsapp, Amazon & Google was that when they allow payment to happen, data goes abroad.

He submitted that the RBI has to respond on whether it is proper for the data of Indians to go abroad without any formal protection.

He further submitted that critical financial data is being allowed by the RBI to be accessed by companies abroad without any regulations or guidelines. This is violation of Privacy judgment as a citizen's data is being grossly misused by these companies which use the aggregated data for their revenue generation through advertisements and promotions.

Venugopal argued that  the data is being shared with the parent companies in violation of the NPCI guidelines. The data is being processed by the infrastructure of the parent company.

The bench, also comprising Justices AS Bopanna and V Ramasubramanian, asked the National Payments Corporation of India(NPCI) to reply to the petition and adjourned the hearing till the last week of January 2021.

The petition submits that RBI and NPCI "have permitted the three members of 'Big Four Tech Giants' i.e. Amazon, Google and Facebook/WhatsApp (Beta phase) to participate in the UPI ecosystem without much scrutiny and inspite of blatant violations of UPI guidelines and RBI Regulations".

This conduct of the two authorities, submits the plea, invariably puts the sensitive financial data of Indian users at huge risk, especially in light of the fact that the Big Four Tech Giants have been "continuously accused of abusing dominance, and compromising data, among other things". There is also a reference to the fact that CEOs of these entities had been directed to testify in a hearing before the Judiciary Committee of US Congress.

"Although these entities are based in United States and take Indian data abroad, however, in absence of any strong scrutiny and responsibility the data shared on their platform is at very high risk of being misused. Moreover, these entities in the past have not only been blamed for misusing the data of its users, but has also been accused of reneging the promises made to the law makers and regulators".

However, it is stated in the plea, instead of actively looking into the allegations, RBI and NPCI have turned a blind eye and have permitted their operation on UPI platforms. Referring to an April 2018 circular issued by RBI directing all system providers to ensure data relating to payment systems operated by them to be stored in India, the plea submits that system providers, especially WhatsApp and Google Pay, have failed to follow the deadline of October 2018.

RBI, however, in complete disregard of the financial data of users, toned down the Circular in an FAQ and clarified that in cases of Data Processing done abroad, the data should be deleted from the systems and brought back to India within 24 hours. The plea submits that the FAQ was illegal and ultra vires the Circular issued, and prays for the same to be declared so.

The plea goes on to state that the entities have failed to comply with even the diluted data localization norms and, that RBI and NCPI have failed to take any action against them, thereby "jeopardizing the security of payments data of Indian citizens".

Positing that these entities already have access to immense personal data of millions of Indian users, "if they are permitted to collect unrestricted financial data of Indian users while operating at the UPI platform, the same will give them draconian control over sensitive India data".

"Further, in absence of any compelling state regulation, accumulation of such kind of data at such a large scale is also violative of Article 14 of the Constitution of India. Thus, the continuation of Amazon Pay, Google Pay and WhatsApp Pay, without proper safeguards ensuring that no data accessed by these entities through its payment services would be transferred outside India, stored indefinitely and shared with parent companies, would be against national interest".

In light of the above, the plea prays for directions to RBI and NPCI to ensure that WhatsApp Pay is not permitted to launch full-scale operations without fulfilling all legal compliances to the satisfaction of the Supreme Court.

It further prays for RBI to frame necessary regulations in an order to ensure that the data collection on UPI Platform is not exploited/used by the participants in any manner other than for processing of payments, and to ensure that the data collected by WhatsApp Pay, Google Pay and Amazon Pay is not shared with their parent company or any other third party.

In an affidavit filed  in a related case, the RBI has told the Supreme Court that it has not granted permission to Whatsapp to go live for full-scale operations on Unified Payments Interface (UPI) system.

The RBI further told that it "concerned that WhatsApp was storing some payment data elements outside India beyond the permitted timelines indicated in the circular and the Frequently Asked Questions on 'Storage of Payment System Data' issued by RBI on June 26, 2019" thereby stating that it was not to go live until all norms were met by the company.

No Permission Granted To Whatsapp For Full Scale Operations On UPI System : RBI Tells SC [Read Reply]

Last week, the Delhi High Court sought the responses of RBI and NPCI on a petition seeking regulation of UPI platforms.


Next Story
Share it