With nearly two-thirds of the world’s population plugged in the cyberspace, interestingly, social media seems to appeal to a wide range of cultures, age groups and personalities. What happens in a social media minute according to reports is rather mind boggling. Yes, there are nearly 4.4 billion internet users across multiple device types sending or receiving a whopping 41.6 million messages over Facebook Messenger and WhatsApp, besides, 3.47 lakh persons seem to be scrolling Instagram, 87,500 people posting to Twitter and another 4.5 million videos being watched on YouTube. This is possible due to the easy availability of affordable smartphones.
Notably our country has been a growing market for the social media network with recent statistics indicating that Facebook presently has 241 million active users in India – a million more than it does in the U.S. It is great to know that India is its largest user base for the first time.
All this is fine.
At a time when India is aiming to put in place social media regulations following trolling, character assassination, spreading lies and fake news, there is a growing worry ever since the Indian Express reported this October 31 about the alleged use of foreign spyware, Pegasus, to snoop on WhatsApp users, primarily Indian journalists and human right activists. Yes, the WhatsApp episode shows how easy it is to violate the right to privacy and that anyone using a smart phone can no longer be hopeful of end-to-end encryption.
The Pegasus controversy has generated several debates. The opposition parties and the government continue to spar over allegations of such spying. The Parliamentary Standing Committee on Information Technology headed by Dr Shashi Tharoor which meets on 20 November to discuss 'Citizens’ data security and privacy’ is also expected to take up the snooping issue.
Due to the scare spread across the country, WhatsApp has reportedly seen a massive decline in its downloads even as downloads for other end-to-end encrypted messaging applications like the Telegram and Signal rose 10% and 63%, respectively. A week before the Pegasus issue came to limelight, between October 17 and October 25, WhatsApp saw 8.9 million installs.
Following the filing of a civil suit by Facebook, the parent company of WhatsApp, in a California Court in the US, two Israel-based cyber intelligence companies, have been given three weeks to respond to the charges of Facebook or move their own motion before the court.
It is interesting to note that in May 2019, WhatsApp identified that a bug in the app’s call function. It was used to install a malicious code into users’ mobile phones. On October 29, WhatsApp further identified the malicious code as Pegasus, a spyware developed by an Israeli firm NSO which was used to conduct cyberespionage in several countries including India. Believed to have been developed by senior intelligence experts, to provide governments with a way to address the new communications interception challenges in today's highly dynamic cyber battlefield, Pegasus is described as the world-leading cyber intelligence solution that enables law enforcement and intelligence agencies to remotely and covertly extract valuable intelligence from virtually any mobile operating system – be it BlackBerry, Android or iPhone without alerting the target to its presence. The attackers are known to send specific tailor-made messages, SMS, email etc., to targeted persons, often conveying a sense of urgency and containing a link which when clicked helps in the installation of the spyware on the mobile phone. Such messages could be purported to be from reputed organisations. It can range from messages warning the target of impending danger or security threat; personal matters, reference purchases, credit cards etc.
The Pegasus gets transmitted by calling the target phone on WhatsApp. Importantly, even if the call is not answered, the code can enter the phone. Reports indicate that the software can read not only the entire content off the phone, but also operate its camera without the user’s knowledge. The Citizen’s lab of the University of Toronto which collaborated with WhatsApp on identifying spyware victims found that once Pegasus gets installed it can track the phone’s location/calls, read text messages, do real-time monitoring, screen grabbing as well send the target’s contacts, calendar events on communication apps like WhatsApp and Telegram to the spyware’s controller. Further, the spyware can steal messages from even services that offer encryption. The controller, having the ability to turn the phone into a spying device by switching on its camera or microphone, can compress all this data and send it to the agency that deployed it. Among the 1400 users reportedly targeted by Pegasus, across 20 nations, were 121 Indian journalists, activists, lawyers and senior government officials, who were spied on for a two-week period this April.
With more and more people using mobile phones for a number of activities, from purchasing to banking including social networking and storing a wealth of personal information, there is no end in sight for cybercrime as the crooks seem to be getting wiser and more daring. The Pegasus episode is just a tip of the iceberg. Studies have concluded that four out of ten mobile users click on unsafe links with their smartphone. At least 30% smartphone users store credit and debit card information along with passwords on their mobiles making them vulnerable. Threats also come camouflaged as games where the unsuspecting user’s data gets compromised once ‘permissions’ are granted by the user during installation of applications. Close to 90 per cent of smartphone applications can transmit confidential payment information related to credit and debit cards as also bank account information without the consent or knowledge of the user. Financial applications in smartphones can be infected with specially designed malware to steal vital information.
As smartphones have vulnerabilities and consequences of a mobile attack can be severe, small steps like configuring the device to be more secure, using encrypted connections, avoiding public Wi fi, desisting from following links received in suspicious emails or sms, maintaining physical control of one’s mobile in public places, disabling Bluetooth, Wi Fi when not currently in use, being careful when using services that track one’s location etc., can minimise cyber threats to mobile phones. It has to be realised that a bit of awareness can go a long way in protecting one’s privacy and avoid loss of precious data.(Published on 18th November 2019, Volume XXXI, Issue 47)