The need to investigate the NSO Group, which was behind the Pegasus software, is now greater than ever. #SaveOurPrivacy

We wrote to the Chief Ministers of Maharashtra and Chhattisgarh urging them to establish committees to investigate the WhatsApp hack. Our key recommendations were to include victim and expert testimony in the investigation, which should be carried out in a transparent manner.

10 April, 2020


According to a Hindustan Times report dated April 07, 2020, the NSO Group has created a surveillance application to track COVID-19 infected patients, which it has been actively pitching to almost a dozen governments around the world. This is the same company that was behind the Pegasus software used to hack the WhatsApp applications of a substantial number of Indian citizens, mainly journalists and human rights activists, in May and June of 2019. Mindful of the potential harms of this COVID-19 application being used by the Indian government, we wrote to the Chief Ministers of Maharashtra and Chhattisgarh urging them to establish committees to investigate the WhatsApp hack. Our key recommendations were to include victim and expert testimony in the investigation, which should be carried out in a transparent manner.

What happened?

Last year, on May 14, 2019, an article published in the Financial Times reported for the first time that WhatsApp “discovered that attackers were able to install surveillance software on both iPhones and Android phones by ringing up targets using the app’s phone call function.” As per a statement by WhatsApp, this vulnerability was patched and closed. On October 30, 2019, the Indian Express published a report containing statements made by WhatsApp which confirmed that the victims of the hack in India were mostly Indian journalists and human rights activists. Of these, a significant number are situated in Maharashtra and Chhattisgarh, as the hack targeted lawyers related to the Bhima-Koregaon case in Maharashtra and Dalit activists in Chhattisgarh.

What is the law related to hacking?

Surveillance such as this, which was carried out through the Pegasus software developed by the NSO Group, puts the personal and informational privacy of citizens at risk. This goes against the decision in Justice K.S. Puttaswamy vs Union of India, which affirms informational privacy as one of the facets of the right to privacy.

Additionally, the Information Technology Act, which deals with interception of data, expressly prohibits hacking. Under S. 66 of the Act, hacking is a criminal offense punishable by imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Attempts at reputation laundering by the NSO Group

We are bringing this up again now because we are especially concerned about the operations of the NSO Group in India. It was reported in the Hindustan Times on April 07, 2020 that NSO has now developed a surveillance app to track the spread of the COVID-19 virus. The report also said that the NSO Group is “actively pitching surveillance tools to their governments and to others around the world.”

It was not made clear whether NSO has approached the Indian Government. However, since the NSO Group has already been accused of illegal surveillance, privacy experts are of the opinion that the company might try to exploit this crisis to market intrusive systems. The coronavirus pandemic presents a golden opportunity for corporate actors like the NSO Group to recast previously unpalatable behavior as life-saving intervention.

Our recommendations

  1. We recommend that the State governments of Maharashtra and Chhattisgarh should establish an investigation committee to look into the hack committed in their state.
  2. The Committee should have a fixed timeline in which to complete its investigation and submit its report to the State governments.
  3. The Committee should allow for the victims (or legal counsel on their behalf) of the hack to testify before it.
  4. The Committee should allow experts in the field of data privacy to testify before it.
  5. The Committee should facilitate the registration of open FIRs and encourage investigations to be commenced immediately.
  6. The Committee should operate in a transparent manner.

Important Documents

  1. Representation to the Chief Ministers of Maharashtra and Chhattisgarh seeking investigation into the Whatsapp hack carried out by NSO Group’s Pegasus software dated 10.04.2020. (link)
  2. Statement: Scary disclosures on use of NSO spyware in India signal a need for urgent reform. (link)
  3. We provide the Standing Committees on Home Affairs with suggestions as they discuss the Pegasus scandal. (link)
  4. Representation to the Parliamentary Standing Committee on Home Affairs dated 14.11.2019. (link)

“We will, we will stalk you”- NSO Group, Circa 2020.

Help IFF in holding such companies accountable for their illegal actions by becoming an IFF member today! And don’t forget to join our Forum for closer dialogue with the IFF staff and community about technology, society and law!
