WhatsApp Hacking: Around the world, governments are using surveillance tools they have purchased from Israeli spyware firm NSO Group — the infamous creator of Pegasus — to monitor and crack down on human rights defenders. Access Now and our partners have repeatedly called on NSO Group and its investors to stop providing its products to countries who use them as tools of oppression, but the company has failed to take any meaningful steps to address these harms.
Since 2016 — when UAE human rights activist Ahmed Mansoor first uncovered NSO’s Pegasus on his iPhone — it has been detected in at least 46 countries around the world. Reports from Access Now, Citizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries. Citizen Lab has identified more than 100 such victims in a hack targeting WhatsApp users. The platform has since sued NSO Group in U.S. court, claiming NSO illegally used WhatsApp’s servers to hack into the phones of 1,400 of its users. The legal battle, which started in October 2019, is now under review in the 9th Circuit Court of Appeals over the issue of jurisdiction.
NSO Group’s Denials
Despite all the evidence, NSO has continuously denied knowing about these abuses and has insisted its priority is to fight crime and prevent terrorism. Instead of taking meaningful action, NSO has tried to improve its image by creating sham human rights policies and advisory boards, and by developing a COVID-19 tracking app.
Voices of Victims
Five individuals who suffered from the WhatsApp hack have stepped forward to tell their stories — sharing the important work they are doing to protect human rights in their communities, how their governments used NSO Group’s products to surveil them, and the consequences they have faced as a result.
Bela Bhatia is an Indian human rights lawyer, activist, independent researcher, and writer. She shares her experience as a victim of NSO Group’s surveillance.
“My name is Bela Bhatia. I live in Jagdalpur in Bastar district of Chhattisgarh state of India. I work here as a human rights lawyer and activist, independent researcher, and writer. Before shifting to live in Bastar in January 2015, I was an honorary professor at the Tata Institute of Social Sciences, Mumbai. My association with Bastar goes back to 2006. Bastar has been a site of a “war” between the Indian government and the Communist Party of India (Maoist) since 2005. Since then there have been scores of human rights violations involving the indigenous Adivasi residents of the villages of the war zone. I have been amongst other members of civil society who have documented, spoken out, and written against these excesses as well as represented victims in courts.
I believe I was targeted because the state and federal governments of India do not want individuals to witness or speak out against the impunity of the police and paramilitary while they carry out their plans to quell the Maoist movement with brutal force and illegal means. Besides issues related to the Maoist movement, there are other issues pertaining to governance and the democratic rights of citizens, especially Adivasis in this area — that comes under the Fifth Schedule of the Indian Constitution that allows them special protection — that are being trampled upon, for example, furthering the mining industry in the interests of private corporations without due process. The government is keen to discourage even nonviolent mobilization for upholding such democratic rights.
There has been continuous surveillance and harassment of independent observers and actors, whether local or visitors, in this area for many years, including local youth, especially educated youth, who have been harassed and arbitrarily arrested, social workers, journalists, lawyers, and academics who have been threatened, driven away, or framed under false charges.
Like others, I was also subjected to such surveillance, harassment, threats, and labeling — as a “Naxalite agent” and “urban Naxalite” — as well as attacks in diverse ways by police, paramilitary, and vigilante organizations during 2016-17. For example, an anonymous leaflet with my photo, labeling me as a Naxalite agent (an implicit incitement to violence), was circulated in the area by members of a hostile rally organized by a vigilante group in the village that I used to live in, in March 2016; my phone was snatched by a masked man when I was trying to report on a rally organized by police and vigilante groups in Jagdalpur, in September 2016; my effigy was burnt along with that of other activists by police in several district headquarters, in October 2016; and goons of a vigilante group attempted to threaten me in the night and attacked my house, a rented accommodation in a village, the following morning with the idea to evict me, in January 2017. Besides, I have been aware that my phone was most probably tapped and that my movements were often tracked.
Therefore, when I learnt from John Scott-Railton, a senior researcher at Citizen Lab, at the University of Toronto, that my phone had been hacked using spyware called Pegasus that was sold exclusively to governments by the Israeli cyber-warfare company NSO Group, I was not surprised. I saw that as a continuation of the older surveillance in a more sophisticated form.
The impact of these surveillance activities, culminating in the Pegasus operation, is that I am forced to work in an environment of suspicion and live a restricted life. Building trust among community members for any joint activity has become all the more difficult. Besides, I have not been able to live where I would have liked to, a village close to the town I live in now, where I was attacked in January 2017. I have also not been able to work in other capacities that I would have liked to; for example, I would have liked to have had some association with the university here, but university officials have also become wary of me.
Being targeted with international spyware has amplified all the earlier rumors and their possible consequences. The Pegasus operation has taken surveillance to a new level and made me even more controversial and vulnerable than I used to be. I also have to live with the constant apprehension of possible arrest based on false charges, as has already happened to several other activists in the country in recent times.”
This incident sheds light on the vulnerabilities of WhatsApp, a popular messaging application used by millions worldwide. Recently, a vulnerability (CVE-2019-3568) was discovered that allowed hackers to execute code on the target phone and potentially gain remote access to it by simply calling the phone. This posed a significant security risk to users and required immediate updates to the app.
Security researchers also found flaws in WhatsApp’s group chat functionality, allowing hackers to intercept and manipulate messages, potentially spreading misinformation. Such vulnerabilities have raised concerns about the safety of messaging apps and the need for enhanced security measures.
Pegasus spyware is a highly sophisticated and notorious surveillance tool developed by the Israeli cyber-warfare company NSO Group. It is designed to infiltrate mobile devices, such as smartphones, and gain access to their contents and functions without the knowledge or consent of the device’s owner. Pegasus is capable of remotely collecting a wide range of data, including text messages, call logs, emails, and even activating the device’s microphone and camera for audio and video surveillance. This powerful spyware has been used by various governments and entities around the world for monitoring and potentially targeting individuals, including journalists, activists, and human rights defenders, often infringing upon their privacy and civil liberties.
How can individuals protect themselves from hacking?
Individuals can take several measures to protect themselves from hacking and enhance their online security:
- Use Strong and Unique Passwords: Create complex passwords that include a combination of upper and lower-case letters, numbers, and special characters. Avoid using easily guessable information like birthdays or common words.
- Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA on your accounts. This adds an extra layer of security by requiring a secondary verification step, such as a one-time code sent to your phone.
- Regularly Update Software: Keep your operating system, applications, and antivirus software up to date. Software updates often include security patches that protect against known vulnerabilities.
- Beware of Phishing: Be cautious about clicking on links or downloading attachments in emails or messages from unknown or suspicious sources. Cybercriminals often use phishing emails to trick users into revealing sensitive information.
- Use a Virtual Private Network (VPN): A VPN can help protect your online privacy by encrypting your internet connection and hiding your IP address.
- Secure Your Wi-Fi Network: Change the default password for your Wi-Fi router and use strong encryption protocols (e.g., WPA3) to secure your network. Avoid using easily guessable network names (SSID).
- Regularly Backup Your Data: Backup important files and data regularly to an external drive or a secure cloud storage service. This ensures you can recover your data in case of a cyberattack.
- Install Antivirus and Anti-Malware Software: Install reputable antivirus and anti-malware software on your devices to detect and remove malicious software.
- Be Cautious with Downloads: Only download software, apps, and files from trusted sources, such as official app stores or the developer’s website.
- Review App Permissions: Pay attention to the permissions requested by mobile apps. Only grant access to necessary information and features.
- Secure Your Social Media: Adjust your social media privacy settings to limit the amount of personal information that is publicly accessible. Be cautious about sharing personal details on social networks.
- Use Encrypted Messaging Apps: Opt for messaging apps that offer end-to-end encryption, which ensures that only you and the recipient can read your messages.
- Regularly Monitor Your Accounts: Routinely check your bank statements, credit reports, and online accounts for any suspicious activity. Report any unauthorized transactions or access immediately.
- Educate Yourself: Stay informed about current cybersecurity threats and best practices for online security. Knowledge is a powerful defense against hacking.
By following these security measures, individuals can significantly reduce their vulnerability to hacking and safeguard their personal information and digital assets.
Are messaging apps like WhatsApp safe to use?
Messaging apps like WhatsApp are generally considered safe to use, but it’s essential to understand the nuances of their security and take precautions to protect your privacy:
1. End-to-End Encryption: WhatsApp employs end-to-end encryption, which means that messages you send and receive are scrambled on your device and can only be unscrambled by the recipient’s device. This encryption ensures that even WhatsApp cannot access the content of your messages.
2. Secure Calls: WhatsApp also offers encrypted voice and video calls, providing a high level of privacy during your communications.
3. Two-Factor Authentication (2FA): WhatsApp allows users to enable 2FA for an extra layer of security when verifying their phone number with WhatsApp. This helps protect your account from unauthorized access.
4. Frequent Updates: WhatsApp regularly updates its app to patch security vulnerabilities and improve overall security. It’s crucial to keep your WhatsApp app up to date to benefit from these security fixes.
5. Group Chats: Group chats on WhatsApp also benefit from end-to-end encryption. However, be cautious when sharing sensitive information in groups, as other members can potentially forward your messages.
While WhatsApp is designed with a strong focus on security and privacy, it’s important to keep in mind the following considerations:
1. Backup Data: When you back up your WhatsApp chats to the cloud, such as Google Drive or iCloud, your messages are not end-to-end encrypted in the backup. Ensure that your cloud storage accounts are adequately secured.
2. Contact Security: The security of your WhatsApp conversations depends on the security practices of the people you communicate with. If someone’s device is compromised, it could potentially put your messages at risk.
3. Account Verification: Always verify the identity of the people you communicate with on WhatsApp, especially if you receive unsolicited messages or requests.
4. Beware of Scams: Be cautious about phishing attempts and scams that may impersonate WhatsApp or ask for personal information. WhatsApp itself will never ask for sensitive information via messages.
In summary, WhatsApp is considered a secure messaging app due to its end-to-end encryption and security features. However, users should remain vigilant, practice good security habits, and stay informed about potential threats to ensure their privacy and data remain protected.
What actions have been taken against NSO Group?
Several actions have been taken against the NSO Group, the Israeli cyber-warfare company known for developing the Pegasus spyware, which has been linked to human rights abuses and surveillance. These actions include:
- Lawsuits: NSO Group has faced legal challenges related to its spyware. WhatsApp, owned by Facebook (now Meta Platforms, Inc.), filed a lawsuit against NSO Group in October 2019, alleging that NSO illegally used WhatsApp’s servers to hack into the phones of 1,400 of its users. This legal battle has brought the company’s practices into the spotlight.
- Citizen Lab Reports: Citizen Lab, a research group at the University of Toronto, has published multiple reports exposing the use of Pegasus spyware in targeting activists, journalists, and dissidents. These reports have contributed to raising awareness about the extent of NSO Group’s surveillance activities.
- Regulatory Scrutiny: Various governments and regulatory bodies have started investigating NSO Group’s activities. They are examining whether the company’s products have been misused for human rights abuses and unlawful surveillance.
- Export Restrictions: Some countries have imposed export restrictions on NSO Group’s spyware and technology to prevent it from being sold to governments with questionable human rights records. These measures aim to curb the misuse of surveillance tools.
- Pressure from Advocacy Groups: Human rights organizations and advocacy groups, such as Access Now, have been actively campaigning against NSO Group’s practices. They have called on the company and its investors to halt the sale of its products to governments implicated in human rights violations.
- Media Coverage: Extensive media coverage of the Pegasus spyware revelations has drawn public attention to NSO Group’s actions, leading to public scrutiny and demands for accountability.
- Legal and Ethical Concerns: NSO Group’s actions have raised ethical and legal concerns globally, with calls for greater transparency and oversight of the surveillance industry.
It’s important to note that these actions are ongoing, and the outcome of legal cases and investigations is still pending. The controversy surrounding NSO Group highlights the complex issues related to surveillance technology and its impact on human rights and privacy.
How can we support human rights defenders like Bela Bhatia?
Supporting human rights defenders like Bela Bhatia and their vital work is crucial for promoting justice, equality, and the protection of civil liberties. Here are several ways you can provide support:
- Amplify Their Voices: Share their stories and work on social media to raise awareness about the challenges they face.
- Stay Informed: Educate yourself about the human rights issues they are addressing, both locally and globally.
- Contribute to organizations and causes that support human rights defenders. Your financial support can make a significant difference.
- Engage in advocacy efforts to pressure governments and international organizations to protect human rights defenders and address human rights abuses.
- Raise Awareness: Organize events, seminars, or workshops to shed light on the issues they are working on. Invite them to speak at events if possible.
- Network and Connect: Help connect human rights defenders with organizations, individuals, or resources that can further their work.
- Provide Legal Support: If you have legal expertise, consider offering pro bono legal assistance to human rights defenders facing legal challenges.
- Solidarity Campaigns: Participate in or organize solidarity campaigns to show your support and solidarity with human rights defenders. Use hashtags and social media to spread the message.
- Write to Authorities: Write letters or emails to relevant authorities, both locally and internationally, urging them to protect human rights defenders and investigate human rights abuses.
- Support Mental Health: Recognize that human rights defenders often face significant psychological and emotional challenges. Offer emotional support and resources for mental health.
- Advocate for Policy Change: Advocate for policies and legislation that protect human rights defenders and hold those who threaten them accountable.
- Engage in Grassroots Activism: Participate in local grassroots efforts that align with the causes supported by human rights defenders.
- Stay Safe and Informed: If you’re in a position of relative privilege, use that privilege to protect and support human rights defenders without putting them at risk.
Remember that supporting human rights defenders is an ongoing commitment, and their work often comes with great personal risk. Your support can be instrumental in helping them continue their crucial efforts to promote human rights, justice, and equality.
The stories of victims like Bela Bhatia highlight the serious consequences of surveillance and hacking by entities like NSO Group. It is crucial for governments and technology companies to prioritize user privacy and security. The battle against surveillance and cyber threats continues, and it’s essential to protect the rights of individuals who stand up for human rights and justice.
- What is NSO Group’s Pegasus spyware, and how does it work?
  - Explore the inner workings of Pegasus spyware and its implications for privacy and security.
- Why are human rights defenders often targeted by surveillance technology?
  - Learn about the motivations behind the surveillance of activists, journalists, and rights advocates.
- What legal actions have been taken against NSO Group to curb its activities?
  - Discover the legal battles and international efforts aimed at holding NSO Group accountable.
- How can individuals protect themselves from potential hacking and surveillance threats on messaging apps like WhatsApp?
  - Gain practical tips for enhancing personal cybersecurity and privacy on messaging platforms.
- What can the global community do to support and safeguard human rights defenders like Bela Bhatia?
  - Explore ways individuals and organizations can actively contribute to the protection of those fighting for human rights worldwide.