WhatsApp acknowledged the flaw in its system as part of a vulnerability disclosure to American authorities published on May 14 and told the Indian government that 121 Indians had been targeted in a communication in September.

The Union government is likely to cite the WhatsApp snooping controversy to push through with its plan to compel digital companies to store data of Indian users locally, which, according to officials aware of the developments, would have helped the administration carry out its own investigation in the incident.

The mandatory data localisation rule is part of the provisions of the personal data protection law, which could be introduced for Parliament’s approval during the ongoing Winter session. Multinational companies such as Amazon and Facebook have opposed the rule through prominent trade bodies that they are a part of.

“WhatsApp informed us about some kind of vulnerability in its software in May [2019] and later in September, it sounded the government out about some kind of infiltration in its network without any specific detail. This is a serious issue of national security, and hence, requires necessary measures, including data localisation,” said one of the officials with access to direct information on the matter.

Data localisation will help government with legal access to all kinds of encrypted data in cases of breaches similar to the WhatsApp incident, a second official added.

Experts have said data localisation presents privacy concerns. ​“Such a measure would heighten and consolidate the access to data by the government for surveillance, while also reducing the range of options available for an individual to choose services on the Internet, creating a very real trade-off between state sovereignty over data and individual autonomy and choice,” Nayantara Ranganathan, programme manager at the Internet Democracy Project, wrote in a piece in HT on August 26.

The WhatsApp breach was exposed earlier this year when researchers discovered a flaw that allowed a spyware called Pegasus – a malicious computer programme meant to steal stored and real-time data – to be installed on the phones of those using the popular messaging service.

WhatsApp acknowledged the flaw in its system as part of a vulnerability disclosure to American authorities published on May 14 and told the Indian government that 121 Indians had been targeted in a communication in September.

The timing of these alerts has been disputed by Indian officials, who say that WhatsApp made its direct filing to Indian authorities on May 20, three days after India’s cyber emergency response team (Cert-IN) took note of the vulnerability reported in domains such as the United States-based Common Vulnerability and Exposures (CVE) database and issued an advisory ​“proactively”.

“Even then [after the delayed communication] the alert was non-actionable,” the senior official who did not want to be named said, and added: ​“India is one of the biggest markets for WhatsApp, one wonders about the reason for the reluctance to keep India informed.”

In addition, Indian authorities were not kept in the loop when WhatsApp decided to reach to individuals who were affected by the malware, a fourth senior official said.

A WhatsApp spokesperson did not reply to requests for a comment on whether the disclosure was delayed, but pointed to the May 17 Cert​.IN alert, suggesting that this was based on the company’s information.

Several human rights activists, lawyers and journalists in India came forward last month to say that they had been identified as targets of Pegasus, which has been developed by Israel-based NSO group. The incident triggered alarm among civil society groups as well as privacy activists. Cyber security researchers have expressed worry over how undetectable the hack was and how easily it could be carried out.

NSO Group has denied allegations of wrongdoing and said it sells its Pegasus tool only to government and law enforcement agencies for legal surveillance.