Neville Lahiru
The Committee on Ethics and Privileges is set to summon the Director of the Criminal Investigation Department (CID) on 18 October over allegations of tapping Opposition MP Patali Champika Ranawaka’s WhatsApp calls.
Back in October 2021, Ranawaka accused the CID of listening to his WhatsApp calls made between 2018 and 2019. He claims that the CID has done so without the authorization of a magistrate and that it had violated his parliamentary privilege. The MP went on to pose his suspicions over the use of spyware like Pegasus. “No service provider has any technology that we know of to find out that I contacted so-and-so on WhatsApp,” Ranawaka claimed at the time.
The Pegasus of it all
Pegasus is spyware for government agency use, developed by an Israeli company called the NSO Group. The program infects a phone and sends back data like photos, messages, and audio recordings. As per NSO, a key selling point of Pegasus is that it can’t be traced back to the user, aka the government agency.
The existence of Pegasus came to light a few years ago back when the UAE government was caught attempting to tap into an activist’s phone in 2016. Since then, Pegasus has resurfaced multiple times over the years. In 2017, the software was reportedly used against Mexican reporters and activists. In 2020, the FBI launched investigations on NSO over the hacking incident of Jeff Bezos’ phone. WhatsApp even sued the NSO Group for allegedly that it was involved in compromising over 1,400 devices via a WhatsApp code exploit. For context, this was in 2019, years after WhatsApp messages and calls became end-to-end encrypted (E2EE).
How does Pegasus even work?
Successful deployment of the spyware relies on phishing, where an unsuspecting user clicks on a link that delivers the Pegasus payload. Although, more recent versions reportedly work as “zero-click” hacks, which means the user wouldn’t need to do anything at all, and just sending the link to a target phone is enough.
Pegasus essentially captures everything including messages, photos, location data, call logs, and even camera/microphone recordings. As of now, there’s hardly a tech ecosystem that’s safe from its capabilities, not even the privacy-hyping Apple. This is one main reason why tech giants like Microsoft, Cisco, and Google voiced support for WhatsApp’s suit against NSO.
So what about Champika Ranawaka’s phone?
Naturally, a commercial program of this nature and capability doesn’t come cheap. In 2016, the New York Times reported that the NSO billed clients USD 500,000 for setting up. That’s roughly LKR 182.4 million. On top of this, it apparently cost USD 650,000 to hack 10 iPhone/Android users. For context, NSO’s contract with Saudi Arabia is USD 55 million.
In other words, the price tag for such an implementation in Sri Lanka alone should raise more than a few eyebrows. Then there’s the country’s own lackluster history around cybersecurity at the national level. Neither of these makes for a compelling case for advanced spyware in Sri Lanka. But that doesn’t mean the possibility should be ruled out either.
In any case, Champika Ranawaka’s claim that the CID tapped into his phone via spyware like Pegasus could be verified. Amnesty International, which was involved in breaking the news about Pegasus, released a tool to check if a particular phone has been affected by Pegasus. The process involves taking a backup of your phone to a separate computer and running the tool with that backup. Before you ask, yes there’s some terminal work involved and it’s intended for use by those with some technical expertise. But The Verge has an easy-to-follow guide on using the tool.
User privacy vs national security
Champika Ranawaka’s allegation comes at a time when governing bodies increasingly demand access to data, mostly for national security reasons. The situation is becoming more problematic as big tech companies look to add more privacy-centric features to products and services.
For instance, back in 2017, the UK demanded Facebook provide a backdoor to WhatsApp following the Westminister Bridge shooting. Why? The government’s claim was that encrypted messaging services like WhatsApp offer a place for criminals to hide. Previously, Apple faced a similar encryption-related issue with the FBI. Even the privacy-focused messaging darling Signal had faced government demands to provide access to its platform.
Of course, this is nothing new. Governments have been asking for encryption backdoors from tech companies for years. Australia has already passed legislation that would force companies to submit information upon request, even if it includes E2EE. Though the Assistance and Access Act was passed in 2018, the Australian government reportedly sought the controversial power to crack encrypted platforms at least two years prior. The US also tried to introduce an encryption backdoor bill that would have required companies to do just that through the “Lawful Access to Encrypted Data Act”.
Fortunately, Sri Lanka has neither the bargaining power nor the governmental aptitude to head this route. The closest it has come to was blocking social media altogether to fight terrorism and public dissent in general.
Are platforms really secure?
But government demands are only part of the problem. It doesn’t help that sometimes the tech companies themselves make for poor defenders of privacy. Take WhatsApp for example. The messaging service claims approximately two billion active users from around the world. In 2016, Meta Facebook announced that it was adding E2EE for WhatsApp messages and calls. This meant that nobody other than the user would have access to the data on WhatsApp. However, despite the privacy-focused narrative, the reality isn’t that black and white.
Pro Publica‘s report from 2021 points to how Facebook seemingly undermines WhatsApp’s privacy. According to the report, over 1,000 contract workers are employed by WhatsApp to comb through millions of private messages, photos, and videos via special Facebook software. It should be noted that the workers reportedly only have access to a section of WhatsApp content—those forwarded by the company or flagged by users over abuse-related matters. But content moderators and whistleblowers like Frances Haugen allege that WhatsApp routinely employs outside contractors, AI, and account information to examine platform content.
On another note, WhatsApp does share certain information with other Facebook companies. According to the company, this includes phone number, transaction data (if you use Facebook pay or Shops in WhatsApp), mobile device information, and your IP address among others.
To be fair, Facebook isn’t the only tech company in troubled waters over privacy concerns pertaining to encrypted platforms. But it’s one instance that emulates how privacy and platform safety is becoming increasingly challenging endeavor. It gets further challenging as the scale and purview of different platforms grow to cover a massive chunk of the world’s digital population.
The Champika-CID-WhatsApp problem
Getting back to Champika Ranawaka’s allegations, did the CID really tap the MP’s WhatsApp calls? Honestly, we don’t know yet. But this isn’t the first time the opposition made spyware allegations at the government. Last year, former Opposition MP and current Cabinet Minister of Tourism and Lands, Harin Fernando accused the government of using Pegasus. “This government is focused on looking into your information more than ours. I can say this with utmost confidence,” said Fernando at the time.
Politicians are no strangers to stoking controversies, particularly in Sri Lanka. But even so, these are alarming allegations, not only because of the seemingly gross privacy violation of a public individual but also due to the potential implications for citizens at large.
Of course, the government has outright refused that such spyware is in use, calling the allegations baseless. Either way, we’re likely to get more answers on the 18th at the Committee on Ethics and Privileges hearing. Here’s hoping for more clarity and not more questions to be asked.
Update [11/10/2022]: Added Harin Fernando’s Pegasus allegation from 2021 for context, along with the government’s official response on the matter so far. (Thanks, Sanjana)
GIPHY App Key not set. Please check settings