Maharashtra activists spied on by Israeli security firm tell Firstpost how Citizen Lab helped uncover conspiracy

  • In May, WhatsApp detected an attempted cyber attack through its video calling feature

  • The aim was to bug a particular phone with spyware

  • On 30 October, 2019, WhatsApp filed a suit in Federal Court claiming an Israeli technology company called NSO Group was behind it

On Wednesday, The Indian Express reported that "at least two dozen academics, lawyers, Dalit activists and journalists in India were contacted and alerted by WhatsApp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019". Firstpost has located three such people: Nagpur-based lawyer-activist Nihalsingh Rathod, Pune-based cultural activist Rupali Jadhav and Gadchiroli-based lawyer and human rights activist Jagdish Meshram.

On 7 October, Rathod received a message on WhatsApp from an international number. The person identified himself as John Scott-Railton, and said he was a senior researcher at the Citizen Lab of the University of Toronto in Canada. "The Citizen Lab works on tracking internet threats against civil society," the message read, "I encourage you to do a little googling to figure out more about me and the Citizen Lab if you are suspicious."

He proceeded to send the URL of the Citizen Lab website, and his own email address in case Rathod wanted to "check that [he was] real".

"I am lightly familiar with your work based on our research into an ongoing case, and this message concerns a specific digital risk that we believe you face," John wrote, "I would like to set up a quick time to chat. Again, I apologise for the strangeness of such a contact, and understand it may be disconcerting. Unfortunately, there is no better way to do this kind of thing."

John Scott-Railton's chats with Nihalsingh Rathod. Screenshots procured by Parth MN

Rathod is a human rights lawyer and activist who has been fighting the Bhima-Koregaon case against the state government of Maharashtra. "Citizen Lab wanted to ask me if I had received any strange messages or emails," he said, "I told them of an email I received from an address I didn’t expect to."

Meshram said he received video calls from international numbers. He said he tried picking them up, but the call would disconnect. Between 7 April and 15 May, he received 15 to 20 such video calls. In The Washington Post, Will Cathcart wrote, "A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call."

(left) Rathod's chat with John, (centre) the message from WhatsApp, (right) Rathod's email to his contacts. Screenshots procured by Parth MN

On 28 October, Jadhav received messages from John, who introduced himself in a similar manner. She is a cultural activist with the Kabir Kala Manch. John proceeded to inform Jadhav that he was familiar with who she is, based on the research that the Citizen Lab was pursuing in what he called an 'ongoing case'. He mentioned that the message concerned a 'specific cyber risk' that they believe she faced earlier in 2019.

John went on to ask Jadhav for a time to speak over the phone, a request to which she is yet to acquiesce. Jadhav subsequently received messages from WhatsApp, in which the reason for contacting her was stated as:

"In May, we stopped an attack where an advanced cyber actor exploited our video calling to install malware on user devices. There’s a possibility this phone number was impacted, and we want to make sure you know how to keep your mobile phone secure".

(left) Rupali Jadhav's WhatsApp chat with John, (right) the message from WhatsApp. Screenshot procured from Jadhav's Facebook post

Jadhav accessed links mentioned in the message titled 'how to stay secure'. "When I went through what is mentioned under ‘help on video calling cyber attack’, it had instructions, one of them saying that I should get a new handset to evade further privacy concerns. I should now get a new phone for no fault of mine?" she asked, adding that she had just purchased her handset. This incident is likely to dent the credibility of WhatsApp, a private messaging service that prides itself on its end-to-end encryption.

In May, WhatsApp detected an attempted cyber attack through its video calling feature. The aim was to bug a particular phone with spyware. On 30 October, 2019, WhatsApp filed a suit in Federal Court claiming an Israeli technology company called NSO Group was behind it. In a piece in The Washington Post, Will Cathcart, head of WhatsApp, which is owned by Facebook, thanked Citizen Lab for helping them with the investigation. "We’re grateful to experts at the Citizen Lab at the University of Toronto for their work in this regard," he wrote, "They volunteered to help us understand who was affected by the attack and engaged with journalists and human rights defenders to help them better protect themselves in the face of these threats."

The lawsuit filed by WhatsApp says NSO targeted about 1,400 WhatsApp users with a spyware called Pegasus. “Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” a WhatsApp spokesperson told The Indian Express.

Updated Date: Nov 08, 2019 11:24:38 IST