The WhatsApp-Pegasus controversy came up before the Supreme Court on Monday during the hearing of a plea seeking protection of data of transactions made over UPIs.
Senior advocate Krishnan Venugopal, representing CPI Rajya Sabha member Binoy Viswam, submitted before a bench headed by Chief Justice S. A. Bobde that against the backdrop of WhatsApp-Pegasus controversy, the system used by WhatsApp is not secure and reliable to allow it to launch payment services. Last year, the WhatsApp Pegasus spyware controversy had raised the issue of user privacy on smartphones.
Citing Venugopal's submission, the Chief Justice told senior advocate Kapil Sibal, representing WhatsApp, that: "Krishnan Venugopal has made a serious allegation that your system (WhatsApp) can be hacked by something called 'Pegasus'."
Sibal, however, countered that these are baseless allegations and it was not there in the petition filed before the top court, and instead was a submission made across the bar. Venugopal retorted that the issue was covered widely by many media organisations. "It was in the papers," he said.
As the bench also comprising Justices A. S. Bopanna and V Ramasubramanian asked Venugopal to make these submissions on an affidavit, he replied these submissions are already part of the affidavit.
Venugopal cited three-four major issues with the UPI systems of Amazon, Google, Facebook and WhatsApp. For WhatsApp, he said it is not an independent application and payment is made from the messaging service and there is no system for "two-factor authentication", therefore the system is not secure.
He also raised the issue with "data localisation", saying these foreign entities allow payment to happen, and data goes to parent company infrastructure, which is abroad.
Citing litigation in the US against Facebook, Amazon and Google, Venugopal said so much data is stored with them and critical financial data is being allowed to go abroad. "This violates the privacy judgment," he added.
Venugopal insisted that data is being shared with the parent companies in violation of the NPCI guidelines. After a detailed hearing in the matter, the bench sought NPCI response to the petition and adjourned the hearing till the last week of January 2021.
On October 15, the Supreme Court had sought response from Facebook/WhatsApp, Google, Amazon and the Centre on Viswam's seeking protection of data of transactions made over UPIs. The plea said that the RBI and the National Payments Corporation of India (NPCI) instead of fulfilling their statutory obligations are compromising the interest of Indian users by allowing the non-compliant foreign entities to operate its payment services in India. The plea sought direction for RBI and the NPCI to ensure data protection of various UPI platforms.