WhatsApp Data Breach

Lord Watson of Wyre Forest Excerpts
Wednesday 15th May 2019

(5 years, 7 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.

Each Urgent Question requires a Government Minister to give a response on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Lord Watson of Wyre Forest Portrait Tom Watson (West Bromwich East) (Lab)
- Hansard - -

(Urgent Question): After that significant and important point of order from the right hon. Member for Hemel Hempstead (Sir Mike Penning), I would like to ask the Secretary of State for Digital, Culture, Media and Sport to make a statement on the WhatsApp data breach.

Margot James Portrait The Minister for Digital and the Creative Industries (Margot James)
- Hansard - - - Excerpts

I am responding to this question from the shadow Secretary of State because the Secretary of State for Digital, Culture, Media and Sport is in Paris for the G7 Digital Ministers meeting. He is meeting political and digital leaders from across the world, including senior representatives of Facebook, which owns Whatsapp, to ensure that the technology that is an increasing part of our daily lives is developed and managed in a safe and ethical manner.

I share the concern of all Members of the House about WhatsApp’s announcement of this vulnerability and the steps that it is taking to address it. In this instance, the National Cyber Security Centre has acted quickly to assess the risk to UK users and to publish guidance for our user base here in the UK. The NCSC has recommended that users protect their devices by installing updates as soon as they become available, and I would encourage any users with concerns to check the NCSC website. It is right that people should have confidence that their personal data will be protected and used fairly and lawfully.

The Data Protection Act 2018, which the Government passed last year, imposes strict obligations on organisations to ensure that UK citizens’ data is processed safely, securely and transparently. Organisations that fail to comply with the legislation may be investigated by the Information Commissioner’s Office, which received extra resources and more powers last year during the passage of that Bill. WhatsApp has designated the Irish Data Protection Commission as its European national regulator, and the ICO will work with and support its Irish counterpart so that the data of UK citizens is protected.

Cyber-security is of paramount importance to this Government, and our cyber-security strategy, which is supported by £1.9 billion of investment, sets out ambitious policies to protect UK citizens and businesses in cyber-space. Trust is the foundation of our digital economy. Cyber-security is absolutely vital in providing the stability and certainty that businesses need to thrive, and the public must have confidence in it.

Lord Watson of Wyre Forest Portrait Tom Watson
- Hansard - -

Here we are again: another day, another major data breach from a Mark Zuckerberg company. I am glad that the Secretary of State is with Facebook today, because we can suggest a number of questions for him to put to Facebook.

First, what has happened? Spyware called Pegasus, created by the Israeli security company NSO Group, has been used to hack the phones of lawyers and human rights activists. The news reports read like a nightmare: a dystopian world of tech-enabled total surveillance. The spyware transits malicious code via a WhatsApp call. The target does not even need to answer the call for the phone to be infected. According to The New York Times, once the spyware is installed, it can extract everything: messages, contacts, GPS location, email and browser history. It can even use the phone’s camera and microphone to record the user’s surroundings. That is terrifying.

About 1.5 billion people worldwide use WhatsApp and millions are here in the UK. Many of them will have been drawn to the service for its unique selling point: end-to-end encryption that ensures user privacy. Now we find that a gap in WhatsApp’s defences has enabled complete violation of that privacy. What is the Minister doing to work with GCHQ, the National Cyber Security Centre and tech industry players to protect the UK’s digital communications and privacy?

Media reports say that WhatsApp contacted the US Department of Justice earlier this month when it found out about the hack, but when was the Minister notified about it? When was the Information Commissioner informed? How many users in the UK are affected? Have those affected been notified? If the Minister does not know the answers, will she commit to updating the House when she does?

The spyware was licensed for export by the Israeli Government. What assurances can the Minister provide to social media companies that any digital surveillance products that the UK exports will not be misused to track and monitor human rights defenders? The particular vulnerability of WhatsApp was the voice over internet protocol—the process for receiving calls over the internet. As telecoms companies modernise, they are all moving away from calls over copper lines and phasing in calling via the internet. What is the Minister doing to ensure that those companies do not have vulnerabilities such as those we are discussing today?

The attack looks as if it was carried out by malicious actors, possibly other state actors, trying to close down journalists, dissidents, human rights activists and lawyers seeking justice, but exactly that kind of surveillance was given legal basis in the Investigatory Powers Act 2016, which the right hon. Member for Haltemprice and Howden (Mr Davis) and I fought in the courts and won concessions on. The Government want tech companies to build back doors into their services, but this is an example of what happens if malicious actors find those doors: those who are fighting for justice and what is right come under attack. The Government must not allow that to happen.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I share the shadow Secretary of State’s outrage and shock at this latest development and I agree that such transgressions happen far too frequently. At the Paris summit, the Secretary of State has already raised his deep concern about the latest report with Nick Clegg, the head of global affairs and communications for Facebook—[Laughter.] I am sorry that hon. Members find that amusing, but he is the senior head of global affairs for Facebook. He sits on the main board and is therefore the appropriate person for my Secretary of State to raise this matter with at the outset.

Of course, I share the shadow Secretary of State’s particular concern. WhatsApp is an encrypted service and therefore users are entitled to have even greater confidence in their privacy when they use it than when they use other social media platforms. The hon. Gentleman asked me what we are doing about it and when I was informed. I was informed of the breach, along with everybody else, earlier this week. I will have to find out from my Secretary of State later today exactly when he was informed.

I share the hon. Gentleman’s concern that the spyware was placed seemingly so easily on the WhatsApp service through using the phone contact part of it merely to call another number. That call, whether it was answered or not, meant that the spyware was installed directly on the user’s device. It is extremely worrying.

We are fortunate in Britain to have the National Cyber Security Centre and GCHQ, which are across those matters daily. We recently published the third cyber-security strategy, which includes several cyber-defence measures that are taken routinely and constantly, and updated. They are designed to deter and disrupt adversaries, to develop critical capabilities in the UK and to address systemic vulnerabilities as soon as they are identified. I meet the NCSC executive reasonably regularly and I take my responsibilities for cyber-security from the Department’s perspective extremely seriously.

I share the concern that a state could use this kind of attack to monitor human rights activists. That is deeply worrying. I am assured by the NCSC that we should all follow its current advice and that it is investigating the likelihood of any UK users being victims of the latest attack. As yet, I have no further information on that point to give to the House.