Tom Watson – 2019 Speech on the WhatsApp Data Breach

Below is the text of the speech made by Tom Watson, the Deputy Leader of the Labour Party, in the House of Commons on 15 May 2019.

Here we are again: another day, another major data breach from a Mark Zuckerberg company. I am glad that the Secretary of State is with Facebook today, because we can suggest a number of questions for him to put to Facebook.

First, what has happened? Spyware called Pegasus, created by the Israeli security company NSO Group, has been used to hack the phones of lawyers and human rights activists. The news reports read like a nightmare: a dystopian world of tech-enabled total surveillance. The spyware transmits malicious code via a WhatsApp call. The target does not even need to answer the call for the phone to be infected. According to The New York Times, once the spyware is installed, it can extract everything: messages, contacts, GPS location, email and browser history. It can even use the phone’s camera and microphone to record the user’s surroundings. That is terrifying.

About 1.5 billion people worldwide use WhatsApp and millions are here in the UK. Many of them will have been drawn to the service for its unique selling point: end-to-end encryption that ensures user privacy. Now we find that a gap in WhatsApp’s defences has enabled complete violation of that privacy. What is the Minister doing to work with GCHQ, the National Cyber Security Centre and tech industry players to protect the UK’s digital communications and privacy?

Media reports say that WhatsApp contacted the US Department of Justice earlier this month when it found out about the hack, but when was the Minister notified about it? When was the Information Commissioner informed? How many users in the UK are affected? Have those affected been notified? If the Minister does not know the answers, will she commit to updating the House when she does?

The spyware was licensed for export by the Israeli Government. What assurances can the Minister provide to social media companies that any digital surveillance products that the UK exports will not be misused to track and monitor human rights defenders? The particular vulnerability of WhatsApp was the voice over internet protocol—the process for receiving calls over the internet. As telecoms companies modernise, they are all moving away from calls over copper lines and phasing in calling via the internet. What is the Minister doing to ensure that those companies do not have vulnerabilities such as those we are discussing today?

The attack looks as if it was carried out by malicious actors, possibly other state actors, trying to close down journalists, dissidents, human rights activists and lawyers seeking justice, but exactly that kind of surveillance was given legal basis in the Investigatory Powers Act 2016, which the right hon. Member for Haltemprice and Howden (Mr Davis) and I fought in the courts and won concessions on. The Government want tech companies to build back doors into their services, but this is an example of what happens if malicious actors find those doors: those who are fighting for justice and what is right come under attack. The Government must not allow that to happen.