WhatsApp Data Breach

Volume 660: debated on Wednesday 15 May 2019

(Urgent Question): After that significant and important point of order from the right hon. Member for Hemel Hempstead (Sir Mike Penning), I would like to ask the Secretary of State for Digital, Culture, Media and Sport to make a statement on the WhatsApp data breach.

I am responding to this question from the shadow Secretary of State because the Secretary of State for Digital, Culture, Media and Sport is in Paris for the G7 Digital Ministers meeting. He is meeting political and digital leaders from across the world, including senior representatives of Facebook, which owns WhatsApp, to ensure that the technology that is an increasing part of our daily lives is developed and managed in a safe and ethical manner.

I share the concern of all Members of the House about WhatsApp’s announcement of this vulnerability and the steps that it is taking to address it. In this instance, the National Cyber Security Centre has acted quickly to assess the risk to UK users and to publish guidance for our user base here in the UK. The NCSC has recommended that users protect their devices by installing updates as soon as they become available, and I would encourage any users with concerns to check the NCSC website. It is right that people should have confidence that their personal data will be protected and used fairly and lawfully.

The Data Protection Act 2018, which the Government passed last year, imposes strict obligations on organisations to ensure that UK citizens’ data is processed safely, securely and transparently. Organisations that fail to comply with the legislation may be investigated by the Information Commissioner’s Office, which received extra resources and more powers last year during the passage of that Bill. WhatsApp has designated the Irish Data Protection Commission as its European national regulator, and the ICO will work with and support its Irish counterpart so that the data of UK citizens is protected.

Cyber-security is of paramount importance to this Government, and our cyber-security strategy, which is supported by £1.9 billion of investment, sets out ambitious policies to protect UK citizens and businesses in cyber-space. Trust is the foundation of our digital economy. Cyber-security is absolutely vital in providing the stability and certainty that businesses need to thrive, and the public must have confidence in it.

Here we are again: another day, another major data breach from a Mark Zuckerberg company. I am glad that the Secretary of State is with Facebook today, because we can suggest a number of questions for him to put to Facebook.

First, what has happened? Spyware called Pegasus, created by the Israeli security company NSO Group, has been used to hack the phones of lawyers and human rights activists. The news reports read like a nightmare: a dystopian world of tech-enabled total surveillance. The spyware transmits malicious code via a WhatsApp call. The target does not even need to answer the call for the phone to be infected. According to The New York Times, once the spyware is installed, it can extract everything: messages, contacts, GPS location, email and browser history. It can even use the phone’s camera and microphone to record the user’s surroundings. That is terrifying.

About 1.5 billion people worldwide use WhatsApp and millions are here in the UK. Many of them will have been drawn to the service for its unique selling point: end-to-end encryption that ensures user privacy. Now we find that a gap in WhatsApp’s defences has enabled complete violation of that privacy. What is the Minister doing to work with GCHQ, the National Cyber Security Centre and tech industry players to protect the UK’s digital communications and privacy?

Media reports say that WhatsApp contacted the US Department of Justice earlier this month when it found out about the hack, but when was the Minister notified about it? When was the Information Commissioner informed? How many users in the UK are affected? Have those affected been notified? If the Minister does not know the answers, will she commit to updating the House when she does?

The spyware was licensed for export by the Israeli Government. What assurances can the Minister provide to social media companies that any digital surveillance products that the UK exports will not be misused to track and monitor human rights defenders? The particular vulnerability of WhatsApp was the voice over internet protocol—the process for receiving calls over the internet. As telecoms companies modernise, they are all moving away from calls over copper lines and phasing in calling via the internet. What is the Minister doing to ensure that those companies do not have vulnerabilities such as those we are discussing today?

The attack looks as if it was carried out by malicious actors, possibly other state actors, trying to close down journalists, dissidents, human rights activists and lawyers seeking justice, but exactly that kind of surveillance was given legal basis in the Investigatory Powers Act 2016, which the right hon. Member for Haltemprice and Howden (Mr Davis) and I fought in the courts and won concessions on. The Government want tech companies to build back doors into their services, but this is an example of what happens if malicious actors find those doors: those who are fighting for justice and what is right come under attack. The Government must not allow that to happen.

I share the shadow Secretary of State’s outrage and shock at this latest development and I agree that such transgressions happen far too frequently. At the Paris summit, the Secretary of State has already raised his deep concern about the latest report with Nick Clegg, the head of global affairs and communications for Facebook—[Laughter.] I am sorry that hon. Members find that amusing, but he is the senior head of global affairs for Facebook. He sits on the main board and is therefore the appropriate person for my Secretary of State to raise this matter with at the outset.

Of course, I share the shadow Secretary of State’s particular concern. WhatsApp is an encrypted service and therefore users are entitled to have even greater confidence in their privacy when they use it than when they use other social media platforms. The hon. Gentleman asked me what we are doing about it and when I was informed. I was informed of the breach, along with everybody else, earlier this week. I will have to find out from my Secretary of State later today exactly when he was informed.

I share the hon. Gentleman’s concern that the spyware was placed seemingly so easily on the WhatsApp service through using the phone contact part of it merely to call another number. That call, whether it was answered or not, meant that the spyware was installed directly on the user’s device. It is extremely worrying.

We are fortunate in Britain to have the National Cyber Security Centre and GCHQ, which are across those matters daily. We recently published the third cyber-security strategy, which includes several cyber-defence measures that are taken routinely and constantly, and updated. They are designed to deter and disrupt adversaries, to develop critical capabilities in the UK and to address systemic vulnerabilities as soon as they are identified. I meet the NCSC executive reasonably regularly and I take my responsibilities for cyber-security from the Department’s perspective extremely seriously.

I share the concern that a state could use this kind of attack to monitor human rights activists. That is deeply worrying. I am assured by the NCSC that we should all follow its current advice and that it is investigating the likelihood of any UK users being victims of the latest attack. As yet, I have no further information on that point to give to the House.

Does the Minister agree that the incident reveals the evolving nature of the threat from cyber-space, and that the Government need to redouble their efforts across Government to work on the national cyber-security strategy, as well as to develop co-operative relationships with businesses, large and small, so that the threats can be robustly combated?

My hon. Friend is right that the threat is evolving all the time and morphing from one aspect to another. It is therefore important that we keep business and citizens informed of what they can best do to protect themselves against the threats. As part of the national cyber-security strategy, we provide advice: the Cyber Essentials guide for businesses of all sizes and a small business guide on the NCSC website. The NCSC can provide tailored advice to companies when they are under a particular threat.

This massive cyber-security breach underlines why we need to be part of the European institutions designed to tackle those issues. For example, leaving the European Defence Agency and its policies will make the UK substantially more vulnerable to cyber-attacks.

The Minister was asked about the timing of the information. The hack was discovered a month ago, so when exactly did the company alert the Government and the security services? Have the Government taken any action? The US Justice Department was apparently told last week. Have the security services ever used the Pegasus malware or similar spyware software? Do the Government have any contracts with the NSO Group, which in 2018 had revenues of $251 million, or indeed with WhatsApp?

In relation to our membership of the European Union and impending Brexit, as long as Britain leaves with a deal, preferably the deal that the Prime Minister has negotiated, we will have continued access on a smooth basis to much of that vital information.

The hon. Gentleman asks when the Government were informed. I answered that question in my reply to the hon. Member for West Bromwich East (Tom Watson). I was informed earlier this week, and I will find out from the Secretary of State when he was informed; I suspect he was informed earlier than I was.

On Pegasus and other types of malware, I can assure the hon. Member for Inverness, Nairn, Badenoch and Strathspey (Drew Hendry) that GCHQ and the NCSC ensure that this country has excellent, state-of-the-art malware detection systems in play at all times.

People largely believed that as WhatsApp is encrypted, it is a safe app. Now we suddenly discover that perhaps it is not safe after all. This is deeply worrying and has caused deep unease in society. What is the Minister doing to restore public confidence in data protection? We have various Acts in place, but we have to restore that confidence. Can she give assurances that Mr Zuckerberg has fixed the flaw and will be brought to task?

I will answer the questions that I can answer. I cannot speak for what Facebook and WhatsApp are doing, but I can assure my hon. Friend that, as part of the general data protection regulation across Europe, the Data Protection Act has put in place the strongest privacy standards, rules and laws anywhere in the world. In our Information Commissioner’s Office we have the best resourced ICO in Europe, and we gave the commissioner enhanced powers last year. The ICO has shown itself to be superb in utilising those powers.

This WhatsApp scandal demonstrates again that the Government’s online harms White Paper is too little, too late, as it deals only with harms arising from user-generated content. What we need is a robust regulatory framework that assigns rights and responsibilities.

When a vulnerability is identified, as the Minister has said, it is essential to install an update as quickly as possible. Too many of our citizens still do not have access to fixed wireless broadband and will be obliged to install the update over a mobile network, incurring significant charges. Who should pay those charges?

I reassure the hon. Lady that we already have robust legislation in place through the introduction of GDPR. We also have competition law and a number of agencies. Indeed, Opposition Members usually complain that we have too many regulatory bodies in this space. We have the Competition and Markets Authority, Ofcom and the Information Commissioner’s Office, and we will be setting up a powerful regulator on the back of our online harms White Paper. People should be taking more responsibility for the security of their devices, and the NCSC has very good user advice on its website.

No Government would find it easy to cope with the rapidly changing character of technology and its associated protocols, and I congratulate the Minister on both her diligence and commitment. I am pleased that, as the former Minister responsible, I put in place the means and methods to deal with this issue in the form of the strategy and the NCSC. However, would she acknowledge that, for too long, we assumed that these big tech companies could be asked, not told; and requested, not obliged? We cannot be too tough in dealing with these matters, for at risk is the welfare of our citizenry and our nation.

I congratulate my right hon. Friend on his previous work. I strongly agree with his thesis that a voluntary approach of asking companies for their co-operation has not produced the needed change in a timely manner, which is exactly why in the White Paper we published last month we concluded that statutory regulation that places on companies a duty of care for their users, backed up by a powerful regulator, is the answer to these problems.

I am sure the right hon. Member for South Holland and The Deepings (Sir John Hayes) is absolutely delighted to have been congratulated by the Minister on the delivery of his thesis, as he is of a notable academic and, some would say, even philosophical bent.

Following this very serious WhatsApp security breach, what assurances can the Minister provide that social media companies in the UK will ensure that the products they export cannot be misused to track or monitor human rights activists and others who might themselves subsequently face human rights abuses? Can she also inform the House specifically whether any MP has been targeted?

I cannot give the hon. Gentleman that assurance, but I can say that the early investigations point to this being a highly targeted attack. As I said earlier, the NCSC is investigating whether UK citizens, including Members of this House, might have been the butt of the attack. We await further information on that.

It is somewhat ironic that the former Home Secretary tried to get WhatsApp to overcome its security so that, for national security purposes, we could access messages.

What messages have been given to British aid workers working overseas and to people working in human rights environments who may be vulnerable to attack if WhatsApp messages are leaked? Surely they should be given a very strong message not only to upgrade but to be very cautious about their use of WhatsApp until this problem is fixed.

I agree with my hon. Friend that such attacks undermine the confidence of users, which is why it is in the interests of manufacturers to make sure that security is much more heavily designed into their software products and devices before they are released to the consumer.

The 1.5 billion WhatsApp users worldwide—millions of them here in the UK—have been attracted by its end-to-end encryption and the guarantee that their messages are secure, but they are relying on old-fashioned media to find out about this breach and to be told to update devices. What conversations has the Minister or the Secretary of State had with WhatsApp to prompt it to alert users to update the app? At the moment, I fear that many of the millions of WhatsApp users here in the UK will not have updated their app, and they should do so urgently.

I agree with the hon. Lady that on hearing about this—it is ironic that people have to hear about it through traditional print media and television—they really should update WhatsApp. People should get into the habit of installing security updates whenever they are prompted to do so by an app, and they should do it proactively. It is easy to visit the app store and select all updates, which is a routine security precaution that users should take.

This is obviously a very serious data breach, as acknowledged on both sides of the Chamber. Of course, the recent Data Protection Act enhances the powers of the Information Commissioner’s Office, which could implement a fine of up to 4% of global revenue. Facebook’s revenue last quarter was over £16 billion, which could go quite a long way to helping cover the costs of our security services in countering the challenges in the digital space. Does the Minister believe that a fine would be appropriate in these circumstances?

I am grateful to my hon. Friend for reminding the House of the significant powers that the ICO now has. Of course, the powers are there to enforce and protect the privacy of UK users. It remains to be seen whether UK users have been affected by this breach but, if they have, I am sure the ICO will make further inquiries.

I declare my interest, as set out in the Register of Members’ Financial Interests.

I am sure the Minister will want to encourage the increasing number of her colleagues who have their own budding leadership WhatsApp groups to update their app. My hon. Friend the Member for West Bromwich East (Tom Watson) made an important point that this is not only about encryption but about the connection between devices and the transition from the old copper cables to the VoIP system of broadband connectivity. This is a question for Ofcom, not the ICO, so what conversations is the Minister having with Ofcom about the security standards for connections over the internet-based communications network?

I thank the hon. Gentleman for quite rightly raising the role of Ofcom. I have regular meetings with the chief executive of Ofcom, and I will certainly raise the matter the hon. Gentleman has raised with me at my next meeting with her.

I am afraid the Minister’s response to my hon. Friend the Member for Lancaster and Fleetwood (Cat Smith) was less than convincing. The reality is that WhatsApp is a critical app that is used in everyday life by millions of people across the UK. It is therefore of national importance that its resilience is protected, and the state has an interest in making sure that that happens. Why is the Minister not compelling WhatsApp to ensure that all users in the United Kingdom are alerted to the potential data breach and are obliged to upgrade the software accordingly?

I think that that is precisely the content of the discussion my right hon. Friend the Secretary of State has had with Facebook just this morning. I agree with the hon. Gentleman: WhatsApp and any other platform where there has been a serious breach of this kind should take responsibility for informing its entire user base immediately. I completely concur with that.

There will be millions of people with a serious concern that their data—their conversations with loved ones and business contacts—has been stolen by this spyware, and they will want to know that someone is being held accountable. Does the Minister now agree that it is time to add Government pressure to the pressure from the Digital, Culture, Media and Sport Committee to have Mark Zuckerberg come to Parliament to explain what has gone wrong with Facebook and WhatsApp, and to make sure we can restore some public trust in him and his company?

It is vital that we hold platforms—in this case, WhatsApp—to account for breaches that have occurred. If these breaches have resulted in UK users’ data being compromised, the ICO has the powers to investigate them thoroughly. It also has a sanctions regime, which my hon. Friend the Member for Mid Worcestershire (Nigel Huddleston) pointed out includes a potential fine of up to 4% of global turnover. The ICO has proved itself to be a forceful regulator, and I am sure it will be watching this space with great interest.

Although we know that data breaches have happened previously, the difficulty is that we have had no adequate response from Facebook since evidence of those data breaches came through. Is not the reality that we have to have legislation in place? We are now in an election period, with WhatsApp and closed Facebook groups being used, as we speak, in electoral campaigning, but the law has not changed since the DCMS Committee, on which I serve, raised these issues. We have yet another instance of shutting the door after the horse has bolted. We have to act, and the Cabinet Office and the Select Committee need, as a matter of urgency, to take forward steps relating to the electoral position, which is so vulnerable and about which we will learn nothing before polling day next Thursday.

The hon. Gentleman raises a subject that is top of my priority list at the moment. My Department works with the Cabinet Office on making our electoral laws fit for the internet age. As he made clear, there is a huge requirement in terms of updating, and I have read the Select Committee report, which is extremely alarming. The ICO is undertaking a number of investigations into matters of concern around our democracy and the security of our democracy. I advise all Members to have a good look at the ICO website, where they should find a draft political code of practice—which the ICO has developed under the powers handed to it under the Data Protection Act last year—with advice to political parties on how they use social media platforms and the data available to them from those platforms. It is a very serious matter.

On a point of order, Mr Speaker. I have just looked at the version history of the WhatsApp advice on what to update. There is no mention whatever of security breaches or the need to update WhatsApp because of security. The advice talks about having stickers in full size, entering phone numbers and seeing who is on WhatsApp. There is nothing about security.

I note what the hon. Gentleman has said, and it will have been heard by Members of the House, who may well share his reaction to it. I thank him for taking this opportunity to put the matter on the record.