Indian officials are likely to cite the WhatsApp snooping controversy to push through a plan to compel digital companies to store data of Indian users locally, multiple reports say.
Tech experts confirmed that multiple government departments and agencies have proposed such demands.
It was “a serious issue of national security”, and “requires measures, including data localisation”, officials were quoted as saying.
Experts called it a “bizarre response”.
“This makes no sense at all. The location of the data had nothing to do with the Pegasus breach,” technology expert Prasanto K Roy told the BBC.
“WhatsApp was very transparent about the breach and reported it to the authorities. What is important now, is to find out who did it and how.”
“Data localisation completely goes against the whole concept of the internet which is a global network,” he added.
Reports have quoted government officials as saying that they wanted user data stored locally as the Pegasus breach “compromised national security“.
What was the Pegasus breach all about?
Hackers were able to install surveillance software on phones and other devices by using a major vulnerability in the messaging app.
Targets received video or voice call requests from an unknown number – which even if ignored, allowed the spyware, known as Pegasus, to be installed on the device.
This allowed users to remotely access everything on the phone, including text messages and location.
WhatsApp fixed the vulnerability as soon as it was discovered and informed affected users.
It also filed a lawsuit against Israeli firm NSO Group, alleging it was behind the cyber-attacks that infected devices in April and May.
NSO Group, which makes software for surveillance, says it only works with government agencies and strongly denied responsibility for the attacks.
Activists and politicians pointed fingers at the state after WhatsApp revealed Indian journalists and activists were among those targeted.
The government has denied the claims.
However, it has also repeatedly refused to discuss the issue in parliament.
It refused to answer questions about who had authorised the attacks and instead cited a controversial law that specified the right of agencies to monitor and decrypt information in national security interest.
It also tried to stop a parliamentary committee on cyber security from discussing the matter, saying it did not fall under the purview of the panel.