IFAI, Mexico. Photo by SFView. (CC BY-NC-SA 2.0)

A group of human rights activists and journalists filed a request [es] yesterday with Mexico's Federal Institute for Access to Public Information and Data Protection (IFAI), demanding an investigation of the possible use of FinFisher surveillance software in Mexico. The group suspects that the software has been used to spy on journalists and activists in the country.

The group, which includes individuals as well as civic organizations such as Propuesta Cívica A.C., Al Consumidor and Contingente MX, asked the IFAI to investigate the use of FinFisher, a malicious surveillance software product. The request states that two local Internet service providers, IUSACELL and UNINET, appeared to be linked FinFisher's “Command and Control” servers. FinFisher, produced by Gamma International, enables users to intrude on and remotely monitor electronic devices by infecting them through simple, seemingly benign actions like clicking on a link or updating one's software. It often captures far more information than is necessary for conducting a criminal investigation.

The request highlights the work of researchers at the University of Toronto's Citizen Lab, who have used technical testing to detect the use of FinFisher in 36 countries over the last two years. In a report entitled “You Only Click Twice,” Citizen Lab experts indicated that FinFisher programs were being operated on both IUSACELL and UNINET servers. The report also suggested links between FinFisher and a third ISP, TelMex.

Spyware of this caliber could easily exceed the limitations on government access to data that are set by Mexico's Data Protection Law. The law provides mechanisms for the data authority to determine whether a public or private institution or individual is violating privacy laws; this procedure takes less than a year. If IFAI finds that the Data Protection Law has been violated, it could impose administrative sanctions and even prosecute the infractors. It will be up to IFAI to determine whether FinFisher is being used for surveillance activities that exceed the limitations set by the law.

Mexico is a member of the OECD, a signatory to the Universal Declaration of Human Rights, both of which promote strong protections for privacy. The right to privacy is also enshrined in the 1917 Mexican Constitution.

But while Mexico has made strong commitments to privacy both at the national level and through international fora, these policies’ enforcement is not guaranteed. And citizens rarely seek to hold authorities accountable for their actions in this area. Mexico's public has been overwhelmed by drug-related violence in recent years, a problem that has left citizens fearing for their safety and generally unopposed to aggressive surveillance practices. As a result, the government has been able to launch sophisticated surveillance programs without facing significant resistance from civil society.

But yesterday's request marks a shift in this trend. Like advocates in many country across the globe (including GVA partners in Pakistan, who pursued a similar case), this group has drawn on the work of academics and legal experts in order to make an informed call for transparency and to promote a balanced national security regime that will respect privacy standards in Mexico.