Mexican news outlet Reforma recently confirmed that Mexico's Attorney General (the government agency in charge of investigating and pursuing federal crimes in Mexico) acquired surveillance software from the Israeli company NSO Group in 2014 and 2015 for a sum of 15 million dollars. According to Reforma:
La PGR compró en la Administración de Jesús Murillo Karam el software de espionaje Pegasus, hasta ahora el más sofisticado en el mercado y capaz de escuchar, ver, capturar texto, imagen y contactos de cualquier teléfono inteligente.
The AG (Attorney General), under the Administration of Jesús Murillo Karam, bought the espionage software Pegasus, which is so far the most sophisticated spy software on the market and is capable of listening, viewing, and extracting text, images, and contacts from any smart phone.
This information emerges a few weeks after the North American newspaper the New York Times published an article revealing that, according to e-mails to which the Times had access, the Mexican government has held multimillion-dollar contracts with the NSO company in order to conduct three projects over three years since 2013.
The New York Times emphasized that in August 2016, investigators from the specialized centers on digital security issues Citizen Lab and Lookout detected attempts to tap into the cellphones of human rights advocate Ahmed Mansoor from the United Arab Emirates and of Mexican journalist Rafael Cabrera (one of the journalists behind the “Casa Blanca” investigation that involved Mexico's presidential couple in acts of corruption) with technology made by the same NSO Group. Here is what Cabrera announced on his Twitter account:
The spokesman for the Mexican embassy in Washington, Ricardo Alday, responded by telling the New York Times that all intelligence systems acquired by the Mexican government have the required legal backing and that they are not being used against journalists or activists.
In spite of this, according to Mexican NGO Network in Defense of Digital Rights (R3D in Spanish):
Las revelaciones son preocupantes, puesto que hasta ahora la adquisición se manejó en completa opacidad; además, la empresa NSO Group tiene antecedentes de haber vendido su equipo a gobiernos que no respetan los derechos humanos, como el caso de los Emiratos Árabes Unidos.
Pegasus permite capturar imágenes, mensajes de texto, escuchar llamadas telefónicas y robar información de cualquier smartphone, lo que lo convierte en un software altamente intrusivo.
The revelations are worrisome, given that until now the acquisition was handled in complete obscurity; in addition, the company NSO Group has previous records of having sold its equipment to governments that do not respect human rights, as is the case with the United Arab Emirates.
Pegasus allows the extraction of images, text messages, listening to telephone calls, and stealing information from any smartphone, which makes it a highly intrusive software.
This is not the first time that the Mexican government has been seen buying surveillance technologies and using them for purposes that lie beyond public interest.
In April 2013, the University of Toronto's Citizen Lab detected the surveillance software FinFisher, sold by the British company Gamma Group, operating on the telecommunication networks of the companies Iusacell and UniNet, which is a subsidiary of Mexican telecommunications company Telmex. The software, which also has been used by various governments in the Middle East and Asia, typically infects computers and smartphones disguised by a seemingly harmless link or attachment. Once it has installed itself into a person's device, it allows the perpetrator to monitor communications without the user's knowledge.
That same year, an investigation done by the organizations Propuesta Cívica and ContingenteMX and published by Mexico City newspaper La Jornada found that FinFisher was used extensively by at least four federal dependencies: The Secretary of Public Security (SSP in Spanish), the Republic's Attorney General (PGR), the Center for Investigation and National Security (CISEN in Spanish), and the Presidential General Staff (EMP in Spanish).
In July 2013, the representative of the collective ContingenteMX, Jesús Robles Maloof, reported that he had been a target of espionage in his column, “Smile, They are Watching You” for the digital journal SinEmbargo:
El pasado martes 7 de mayo de este año , mi familia y yo recibimos una amenaza. Nos hicieron saber que accedieron a mis comunicaciones, leyendo incluso algunas de ellas. Denuncié los hechos penalmente y estoy en espera que la autoridad determine el origen y los programas usados para este. Acepto, como todos mis colegas, los retos que significan defender los derechos humanos, lo que de ninguna manera implica que nos quedemos cruzados de brazos. Al defender la Constitución, defendemos la vía de la transformación democrática.
No se es paranoico cuando se revisan periódicamente las medidas personales de seguridad. Se es paranoico cuando crees que necesitas espiar a toda la población. Instalados en la irracionalidad están los gobiernos que nos tienen miedo. La democracia es incertidumbre en el cambio de poder, querer controlar todo es muestra de autoritarismo.
This past Tuesday, May 7 of this year , my family and I received a threat. They made it known to us that they had gained access to my communications, even reading some of them. I reported these criminal acts and am now waiting for the authorities to determine their origin and the programs used for this. I admit, like all of my colleagues, the challenges that come with defending human rights, which in no way implies that we keep our arms crossed. In defending the Constitution, we defend the road to democratic transformation.
It is not paranoid when one periodically reviews one's personal security measures. It is paranoid when you believe that you need to spy on the entire population. The governments that fear us are settled in irrationality. Democracy is uncertainty in the change of power; to want to control everything is proof of authoritarianism.
The 2014 Global Information Society Watch (GISWatch) report on surveillance technologies included a chapter on Mexico, created by the organization SONTUSDATOS. In the chapter, they point out that they found traces of the program FinFisher in the mobile devices of different human rights activists.
At the end of July 2016, the magazine Proceso demonstrated as well that Mexico acquired simulators of cell phone towers (also known as IMSI catchers) belonging to the Finnish technology company Exfo Oy in 2014, which have the ability to intercept cellular traffic and communications content, to collect information from mobile devices, and to track and locate users.
Additionally, in 2015 a leak by Wikileaks showed that Mexico spent almost 6 million euros over four years in order to acquire the program Remote Control System (RCS), from the Italian company Hacking Team, which is capable of invading any electronic device. According to the report “Hacking Team: Spy Malware in Latin America,” published by Digital Rights together with Aristegui Noticias:
[el programa] Remote Control System accede a contraseñas, contactos, mensajes y correos electrónicos; llamadas telefónicas; que además controla micrófono y webcams; tiene acceso a nuestras redes sociales; puede saber dónde estamos en todo momento y registra cada una de las teclas apretadas, clics del mouse y sitios de internet visitados.
[the program] Remote Control System accesses passwords, contacts, messages, and e-mails, telephone calls, and also controls the microphone and webcams. It has access to our social networks, it can know where we are at every moment and register each one of our keystrokes, mouse clicks, and visited internet sites.
This report concludes that these types of technologies violate rights to privacy, freedom of expression, and due process, and underscores the importance of the Mexican government being transparent in its information regarding the purchase and use of these types of surveillance tools.
Unfortunately, the federal government does not seem to have any intention of making this type of information public, as demonstrated by its recent refusal to disclose which people and devices were tapped by the Center for Investigation and National Security (CISEN) during 2014 in response to a request for information filed by the Network in Defense of Digital Rights (R3D). Nevertheless, as indicated by R3D, in 2016 the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI in Spanish) determined that such information should be public knowledge.
— R3D (@r3dmx) September 13, 2016
The @INAImexico compelled the CISEN to tell us how many people it spied on in 2014. @EPN wants the @SCJN to stop/impede/block/ it.
(In image: Presidency does not want you to know how many people it spied on…)