“All is fair in love and war.” This common saying is perhaps the main argument that the Mexican government hides behind to arbitrarily monitor its citizens using surveillance software or “spyware.”
Researchers in Mexico revealed findings last week that since 2011, at least three Mexican state agencies spent nearly 80 million dollars on Pegasus spyware. This software has been used to spy on citizens, including journalists who cover organized crime, human rights attorneys and anti-corruption activists. The US newspaper The New York Times published a report on research conducted by Mexican organizations Artículo 19, Red en Defensa de los Derechos Digitales (R3D) and SocialTIC.
El @nytimes publica un reportaje sobre espionaje a periodistas y activistas con el malware Pegasus #GobiernoEspía https://t.co/eZF5vkaRRy
— R3D (@r3dmx) 19 de junio de 2017
The @nytimes published a report about surveillance of journalists and activists using Pegasus malware #GobiernoEspía
This particular software is designed to infect mobile devices and collect data from communications, shared images, geolocation tools, and even cameras. It can also steal passwords to access private networks. Most people affected by the software receive it in the form of a benign-seeming email attachment or link, which infects their device after they download or click on it.
Top: The software called Pegasus is developed by the Israeli company NSO Group. According to NSO, they only sell it to governments for intelligence gathering against organized crime and terrorism. Lower left: How does it work? It tricks the user into clicking a malicious link that installs the software on their device. Lower right: Once it’s installed the government can access: your phone calls, your emails, your contacts, your calendar.
The rise in use of digital surveillance tools has become part and parcel of Mexico's ongoing internal armed conflict. Triggered by the war against drug cartels, declared by the administration of former President Felipe Calderón in late 2006, the conflict has led to the deaths of tens of thousands of people, including members of armed groups, military and civilians. Many others have gone missing, including 43 students from Ayotzinapa. Several attorneys who have represented disappeared victims have been targeted and surveilled with Pegasus malware.
Opacity and vulnerability
In this context, the allocation of public resources to intelligence and security matters goes unquestioned and it is difficult to scrutinize. The government spends millions of dollars with little accountability to the public, and it employs cyberweapons to wage war against its citizenry.
The use of Pegasus in Mexico, however, is not novel. Since August 2016, the New York Times has reported that Pegasus spyware, developed by the Israeli company NSO Group, is used by the government of Mexico. In September 2016, the Mexican news outlet Vanguardia reported on the purchase of this system:
La Procuraduría General de la República en la gestión de Jesús Murillo Karam fue la dependencia que compró el software de espionaje Pegasus, el más sofisticado en el mercado y capaz de escuchar, ver, capturar texto, imagen y contactos de cualquier teléfono inteligente.
The Office of the Attorney General of the Republic under the management of Jesús Murillo Karam purchased Pegasus surveillance software, the most sophisticated of its kind on the market, with capabilities to listen, view and capture text, images and contacts of any smartphone.
Until now, the tools that citizens of Mexico have at their disposal to force government transparency have been ineffective at exposing information about Pegasus and how to defend against its intrusions.
In September 2016, a citizen officially requested that the Attorney General release details about the acquisition and use of Pegasus. The AG responded saying that the information doesn't exist and that it does not have a cyber-surveillance program.
This was later confirmed by Mexico's transparency agency, the National Institute for Transparency, Access to Information and Personal Data Protection (known by the acronym INAI in Spanish). The INAI has undergone major reforms in the current administration, some of which have cast a shadow of suspicion among civil society advocates, who have begun to doubt its accountability.
Confirmation of surveillance
In February 2017, the Mexico City NGO Red en Defensa de los Derechos Digitales (R3D) published a study on surveillance by the Mexican government of two activists and a researcher who supported a tax on sugary beverages.
Conclusions of R3D study on soda tax activists
- The three victims were subjected to attacks using similar methods that they received on key dates when their work and advocacy for public health, in particular the promotion of the sugar tax.
- Pegasus surveillance malware is marketed exclusively to governments.
- There is evidence that at least the Ministry of National Defense (SEDENA), the Attorney General's Office (PGR) and the National Security and Research Center (CISEN) have acquired licenses to use malware marketed by NSO Group.
In an article on independent media site Animal Politico, activist Vladimir Cortés commented:
Las acciones de intromisión a la privacidad de los activistas por el derecho a la salud, sugieren que su trabajo no es una amenaza al Estado sino a los intereses privados. Demuestra que el gobierno mexicano ejerce total discrecionalidad para intervenir los teléfonos de las personas sin que existan instancias que regulen esta actividad.
The attacks against the privacy of nutrition activists suggest that their work is not a threat to the State but to private interests. It shows that the Mexican government exerts total discretion to intercept people’s communications without there being instances that regulate this activity.
In light of these allegations, it was not surprising that in May 2017 various civil society organizations declared their intention to leave the government on its own, and to end a partnership that had existed as part of the Open Government Alliance (AGA or OGP for its acronym in English), a multinational initiative intended to promote actions that contribute to transparency, accountability and citizen participation, in order to strengthen governance and combat corruption.
The news was circulated by many users on Twitter including Jaime Villasana:
Otra mala noticia para @gobrep de @EPN ONGs se levantan de mesa de Gobierno Abierto. @INAImexico https://t.co/8ODq937IXo
— Jaime Villasana D. (@jvillasanad) 24 de mayo de 2017
More bad news for EPN's government, NGO's leave the table of Open Government.
It was clarified shortly thereafter that the departure of the organizations happened “as a consequence of serious indications of espionage directed at human rights defenders and the increase of threats to freedom of expression in Mexico.”
The INAI — the agency through which the government participates in the aforementioned Alliance — only stated that it condemns espionage and respects the decision of the organizations.
Violence and surveillance
Threats to freedom of expression have also come in the form of executions of many journalists including Miroslava Breach and Javier Valdéz, who both covered organized crime, and whose spring 2017 executions remain unpunished and without substantial investigative progress even after several weeks.
The threats are compounded by the fact that journalists have been spied on by the government through the use of Pegasus. Those targeted range from journalists working independently, to well-known mainstream journalists such as Carmen Aristegui and Carlos Loret de Mola. Since April 2017, both have openly denounced receiving suspicious texts messages to their mobile phones, which researchers have since confirmed were attempts to infect their devices with malware.
The caricaturist Patricio weighed in on the subject:
El gobierno de @EPN espía a los periodistas exclusivamente cuando están vivos. Una vez que los asesinan, dejan de investigar. https://t.co/9wbvDAxmfq
— Patricio (@Patriciomonero) 19 de junio de 2017
EPN's government spies on journalists exclusively while they're alive. Once they are murdered, the investigation stops.
In the face of invasions of privacy in Mexico, whether through malware or spyware sold to the government, activists, communicators and citizens in general have limited ability to defend themselves. The inviolability of private communications becomes nullified in the context of the drug war, despite the fact that the specific motives behind these surveillance practices remain opaque.
The conversation between citizens regarding this topic can be followed on Twitter using hashtag #GobiernoEspía.