#GobiernoEspía: Widespread Mexican government surveillance of human rights defenders and organisations
On 19 June, the New York Times published an in-depth article on the Mexican Government’s deployment of $80 million worth of spyware against lawyers, journalists and human rights defenders (HRDs). According to the article - which looked at a groundbreaking investigation led by the University of Toronto's Citizen Lab - the software, named Pegasus and developed by Israeli hacking company NSO Group, infiltrates smartphones to grant access to calls, emails, texts, contacts and calendars. It can even allow remote activation of cameras and microphones, keeping a record of the target's meetings and conversations. The research carried out by Citizen Lab together with Article 19, R3D (Red en Defensa de los Derechos Digitales) and SocialTIC, gathers evidence on the cases of 12 HRDs and their relatives, who have been targeted through highly personalised and persistent hacking attempts. For the spyware to be installed on the smartphone, the user must click on a link within an individualised message designed to persuade the HRD or family member into clicking. These attacks, which took place between January 2015 and July 2016, add to the list of another 12 documented attempts against campaigners for a soda tax in Mexico, reported by the newspaper in the beginning of the year.
The revelation has generated an outrage in Mexico and beyond, with #GobiernoEspía (#SpyGovernment) making the headlines, thousands expressing their repulsion in social media and more than 200 organisations demanding accountability. It is of grave concern that the Mexican government is investing such vast public resources and sophisticated tactics to spy on those defending human rights, neglecting the constitutional guarantees which require that the targets of such surveillance techniques pose an "imminent threat to national security" and that such intrusions be authorised by a federal court order.
However, the discovery of the use of Pegasus software is far from being an isolated case of illegal surveillance and digital harassment of HRDs in Mexico. In March 2013, the Citizen Lab of the University of Toronto published the report For Their Eyes Only: The Commercialization of Digital Spying, where researchers found surveillance software FinFisher operating in two Mexican telecommunication networks: Iusacell and Uninet (a subsidiary of Telmex). When installed on the servers of internet service providers, FinFisher can track the internet traffic of a whole country, identifying targets based on their activities on Skype, Twitter, Facebook and other social media platforms. Similarly to Pegasus, FinFisher infiltrates cell-phones or computers giving remote control of a device, granting access to files, contact lists, text messages, cameras and microphones. Two years later, in 2015, the massive leak suffered by Hacking Team, the Italian cyber-surveillance firm, revealed that Mexico had been Hacking Team's biggest client by far, amounting contracts worth more than $6.3 million since 2010. Mexico bought licenses for the use of Galileo and DaVinci, the commercial names for Remote Control System (RCS), a software which enables access to all types of content in computers or cellphones, from keyboard and mouse clicks, geographic location and passwords to emails and chat platforms. Furthermore, in 2014, Finland sold to Mexico cell tower simulators destined to trick cell phone devices to connect to them instead of the legitimate towers of the mobile phone companies, as disclosed in a report by the Finish Foreign Affairs Ministry. These devices, known as “IMSI catchers”, can collect information from phones in proximity including the identification of a cell phone (phone numbers as well as International Mobile Subscriber Identity or IMSI), intercept communications and meta-data, track the location of the phone, block phone communication, obtain the encryption key for a phone's communications, etc.
In addition to the evidence of the use of sophisticated surveillance software and devices by the Mexican government, HRDs in Mexico have been persistently reporting cyber-attacks targeting their work. The number of Distributed Denial of Service (DDoS) attacks against civil society organisations and independent media has been on the rise in Mexico. DDoS attacks entail a form of censorship where a myriad of computers, infected with a malware, are used to flood a targeted website with junk traffic to the extent where it can no longer serve information to legitimate visitors. In addition, the deployment of bots, online harassment (trolling) and targeted efforts to trigger hate-filled discussions, particularly against women HRDs and female journalists, have also been repeatedly reported.
Since 2008, Front Line Defenders has carried out long-term digital protection support and trainings for HRDs and human rights organizations. Additionally, by training digital protection trainers, Front Line Defenders has contributed to building a network of experts who are responding to the complexity of these threats. In 2016 in Latin America, Front Line Defenders supported and trained 40 individual HRDs and 41 organizations with direct technical support in the transition to using more secure digital tools.1 12 digital security experts were also trained in the region in 20162 in order to enhance their capacities to accompany HRDs and organizations in the development and implementation of digital security plans. Human rights defenders are also thriving in the deployment of self-defense tactics. For example, in response to the use of IMSI-catchers during protests, HRDs in Mexico have chosen to make use of alternative communication tools such as Nextel, which operates via radio frequencies, or Firechat, which allows communications without cellular data connection. The increase in capacities, policies and protocols on security has resulted in organisations being effective in identifying and denouncing surveillance techniques and cyber-attacks. However, it remains difficult to measure the long-lasting effects of the human rights community being under widespread surveillance. As denounced by civil society organisations, surveillance has become an effective mechanism to not only control but intimidate human rights defenders – the perception of the possibility of reprisals is enough to expand self-censorship and restrict political participation - a clear retreat for freedoms of expression, assembly and association. In addition to the initiatives and efforts that build capacities to resist and defend against digital security threats, it remains important that pressure is maintained against surveillance practices by the Mexican, and other “Spy governments”, and to hold these governments accountable for their obligations to respect and protect human rights defenders.
1 - Worldwide, in 2016, Front Line Defenders supported and trained 417 individual HRDs and 103 organizations with direct technical support in the transition to using more secure digital tools.
2 - Worldwide, 18 digital security experts were trained in 2016.
3- For more on HRD experiences with digital surveillance, see: Living Under Digital Surveillance: Human Rights Defender Perceptions and Experiences