Information
Equipo Nizkor
        Bookshop | Donate
Derechos | Equipo Nizkor       

19Jun17

Español


Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families


Mexico's most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.

The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico's most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.

Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person's cellular life – calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target's smartphone into a personal bug.

The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.

But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government's most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.

"We are the new enemies of the state," said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife's, was targeted by the software, according to an independent analysis. "Ours is a society where democracy has been eroded," he said.

The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.

It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.

"Mexican security agencies wouldn't ask for a court order, because they know they wouldn't get one," said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico's intelligence agency and one of the government agencies that use the Pegasus spyware. "I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?"

"There, of course, is no basis for that intervention, but that is besides the point," he added. "No one in Mexico ever asks for permission to do so."

The hacking attempts were highly personalized, striking critics with messages designed to inspire fear – and get them to click on a link that would provide unfettered access to their cellphones.

Carmen Aristegui, one of Mexico's most famous journalists, was targeted by a spyware operator posing as the United States Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Mr. Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extramarital affair.

For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Mr. Pardinas's home.

"I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don't seem to fall into the traditional role of criminality," said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which examined the hacking attempts.

The Mexican government acknowledges gathering intelligence against legitimate suspects in accordance with the law. "As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations," it said in a statement.

But the government "categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization."

The Mexican government's deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.

Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker's individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.

But cyberexperts can verify when the software has been used on a target's phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.

"This is pretty much as good as it gets," said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.

Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.

The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers' communications, making it harder for government agencies to conduct surveillance.

Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump's former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.

Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used – or whom they are used against.

The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.

Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.

"When you're selling AK-47s, you can't control how they'll be used once they leave the loading docks," said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.

Rather, the NSO Group relies on its customers to cooperate in a review, then turns over the findings to the appropriate governmental authority – in effect, leaving governments to police themselves.

Typically, the company's only recourse is to slowly cut off a government's access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.

From Hope to Intimidation

Journalists, human rights defenders and anti-corruption campaigners have long faced enormous risks in Mexico. For decades, they have been followed, harassed, threatened and even killed for their work, occupational hazards more common in authoritarian states than in countries in good standing with the Organization for Economic Cooperation and Development, as Mexico is.

But when President Enrique Peña Nieto came into office in 2012, promising to lift Mexico to its rightful place on the world stage, there was an inkling of hope that the nation's democracy was coming into its own.

His party passed a list of badly needed changes, taking aim at the failing education system and moving to enhance the transparency of Mexico's bureaucracy. Competition in some core industries, like telecommunications, has increased.

But by 2014, much of the early promise of the Peña Nieto administration was dashed by the crises subsuming it, including the mysterious disappearance of 43 teaching students after a clash with the police, and accusations that the president and his wife got a special deal on a multimillion-dollar home from a government contractor.

The scandals have left an enduring mark on the president's reputation. After a stunning rise built on a perfectly crafted image – a young, energetic president working across party lines, the embodiment of a new Mexico – Mr. Peña Nieto was suddenly recast as an out-of-touch, corrupt politician with abysmal approval ratings.

In no small part, that fall was thanks to the Mexican journalists who broke news of the scandals, as well as the lawyers and activists who refused to let the country forget about them.

"You have to remember this was a government that went from setting the agenda to being entirely reactive," said Carlos Loret de Mola, a news anchor for Televisa who has some of the best sources inside the Mexican government.

Mr. Loret de Mola, who received at least eight messages laced with NSO software, added, "They looked at journalists and thought, 'They are bringing these things out and embarrassing us, so it's better if we spy on them.'"

Mexico is still a far cry from Turkey, which jails more journalists than any other nation in the world. It is hardly China, an authoritarian state where critics are silenced and a Western-style free press has been cast as a political peril by the government. But Mexico is in crisis on these fronts all the same.

More journalists were killed in Mexico last year than during any other year this century, and 2017 is off to an even worse start. Government critics are routinely harassed and threatened, and now they are being targeted with incredibly sophisticated software.

"The fact that the government is using high-tech surveillance against human rights defenders and journalists exposing corruption, instead of those responsible for those abuses, says a lot about who the government works for," said Luis Fernando García, the executive director of R3D, a digital rights group in Mexico that has helped identify multiple abuses of Pegasus in Mexico. "It's definitely not for the people."

'About Getting Revenge'

Perhaps no journalist in Mexico has done as much to damage the reputation of the president than Carmen Aristegui. And few have paid as dearly for it.

In 2014, she and her team broke the scandal of the so-called Casa Blanca, or White House, a story of real estate intrigue that involved a special deal handed to Mexico's first lady, Angélica Rivera, by a major government contractor close to the president.

The story reached a worldwide audience and forced the president's wife to surrender the house, presenting the Mexican government with the sort of ethical quandary that in a different country might result in a congressional inquiry or the appointment of an independent prosecutor.

Instead, the president was cleared of wrongdoing by a prosecutor who had worked closely with his campaign team, while Ms. Aristegui lost her job. That moment marked the beginning of a sustained campaign of harassment and defamation against her: lawsuits, break-ins at her offices, threats to her safety and the monitoring of her movements.

"It's been about getting revenge for the piece," she said. "There's really no other way to see it."

So when she began receiving text messages in 2015 from unknown numbers, instructing her to click on a link, she was suspicious. One message asked for her help in locating a missing child. Another alerted her to sudden charge on her credit card. And she received a text message purportedly from the American Embassy about a problem with her visa. Impersonating an American government official is a possible violation of United States law.

When the messages failed to entice her to click on the links and inadvertently download the software, they grew increasingly strident, including one warning that she could be imprisoned. Several came from the same phone number, leaving a record of the spyware operator's sloppiness.

Still, the spyware operators pressed on. Starting as early as March, they began targeting Ms. Aristegui's then-16-year-old son, Emilio, who was living in the United States at the time. Some of the texts were similar to the ones she had received. Others were made-up headlines about Ms. Aristegui, sent from what appeared to be a news agency.

"The only reason they could be going after my son is in the hopes of finding something against me, to damage me," she said.

Ms. Aristegui is the embodiment of the hope – and the crushing limitations – for a free media in Mexico. Though she was fired over what her employer called internal disagreements, she continued publishing on her own, eventually drawing enough of an audience to sustain a team of reporters.

But the work has taken its toll. In one lawsuit, filed by the president of her former employer, a judge cited Ms. Aristegui last November for her "excessive use of freedom of speech."

Her website, Aristegui Noticias, has been hacked numerous times, including on the eve of publishing a major investigation into the massacre of more than a dozen civilians by the federal police.

And her offices were broken into last November. So brazen were the assailants that they didn't bother wearing masks. Nor did they steal much – one computer, a watch and a bag hanging from the back of a chair. Their faces and fingerprints were captured on cameras in the office. Still, no one has been caught.

The threats, harassment, even the spying, all of it she channels into work.

"For me, I have opted to believe that my public work is what will best protect me," she said. "The great challenge for journalists and citizens is that the fear serve us, and not conquer us."

Texts Laced With Menace

It was Dec. 21, 2015, and Mr. Pardinas was at the beach with his family, trying to enjoy the start of his Christmas vacation. But his phone kept buzzing, at first with calls from lawyers, and then with an odd text message.

It had been a long few months in an even longer campaign: to pass an unprecedented law forcing Mexico's public servants to disclose their financial conflicts of interest.

In November, he had presented a study on the costs of corruption in Mexico, confirming with facts and figures something that nearly all Mexicans knew in their hearts – that corruption was crippling the country.

He followed it up with media interviews, poking fun at the Mexican government's embarrassing response to corruption. He joked that it probably spent more money on coffee and cookies than on the office in charge of prosecuting graft.

The study, the interviews, a seemingly endless gantlet of meetings with politicians – it all laid the groundwork for the new law, which Mr. Pardinas, a private citizen directing a public policy group, was helping to write.

So even as Christmas approached and his family relaxed in the coastal town of Puerto Vallarta, Mr. Pardinas was busily consulting lawyers on the final draft, which he had just over a month to submit.

And then a message: "My father died at dawn, we are devastated, I'm sending you the details of the wake, I hope you can come." Attached was a link.

Mr. Pardinas thought it odd that whoever had sent such a personal text was not even among the contacts in his phone. He showed his wife the message, and decided to ignore it.

Things only picked up from there, both on his proposed law and the odd messages. The government roundly ignored his bill, until he and others gathered more than 630,000 signatures supporting it.

Mr. Pardinas's tone grew bolder. He told one radio host that "for the government of Mexico, anti-corruption measures are like garlic to a vampire."

Then came another text message. This one appeared to be from the news outlet Uno TV, which sends daily news headlines to cellphone users across the country. The headline struck him: "The History of Corruption Within the Mexican Institute for Competitiveness." It was particularly alarming because that was his organization.

He declined once more to click on the link, suspecting foul play. More text messages came, including the next day. Only this time, having failed with Mr. Pardinas, they tried his wife.

The message, sent from the same news headline service, said that leaked videos showed Mr. Pardinas having sexual relations with a member of his staff. It was also sent to a colleague.

Mr. Pardinas called his wife, telling her that she appeared to be part of a broader harassment effort. "Oh, it's these people again," she responded.

The campaign to pass the law continued, and the bill made it through Congress relatively unscathed. But the Senate decided to add an extra provision: Everyone who worked for a company that received government money would also have to disclose their interests and assets. That meant the bill would cover more than 30 million people.

The president vetoed the bill, saying it needed more discussion, essentially kicking the can down the road.

Mr. Pardinas continued his broadsides in interviews, naming obstructive lawmakers and well-connected companies that benefited from government money. Few activists go so far as to name names in interviews, but Mr. Pardinas, who holds a Ph.D. from the London School of Economics, plowed ahead anyway.

The initiative seemed doomed. Yet another message arrived, on Aug. 1, this one laced with menace: "Listen, outside of your house is a truck with two armed guys, I took their photo look at them and be careful."

Mr. Pardinas, who was at work when this message came, once again declined to take the bait. But he did call his wife, again, asking her to look out their window to see if there was a truck parked outside. There was not.

"By the end, my wife had Olympic-style training in this hacking stuff," Mr. Pardinas said.

Mr. Pardinas continued his broadsides in interviews, naming obstructive lawmakers and well-connected companies that benefited from government money. Few activists go so far as to name names in interviews, but Mr. Pardinas, who holds a Ph.D. from the London School of Economics, plowed ahead anyway.

The initiative seemed doomed. Yet another message arrived, on Aug. 1, this one laced with menace: "Listen, outside of your house is a truck with two armed guys, I took their photo look at them and be careful."

Mr. Pardinas, who was at work when this message came, once again declined to take the bait. But he did call his wife, again, asking her to look out their window to see if there was a truck parked outside. There was not.

"By the end, my wife had Olympic-style training in this hacking stuff," Mr. Pardinas said.

'It Comes With the Territory'

Mario E. Patrón was on edge. The conference table was packed with fellow human rights defenders, including the United Nations commissioner for human rights in Mexico. Everyone was there to discuss the bombshell expected to drop.

An international panel brought to Mexico to investigate the haunting disappearance of 43 teaching students was releasing its final report the next day, at the end of April 2016. The findings, Mr. Patrón knew, were going to be brutal.

The government would be accused of negligence, incompetence, even malfeasance in its handling of the case. Like others in the room, Mr. Patrón, whose organization represents the parents of the missing students, was wondering how the government would respond.

His phone buzzed and he glanced at the screen. "THE GOVERNMENT OF MEXICO GETS OUT IN FRONT OF THE GIEI," the text message read, using the acronym for the international panel. It seemed like the news he had been waiting for.

He showed the message to his colleague, then clicked on the link. But instead of an article or a news release, it simply redirected him to a blank page. Confused, he left the meeting and raced to his office to begin making calls to see what the government had in store.

And like that, he fell into their trap.

Mr. Patrón is the executive director of the Miguel Augustín Pro Juárez Human Rights Center, perhaps the most highly respected human rights group in Mexico. The group focuses on the nation's most serious cases of human rights abuses, making it a nettlesome critic of the government.

In addition to Mr. Patrón, two other lawyers for the group were targeted with the software: Santiago Aguirre, the primary lawyer representing the families of the missing students, and Stephanie E. Brewer, a Harvard-educated American lawyer who has worked for the group since 2007.

"We have always suspected they spied on us and listened to us," Mr. Patrón said. "But to have evidence that we are victims of actual surveillance – it confirms that we are under threat. And that the government is willing to use illegal measures to try and stop us."

Beyond the missing students, Centro Prodh, as the group is called, is representing one of the few survivors of a military raid in 2014 in the town of Tlatlaya, where the army stormed a suspected cartel hide-out and killed 22 people.

While pursuing the case, the group unearthed a memorandum ordering the soldiers to kill suspected cartel members, strengthening the argument that the events did not unfold as a firefight, as the military claimed, but were instead extrajudicial executions carried out by the soldiers.

The organization's clients also include the women of Atenco, a group of 11 university students, activists and market vendors who were arrested by the police more than 10 years ago during protests in the town of San Salvador Atenco and brutally sexually assaulted on the way to prison.

Aside from the grave abuse of power, the case was especially sensitive: The governor who ordered the crackdown on the protesters was Enrique Peña Nieto, now the president of Mexico.

From the very beginning, the case was an uphill battle. Arrested on trumped-up charges, some of the women spent more time in prison than the officers who raped them.

Finding no recourse in Mexico, Ms. Brewer and others appealed to the Inter-American Commission on Human Rights, a regional body outside the Mexican judicial system, to review the case. And they waited – for nearly seven years.

Finally, in 2015, the commission found in favor of the women, ordering the government to investigate the case all the way up the chain of command, a directive that would include Mr. Peña Nieto. Ultimately, the case was sent to the Inter-American Court, an independent judiciary with jurisdiction over Mexico, a major blow to the nation's presidency.

One evening Ms. Brewer was at home, getting ready for bed when a text message arrived. The date practically coincided with the 10-year anniversary of the assaults on the women, an eerie bookend to their decade-long struggle for justice.

On her phone was a provocative question, a taunt even, asking whether anyone defended the soldiers and members of Mexico's navy who also suffered abuse.

"And you guys that do human rights against this, what about the dignity of them …" The message contained a link, presumably to a news story or a tip.

Intrigued, Ms. Brewer clicked on it. She was directed to a broken link, a telltale sign of the malware.

"It's just part of defending human rights in Mexico," she said. "It comes with the territory."

[Source: By Azam Ahmed and Nicole Perlroth, The New York Times, Mexico City, 19Jun17]

Bookshop Donate Radio Nizkor

Privacy and counterintelligence
small logoThis document has been published on 21Jun17 by the Equipo Nizkor and Derechos Human Rights. In accordance with Title 17 U.S.C. Section 107, this material is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.