Mexico City, June 19, 2017. Today, Citizen Lab, along with ARTICLE 19’s Office for Mexico and Central America, R3D: Network for the Defense of Digital Rights, and SocialTIC, published a new investigation, picked up by the New York Times, that exposes the use of sophisticated malware, sold exclusively to governments, to spy on the cell phones of human rights defenders, journalists, and anticorruption activists. According to reports from the New York Times (NYT), each malware license costs around $77,000.00 American dollars (or close to one million four hundred thousand pesos from the public treasury).
These new investigations come in the wake of the recent exposure of espionage perpetrated against proponents of a soda tax in Mexico. Dr. Simón Barquera, investigator at the National Institute of Public Health (INSP), Alejandro Calvillo, director of the organization The Power of the Consumer, and Luis Encarnación, coordinator of the ContraPESO coalition, all received text messages with apparently benign links that turned out to be infected.
The principle means of infection documented by Citizen Lab and the other organizations is through sending SMS messages with links that, once clicked, allow the malicious software to be installed covertly. The surveillance of these right to health activists triggered the Mexican civil society that was part of the Alliance for Open Government to end their partnership with the Federal Government and with INAI.
Today´s report reveals that other organizations, journalists, and government critics have also received similar messages, and have been targets of malware attacks designed to gain access to and control over their devices. The new cases include the following:
- The Miguel Agustín Pro Juárez Human Rights Center (Center Prodh): Between April and June of 2016, Mario Patrón, Director of Center Prodh, Stephanie Brewer, Coordinator of the International Team, and Santiago Aguirre, Assistant Director of the organization, received messages confirmed to be attempted attacks of the surveillance malware Pegasus. The messages were received on key dates during their human rights defense work, while Center Prodh was working on high impact cases like the forced disappearance of the 43 students at Ayotzinapa, the Tlatlaya massacre, and the sexual torture cases in Atenco.
- Aristegui News (Carmen Aristegui, Emilio Aristegui, Rafael Cabrera and Sebastián Barragán): In 2015 and 2016, Carmen Aristegui, her minor son Emilio Aristegui, and members of her investigative team like Sebastián Barragán and Rafael Cabrera, received close to 50 messages. In recent years, the journalist activity of Aristegui News has revealed numerous corruption cases, like the White House report and the plagiarism of President Enrique Peña Nieto’s thesis. Additionally, the site has produced reports about cases of grave violations of human rights in Mexico. Aristegui News has suffered numerous instances of harassment because of their investigative work, including a raid of their offices.
- Carlos Loret de Mola (Televisa/ El Universal / Radio Fórmula): Loret de Mola is a radio, television, and print journalist. In 2015 and 2016, he received at least 7 messages attempting to infect his device with the Pegasus The majority of the messages were received during August and September of 2015, while Loret de Mola was finishing investigating extrajudicial killings by the Federal Police in Tanhuato, Michoacán.
- Mexicans Against Corruption and Impunity (MCCI): Journalists Salvador Camarena and Daniel Lizárraga, the organization’s General Director of Journalist Investigation and Head of Information respectively, received at least 3 messages attempting to infect their phones with the NSO malware in May of 2016. The messages came right as the project’s founding became public, and around the same time that they published investigations into acts of corruption by the former governor of Veracruz Javier Duarte, and the former director of CONAGUA.
- Mexican Institute for Competitiveness (IMCO): At the end of 2015 and in May of 2016, Juan Pardinas, Director of the organization, and Alexandra Zapata, an investigator with the organization, received at least 4 messages attempting to infect their devices. IMCO has been a leader in the fight for legal anticorruption reform, and was a driving force behind the law known as “Law 3 of 3,” which generated extensive resistance and attacks from political forces associated with the federal government during the first semester of 2016, right as they received the malware infected messages.
Once a phone has been infected by the installation of the malware, after the recipient has clicked on the infected link, the attacker gains access to all the information stored in the phone, including messages, emails, contacts, a register of every key entered, remote monitoring of location data, and even information obtained through the phone’s microphone and camera.
According to Citizen Lab’s investigation, most of the domain names of NSO’s infrastructure are linked to Mexico, which, together with other evidence presented in the new report, reaffirms that Mexican authorities, like the National Defense Secretary (SEDENA), the Attorney General’s Office (PGR), and the National Center of Investigation and Security (CISEN), are NSO clients, and that people in Mexico are being subjected to this kind of surveillance.
The evidence shows that these cases are not isolated events, but rather part of a systemic political harassment against human rights defenders, journalists, and anticorruption activists. Similarly, the evidence indicates the absence of judicial authorization, legality, necessity and proportionality in the exercise of the exceptional authority of civilian surveillance. This conduct violates personal privacy, inhibits free expression, and damages the right to defend human rights.
We accordingly reject this new attack against civil society, and demand that the Mexican Government produce an account of the use of this software to conduct surveillance, open an independent, exhaustive and transparent investigation, and sanction those responsible who, through the abuse of power, have illegally violated the privacy of these social actors. In addition, we demand that legal reforms be implemented, in accordance with human rights guarantees, to ensure government accountability.
Today, a formal criminal complaint for these actions has been made before the Attorney General’s Office, and precautionary measures have been requested from the National Human Rights Commission (CNDH). Other international human rights organizations have also been informed.
Espionage in Mexico has become an effective intimidation mechanism against human rights defenders, activists, and journalists. It constitutes a form of control over the flow of information and the abuse of power. Given the facts of this new investigation, the Mexican government should make itself accountable to society over the indiscriminate and arbitrary use of espionage tactics, explain how they used the information they obtained, and conduct investigations that allow for the sanctioning of those responsible. The authorities are obligated to use all their legal and constitutional power to promptly and diligently attend to the grave harassment perpetrated against journalists, activists, and human rights defenders in Mexico. As a society, we cannot continue to accept silence and impunity as a response.
 Periroth, Nicole (June 19, 2017) ‘Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families. ’ Available at: https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html?ref=nyt-es&mcid=nyt-es&subid=article
 “Malware” or “malicious software,” a software used to collect confidential information or gain access to private information systems. https://www.eff.org/issues/state-sponsored-malware
 Corrupted software known as Pegasus developed by the Israeli Company NSO Group.
 Perlroth, Nicole (September 2, 2016) How Spy Tech Firms Let Governments See Everything on a Smartphone. The New York Times. Available at: https://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html
 Perlroth, Nicole (February 11, 2017) Spyware’s Odd Targets: Backers of Mexico’s Soda Tax. The New York Times. Available at: https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html?smid=fb-share&_r=0 ; Scott-Railton, John. Marczak, Bill. Guarnieri, Claudio. Crete-Nishihata, Masashi. Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links. The Citizen Lab. Available at: https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/ ; R3D. Destapa la Vigilancia: promotores del impuesto al refresco, espiados con malware gubernamental. Available at: https://r3d.mx/2017/02/11/destapa-la-vigilancia-promotores-del-impuesto-al-refresco-espiados-con-malware-gubernamental/
 “Por espionaje sociedad civil concluye participación en la Alianza para el Gobierno Abierto”, 23 de mayo de 2017, available at: https://articulo19.org/por-espionaje-sociedad-civil-concluye-participacion-en-el-secretariado-tecnico-tripartita-de-la-aga/
 Domain names, also known as Internet domains, allow links or URL addresses to be identified not only by a series of numbers denoting the IP identification, but also through a domain name. This facilitates access to the site, so it is unnecessary to memorize the string of numbers to access links on the Internet.
 Redacción (September 12, 2016) “Adquiere la PGR equipo para espiar”, Reforma. Available at: http://www.reforma.com/aplicacioneslibre/preacceso/articulo/default.aspx?id=937450; Perlroth, Nicole (September 2, 2016), “How Spy Tech Firms Let Governments See Everything on a Smartphone“, The New York Times. Available at: https://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html?_r=0 ; R3D (11 de febrero de 2017) “Destapa la Vigilancia: promotores del impuesto al refresco, espiados con malware gubernamental”. Available at: https://r3d.mx/2017/02/11/destapa-la-vigilancia-promotores-del-impuesto-al-refresco-espiados-con-malware-gubernamental/