Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israeli-based NSO Group’s sophisticated Pegasus spyware technology.  

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS’s, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: