Mexican Surveillance Abuse Continues

We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company, NSO Group. Had the links been clicked on, González’s phone would have been silently commandeered, allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (even those that are encrypted), and track his movements.

This most recent case brings to 22 the total number of individuals that we have confirmed were targeted with NSO Group spyware in Mexico. NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals. Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and/or doing their jobs as lawyers, journalists, and investigators. As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology. It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse. NSO Group’s US-based majority owner, Francisco Partners, was recently reported to be looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million. When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights. On August 15, 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group spyware in Mexico is led by Citizen Lab senior researcher John Scott-Railton. Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak. Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research. We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed-methods research to highlight digital security issues that arise out of human rights concerns, and then pursue high-level policy and legal engagement to try to mitigate the problem.

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless. Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries in which they are domiciled as companies (e.g., Israel), which can pass stricter export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and that are themselves sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here: https://citizenlab.ca/2017/08/nso-spyware-mexico-corruption/