Slain Mexican Journalist’s Colleagues Targeted With NSO Spyware

Photo Source: ContraLínea.com.mx

Javier Valdez Cárdenas was an award-winning Mexican investigative journalist known for his reporting on drug trafficking and organized crime. As with dozens of other investigative journalists in Mexico, Cárdenas’ brave reporting ended up having lethal consequences. On May 15, 2017 around noon, Cárdenas was forcibly removed from his vehicle and gunned down on the street, steps away from the offices of Río Doce, the newspaper he founded.

Our latest Citizen Lab report shows that in the days after his death, two of Cárdenas’ colleagues at Río Doce — Andrés Villarreal and Ismael Bojórquez — each received carefully crafted text messages on their iPhones containing links to highly sophisticated surveillance technology sold by Israeli-based “cyber warfare” company, NSO Group. Had they clicked on the links, the operators of the spyware would have been able to silently take over their devices and monitor everything they do, including intercepting emails, text messages (even those encrypted), turn on the camera, and silently record audio.

NSO Group claims that they sell their powerful surveillance technology only to governments to be used strictly for legitimate law enforcement and national security investigations, and have a strict oversight mechanism to ensure their technology is not abused. They also claim that they have rescinded sales to clients who are caught abusing their product. (As is customary, we sent NSO Group a letter prior to publication detailing the findings of this report and offering to publish their response in full, but we have received no reply).

Instead, as this latest case and numerous past reports we and others have published show, their technology is being used repeatedly to target members of civil society, including lawyers, health scientists, human rights defenders, activists, and journalists. These two additional targets bring the total number of individuals we (and our Mexican civil society partners R3D, Article19, and Social Tic) have been able to identify who were targeted with NSO Group spyware in Mexico to 24. None of them are either criminals or terrorists by any reasonable, rights-respecting legal standard.

Of particular concern with this latest report is yet more evidence of the abuse of NSO Group spyware to specifically target journalists and those associated with journalists. The targeting of Cárdenas’ colleagues mere days after his assassination suggests the operators were interested in what the journalists knew about who was responsible. Our prior reporting has shown several other Mexican journalists investigating murders or corruption were targeted with NSO Group spyware in much the same way. In one case, the minor child of Mexican journalist Carmen Aristegui was repeatedly sent text messages laden with NSO Group spyware links in an attempt to infect his phone — while he was attending boarding school in the United States.

Beyond Mexico, there is now growing evidence that NSO Group’s spyware was also potentially implicated in the murder of exiled Saudi dissident and Washington Post journalist Jamal Khashoggi. On October 1, 2018, we published a report detailing our discovery that the iPhone of Canadian permanent resident Omar Abdulaziz was infected with NSO Group spyware. Forbes followed up our report showing that London-based Saudi dissident Ghanem Almasarir had his phone targeted by the same Saudi operator we had earlier identified as targeting Omar Abdulaziz. Notably, both Omar Abdulaziz and Ghanem Almasarir were collaborating with Jamal Khashoggi around social media activism, and were reportedly viewed by Saudi Crown Prince Mohammed bin Salman as major threats.

The reckless and abusive use of commercial spyware to target journalists, their associates, and their families adds to the numerous and growing risks that journalists worldwide now face. Media organizations and investigative journalists are valuable “soft” targets who control important information, including information on sources, that threaten powerful actors. Thanks to companies like NSO Group, unscrupulous dictators and autocrats now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.

What is to be done? Unfortunately, liberal democratic governments who ostensibly support human rights and could take concerted action against the proliferation of commercial spyware seem unwilling to address the problem squarely. For example, in spite of the Citizen Lab’s discovery of apparent espionage by Saudi Arabia against a Canadian permanent resident using Israeli-made spyware — seemingly a significant violation of Canada’s sovereignty — the Trudeau government has only barely acknowledged our report possibly out of concern to not offend either Israel or Saudi Arabia (with whom Canada has weapons deals). Meanwhile, Donald Trump’s constant maligning of the press as the “enemy of the people,” and his decision to throw Khashoggi under the bus in favour of naked realpolitik calculations, shows clearly where the United States stands.

What about Israel, the sovereign jurisdiction in which NSO Group is headquartered? Earlier this week, Haaretz published a detailed investigation showing NSO Group may have sidestepped Israeli government export controls and negotiated a sale with Saudi Arabia directly. Revelations such as these may trigger greater scrutiny by the Israeli public and official regulators to strengthen export controls that are apparently very lax, if not ineffective altogether. However, in light of the close links between the Israeli government and the surveillance industry, and the strategic benefits that undoubtedly accrue to Israeli decision makers from the export of such technologies, I wouldn’t hold my breath in hope of something happening there either.

But the lack of government action does not mean there are no avenues left for recourse. The growing number of cases of harm caused by the abuse of commercial spyware we and others have documented may provide strong grounds for civil litigation and / or criminal prosecution. Indeed, NSO Group is currently facing two separate lawsuits (one of which was brought by Mexican journalists and activists), and one of its competitors, UK-based Gamma International Ltd, is the subject of another in the United Kingdom.

Should these legal efforts succeed in bringing real costs to bear on owners, they may prove to be the most effective remedy for the abuses of the commercial spyware market.

Until such time, we are now facing a crisis rich in terrible irony: a service marketed to government clients to assist in “cyber security” is quickly becoming one of the greatest sources of widespread insecurity instead.