San Diego Union-Tribune (Sunday)
SPYING IS NOW ROUTINE FOR THOSE IN POWER IN MEXICO
U.S. court case offers look at vast surveillance technology being used
government-contracted auditor was in the middle of his investigation into a political controversy over water debts in Baja California in 2020 when the series of humiliating videos went public.
The footage captured the audibre,” tor, sometimes shirtless, appearing to snort and ingest a white powder, oblivious that he was being surveilled in his personal space — possibly by someone remotely controlling the camera on his own phone or computer.
The privacy intrusion was almost certainly illegal. It was also not that surprising.
Mexico has been revealed as one of the most prolific consumers of surveillance technology over the past decade, bringing modern-day meaning what is known colloquially as “pájaros en el alama or birds on the wire.
Spying is believed to be such a widespread tactic used by government officials and others in power in Mexico that countermeasures have become routine for many people who might be targets, including politicians, community leaders, activists, journalists, lawyers and executives.
For others, the possibility of being hacked is met with grudging resignation as a cost of doing business.
“Many people feel powerless about it,” said Luis Fernando
García, director of R3D, a digital rights nonprofit in Mexico that has been investigating statesponsored surveillance for years. “You don’t know for sure (if you are being tracked) and you don’t know how to prevent it.”
The government build-up and exploitation of surveillance technology in Mexico has been largely documented through unofficial means, including independent investigations, information leaks and personal anecdotes.
This past week, many of those
widely held suspicions were further confirmed in a rare official acknowledgment in San Diego federal court.
Carlos Guerrero, a Tijuanabased broker for overseas spyware companies, admitted in a plea agreement to selling surveillance technology to Baja California and Durango state governments beginning in 2014, knowing that it would likely be abused. He also admitted to enabling other mystery clients to hack the communications of targets in Mexico and the United States for reasons that include corporate espionage.
Part of the country’s obsession with spying on its citizens is seen as a result of 70 years of one-party rule by the Institutional Revolutionary Party, or PRI.
“The party tried to have its fingers in every aspect of political life and was a mediating umpire between organized crime groups, as well,” said Adam Isaacson, director of defense oversight for WOLA, an advocacy group for human rights in the Americas, based in Washington. “PRI, which ruled from 1929 to 2000, was an octopus.”
More recently, the fight against organized crime and violence has been used as a pretext to justify the government’s accumulation of high-tech surveillance tools, including spyware that gives complete access and even remote control to a target’s cellphone or computer. How they are being used, and by whom, is another matter, according to experts.
“It’s a powerful tool to make someone do what they want,” García said. “It’s power.”
It’s unclear who recorded and leaked the compromising videos of the Baja California auditor, but the public humiliation was sending a message. The auditor was wounded in an ambush shooting in Tijuana months later. Now he is at the center of a criminal investigation.
Narrow authority
There are legitimate — if narrow — uses for spyware in Mexico. Under the Mexican constitution, only federal and state prosecutors, federal police and the nation’s main intelligence agency have legal authority to use such tools against citizens in criminal or national security investigations. And that is only with a court order that limits the scope of who is being watched, what information is being gathered and for how long.
However, government agencies big and small are acquiring stateof-the-art systems in a free-for-all marketplace with little to no oversight.
That technology includes IMSI catchers — which act as fake cellphone towers to intercept conversations in a given radius — Wi-fi intercepts and other tools that can geolocate cellphone users.
“For government, buying spyware in Mexico is as easy as buying pants,” Garcia said. “There are no rules.”
Recent glimpses into the business dealings of two major companies — Israel-based NSO Group, purveyor of the powerful Pegasus program, and Italy’s Hacking Team, which markets Remote Control System, or RCS — show Mexico as one of the top global clients for such surveillance.
Both companies, which sell their products through Mexican based intermediaries, insist they sell only to vetted clients.
But leaked emails, phone lists and court documents show several non-authorized buyers and users, as well as a who’s who of intended spying targets.
Hacking Team, which itself was hacked in 2015, sold licenses to Mexican state-owned petroleum company Pemex, Baja California’s finance and planning department and the Mexican navy — none of which are allowed to have such equipment, according to a trove of internal emails posted on Wikileaks.
According to the recent San Diego-based prosecution involving the Tijuana brokerage Elite by Carga, the firm’s owner, Guerrero, arranged for the mayor of a town in the state of Morelos to have unauthorized access to a political rival’s Twitter, Hotmail and icloud accounts.
In another case, Mexican authorities are prosecuting a businessman tied to another spyware brokerage who is accused of operating Pegasus himself to monitor a journalist.
The Pegasus leaks
Mexico also appears to have an outsized number of spy targets compared to other nations using Pegasus, according to a leak of some 50,000 phone numbers dating back to 2016 that were analyzed by Amnesty International.
Roughly 15,000 were tied back to Mexico, including union figures, journalists and activists, according to reporting by Forbidden Stories, an international reporting consortium formed to expose such abuse.
Two Mexican lawyers who questioned the prosecutors’ handling of the 2015 killings of government critic Nadia Vera, journalist Ruben Espinosa and three other women in a Mexico City apartment were hacked with Pegasus, according to an analysis by Citizen Lab, a research group based at the University of Toronto.
In 2016, a human rights advocate representing the families of 43 students slain in Guerrero state found out he was being monitored when a recording of a phone conversation with a parent was made public.
Even President Andrés Manuel López Obrador’s inner circle, including family members, were targeted before he took office in 2018.
“The government has resorted to this method of control to prevent any opposition movement from gaining strength politically,” said Benedicto Ruiz Vargas, a Tijuana political analyst who writes a weekly column for the news daily El Imparcial. “This is the intent of the government to scare, to spread fear that they’re going to get involved in an area of your private life that you want to maintain (privacy).”
At the beginning of his term, López Obrador swore against using Pegasus — or any surveillance against journalists and opponents — and put a figure on just how pervasive the country’s spying problem was under the previous two administrations: $300 million in federal government contracts.
Some of those contracts were brokered for the Mexican military by Security Tracking Devices, owned at the time by José Susumo Azano Matsura, a Mexican tycoon who was later convicted in San Diego for operating a political campaign contribution scheme.
What’s even more troubling in hindsight is who had command over some of the federal spy capabilities: cabinet members who have recently been accused by the U.S. of conspiring with drug cartels, including Genaro García Luna and Salvador Cienfuegos.
“Now everyone can talk on the phone,” promised López Obrador, “there are no more birds on the wire.”
A driver of violence
Even if López Obrador’s administration is keeping its spying in check, there is little belief among experts that its use has waned
among local and state governments, which operate with great independence and are in many ways more susceptible to corruption.
“All the regulatory pieces that enable this mess continue to be in place,” said García, criticizing the president for failing to tackle broader oversight reforms around surveillance.
And it is likely to get worse, experts said, as technology improves, access to it widens and Mexico figures out what kind of democracy it wants to be after a decade of swift political transition.
“There’s a real sense of winnertake-all, a kind of ruthlessness in competition,” University of San Diego professor David Shirk, director of the Justice in Mexico research and policy initiative, said of the current political landscape. “No one knows where things are headed. And in times of uncertainty, everybody’s looking for an edge.”
The same can be said for drug cartels, too.
Criminals are using much of the same surveillance to get ahead, often suspected of procuring it from corrupt officials who already have access to the government contracts or making their own side deals with local brokerage firms disguised as shell companies, according to law enforcement sources.
“Unfortunately, the line between authorities and organized crime is nonexistent, or blurry at best,” said García, the digital rights director.
Rather than being used to fight violence, this targeted surveillance is partly driving it, according to experts.
Journalists targeted
Among the phone numbers chosen for apparent Pegasus infiltration was that of freelance journalist Cecilio Pineda Birto, who covered corruption and drug trafficking, according to Forbidden Stories.
He was killed in 2017 outside a car wash in Guerrero.
When another journalist, Javier Valdez, co-founder of the news weekly Riodoce, was murdered in Sinaloa in 2017, his widow was targeted in an attempted spyware attack 10 days later, Citizen Lab found.
An open question in the investigation of two Tijuana journalists who were killed last month — Margarito Martínez Esquivel and Lourdes Maldonado — is whether they were being monitored by spyware.
Martinez’s phone was taken from the crime scene and has not been recovered. Three people were arrested in connection with Maldonado’s ambush shooting death, but no motive or other details have been released.
Tijuana journalists remain paranoid about their digital security, making for arduous safeguarding routines.
Joe Black, a photojournalist, says he always searches with his web browser in private mode, deletes his cookies and search history daily, changes his passwords every two weeks and avoids apps that ask to sync his contacts.
García, who’s based in Mexico City, typically communicates with others on encrypted apps such as Signal but leaves sensitive subjects for in-person conversations — with phones left in another room.
“It is intimidating,” said a human rights defender in Tijuana, who did not want to be identified for fear of her safety, of the targeted violence against journalists and other vulnerable targets. “I think it discourages people from wanting to get involved and participate.”
She, too, operates under the assumption that she is being watched.
“We do the best we can to keep ourselves safe, but at the end of the day, we do have this sense that there’s really very little we can do if someone really wants to hack us or someone really wants to hurt us. We’re completely exposed,” she said.
“We just do the best we can and remember what we’re fighting for so we can stay strong and keep going.”