Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico

In early May, Access Now sat down to interview Luis Fernando García, Executive Director of R3D Mexico, a leading digital rights group in the country. R3D was founded relatively recently but has already helped unearth a major surveillance scandal — together with security experts at our 24/7 Digital Security Helpline and researchers at Citizen Lab — that twice made front-page news in publications worldwide. The scandal reveals the sinister and complex international trade in spyware that is being used to target rights activists and journalists. As Luis warns, “Surveillance can cost you your life or your liberty.”

Senior Global Advocacy Manager Deji Bryce Olukotun was joined by Access Now’s General Counsel, Peter Micek.

The transcript has been edited for clarity.

Deji Bryce Olukotun (DBO): What do you do at R3D Mexico?

Luis Fernando García (LFG): We’re a young organization that started just two years ago. We’re now a leading digital rights organization in Mexico that conducts research, advocacy, and litigation to defend human rights in the digital environment. We work on issues like privacy, freedom of expression, and access to knowledge.

DBO: I can’t believe R3D is only two years old — we already see you in news headlines around the world. What are some of the most pressing digital rights issues confronting Mexico today?

LFG: One of the main issues in Mexico is surveillance. Since we started, we looked at legislation that gave broad surveillance powers to different government authorities. Recently, we conducted research with Citizen Lab and Access Now into sophisticated malware used against journalists, human rights defenders, and political opponents. We’ve documented that Mexico is one of the biggest purchasers of these types of malware from different companies, such as Hacking Team in Italy and NSO Group in Israel.

In February, our work was featured on the front page of The New York Times related to a case in which we demonstrated that NSO malware was used to target civil society groups supporting a soda tax to improve public health. Mexico has major problems related to obesity and diabetes, and the soda tax was promoted as a solution. The beverage industry strongly opposed the tax, raising questions about how the malware was used to promote the interests of certain industries in a form of collusion with the government — and not for a legitimate purpose. It also raises questions about who else may have been targeted by the malware.

DBO: Can you tell us more about how the malware worked?

LFG: The NSO malware is very sophisticated. Targets received an SMS message that included a link. One message read that the target was highlighted in a negative news story, and included a link to that article. In another instance, a message said that the target’s daughter had been in an accident, and the link would reveal where she had been hospitalized. When the target clicked the link, the malware exploited vulnerabilities in the user’s iPhone that infected it with NSO Group’s malware, which is called Pegasus. Pegasus takes control of the device and allows you to record voice and video, read messages, and know the device’s location.

DBO: Has anyone been held responsible for these attacks?

LFG: No. After publication of the story, R3D joined other groups in Mexico calling for an official investigation, but so far the government hasn’t even acknowledged the attacks, which is concerning. We hope that if we keep up our efforts, there will be an opportunity for justice, especially if the government leaves power in a year during the next election. Then we could see an investigation into this case and other cases as well. If NSO Group’s malware was used against health activists, it has probably been used against other people too.

[Editor’s note: the government of Mexico responded in June 2017, after this interview was recorded, and invited alleged victims to present their complaints to the Attorney General’s office.]

Peter Micek: You mentioned that companies have provided the Mexican government with surveillance capabilities. Has there been an effort by groups in Mexico to approach these vendors and to talk to them about their products and the impacts they’ve been having?

LFG: Civil society groups can raise awareness, but our work can’t substitute for an official investigation. These companies have been caught in a lie. They say they only sell this type of surveillance malware directly to governments, but we have seen that the malware has been marketed through intermediaries. The intermediaries have ties to the government. There is this whole economy — that is prone to corruption — in which authorities will pick an intermediary vendor without a legal tender, and pay way beyond the market value of the product. There are many actors that profit from international companies like NSO, including the vendors and government employees.

DBO: What are some key takeaways for people to understand about digital rights in Mexico?

LFG: Surveillance can have real consequences. Sometimes in the global north, privacy is considered a luxury, and people claim to have “nothing to hide.” But in Mexico, there isn’t a contradiction. Your privacy is your security. They’re the same thing. People should understand that there are legal safeguards in Mexico, but they don’t work. We’ve shown that 99% of government surveillance of metadata occurs without a warrant when the law requires one. More than 90% of people surveilled during criminal investigations have not been charged with a crime. These tools have been used to abuse human rights defenders, and probably even to commit crimes against citizens. Surveillance can cost you your life or your liberty.

DBO: Is there anything people can do to help out?

LFG: You can help spread the word by visiting our homepage. You can follow us on Twitter at @R3Dmx or on Facebook, where we post in Spanish and English. We’re also grateful for your donations.