Letter to Mexican government on the reported hacking of civil society

On 28 June 2017, Privacy International and R3D sent a letter and briefing to the Mexican government following reports indicating that Mexican authorities had used NSO Group’s Pegasus spyware to target journalists and human rights defenders working to expose government corruption and human rights abuses. NSO Group is a surveillance technology company that sells products and services, including malware, exclusively to government clients. These attacks were designed to compromise the mobile phones of targeted individuals, permitting the attackers to surreptitiously turn on cameras and microphones, record calls, read messages, and track movements. In these documents, Privacy International addresses how Mexican government hacking, including the use of NSO Group spyware, raises grave human rights concerns and calls into question whether Mexico is meeting its obligations under international human rights law.

The letter is below, with the full briefing accessible here: https://privacyinternational.org/node/1470

Dear President Peña Nieto,

Privacy International is a United Kingdom-based non-governmental organization, which is dedicated to protecting the right to privacy around the world. Privacy International is committed to ensuring that government surveillance complies with the rule of law and the international human rights framework. As part of this commitment, Privacy International researches and investigates government surveillance to raise public awareness about technologies and laws that place privacy at risk.

The Red en Defensa de los Derechos Digitales (R3D) is a Mexican organization dedicated to the defence of human rights in the digital environment. R3D use various legal and communication tools for policy research, strategic litigation, advocacy and campaigns with the aim of promoting digital rights in Mexico, and with particular attention to freedom of expression, privacy, access to knowledge and free culture.

On 19 June 2017, Citizen Lab at the University of Toronto’s Munk School of Global Affairs, together with R3D, SocialTIC and Article 19 Mexico, published the results of an investigation, which indicated that Mexican authorities had used NSO Group’s Pegasus spyware to target journalists and human rights defenders working to expose government corruption and human rights abuses. NSO Group is a surveillance technology company that sells products and services, including malware, exclusively to government clients. These attacks were designed to compromise the mobile phones of targeted individuals, permitting the attackers to surreptitiously turn on cameras and microphones, record calls, read messages, and track movements.

This investigation expands upon a Citizen Lab report in February 2017, which suggested that Mexican authorities had used NSO Group’s Pegasus spyware to similarly target individuals involved in a high-profile “soda tax” campaign in Mexico.

Following the publication of the 19 June 2017 report, victims of the spyware campaign have called for an independent inquiry by an international team of experts. In addition, nine of the victims have filed a criminal complaint with the office of the Attorney General of Mexico. On 22 June 2017, you acknowledged that the Mexican government had purchased the NSO Group’s Pegasus spyware but denied involvement in the attacks against journalists and human rights defenders.

As explained in the attached briefing, Mexican government hacking, including the use of NSO Group spyware, raises grave human rights concerns and calls into question whether Mexico is meeting its obligations under international human rights law. We therefore urge Mexican authorities to immediately cease all hacking activities. We further support the calls by the victims for an independent inquiry and call on the Attorney General’s Office to conduct a prompt, thorough and independent investigation of the criminal complaint.

In addition, Privacy International and R3D make the following further recommendations.

To the President of the United Mexican States to:

• Make public what hacking activities Mexican authorities have undertaken to date and by which authorities, including avowing the reported use of NSO Group spyware against journalists, human rights defenders and activists;

• Clarify the Mexican government’s understanding of the legal basis for its hacking activities and what rules and safeguards, if any, regulate its hacking activities;

• Confirm what types of hacking tools, including malware, are employed by Mexican authorities and how the acquisition and use of these technologies is regulated and monitored.

To the Attorney General’s Office, the General Congress of the United Mexican States, the National Human Rights Commission, the Mechanism to Protect Human Rights Defenders and Journalists, and the National Institute for Transparency, Access to Information and Personal Data Protection to:

• Conduct prompt, thorough and independent investigations into:

•The nature and scope of government hacking activities, including whether such activities are compliant with international and domestic law;

•The reported use of NSO Group spyware against journalists, human rights defenders and activists, with a view to bringing to justice the perpetrators and providing redress to the victims of these abuses;

• The types of hacking tools, including malware, employed by Mexican authorities and whether their acquisition and use are compliant with international and domestic law.

• Make publicly available any findings related to the above investigations.

To all Mexican authorities that are conducting or have conducted hacking activities to:

• Notify all targets of their hacking activities to date, indicating the purported legal basis and relevant rules, if any, governing such activities;

• Destroy all material obtained through their hacking activities;

• Provide all targets of their hacking activities with an avenue for redress.

We thank you for your attention in this matter and look forward to a prompt response.

Sincerely,

Privacy International and R3D

CC: Miguel Ángel Osorio Chong, Minister of the Interior

Raúl Cervantes Andrade, Attorney General

Javier Bolaños Aguilar, President of the Chamber of Deputies

Pablo Escudero Morales, President of the Senate

Luis Raúl González Pérez, President of the National Commission of Human Rights

Francisco Javier Acuña Llamas, President Commissioner, National Institute for Transparency, Access to Information and Personal Data Protection

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.