Last week's hack of an Italian cybersecurity firm known as The Hacking Team revealed that Mexico was — by leaps and bounds— the company's leading client for surveillance software that some fear could be used for domestic spying.
The leaked documents show the company's Mexican client list included the Ministry of the Interior (SEGOB), Federal Police, the army, the navy, the National Investigation and Security Agency (CISEN), The Attorney General’s Office (PGR), the state-owned oil company (PEMEX), and a gaggle of state governments: Campeche, Baja California, Tamaulipas, Puebla, Estado de México, Yucatán, Durango, Jalisco, Querétaro, and Mexico City.
The most controversial item found on Mexico's purchase order is a surveillance software known as “Remote Control System," which some Mexicans suspect the government used to spy on its own citizens or to conduct politically motivated hacks.
The Hacking Team markets the Remote Control System software as such:
“Take control of your targets and monitor them regardless of encryption and mobility. It doesn’t matter if you are after an Android phone or a Windows computer: you can monitor all the devices. Remote Control System is invisible to the user, evades antivirus and firewalls, and doesn’t affect the devices’ performance or battery life. Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted on incoming relevant data and have meaningful events automatically highlighted. Remote Control System: the hacking suite for governmental interception. Right at your fingertips.”
Minister of the Interior Miguel Angel Osorio Chong has tried to downplay the scandal by insisting all the purchases were made under the previous administration of President Felipe Calderón. But he didn't say what the software was used for, or whether it's still being used by the current administration of Enrique Peña Nieto.
Subsequent documents published from the leak revealed that Mexico’s National Investigation and Security Agency (CISEN) purchased additional software from The Hacking Team as recently as this year. The government hasn't responded to those allegations.
Mexican digital rights activist Jesus Robles Maloof claims the leak is further proof that the government has been “systematically lying” for years about the purchase and use of surveillance software.
“In 2013 congress requested a full report on this technology — FinFisher and other similar software — and SEGOB said there was none,” Maloof told Fusion. He said the Ministry of the Interior “lied again” by declaring The Hacking Team software had been acquired by the previous administration and was never put to use.
“Paying for a license evidences use,” Maloof argues. “We need to know how frequently it was used to get an idea on who the government was targeting.”
Maloof acknowledges that hacking software like FinFisher has helped the government's drug-war efforts, aiding the capture of Zetas cartel boss Miguel Angel "Z-40" Treviño. But the activist says there needs to be greater transparency and accountability to safeguard Mexican citizens against domestic spying. The government obviously wants to keep these kinds of tools hush-hush so as not to alert law enforcement’s targets, but activists worry about the potential for domestic spying and the lack of debate about how and when these tools should be used.
“This software works like a shotgun; while it scans and looks for a specific target, it gathers information from others,” Maloof explained. “The government has also been clearly overpaying for the software.”
Mexico's hacker community is also critical of the software.
A purported group of hackers known as "Mexican H Team," which has claimed responsibility for various hacks on government websites, claims authorities are using the Remote Control System software to deliver malware to protest groups and potential dissidents, because cartel kingpins are aware of surveillance efforts and avoid going online.
“It’s much easier to infect common users since they are uninformed about these technologies,” Mexican H Team told Fusion via Twitter. “It wouldn’t be surprising if there’s more tools like these. The only thing we can do is have precaution; we are living in an information war.”
Members of the Anonymous hacker collective think the spy software also has the ability to infect computers and create false archives to justify unlawful entry.
Mexico’s Ministry of the Interior did not respond to Fusion’s request for comment.
Some believe the purchase of this software just represents a government effort to have the necessary tools to fight what has become an increasingly online battle against organized crime.
A 2014 Latin America cybersecurity report by the Organization of American States (OAS) shows that cybercrime is on the rise in Mexico, and authorities are ill-prepared to deal with it.
"The limited capacity of law enforcement to act in many instances undermines investigations, perpetuates a sense of impunity among organized criminal groups, and enables the latter to deploy the latest technologies and techniques to commit crimes,” the report found.
According to Federal Police, cybersecurity incidents increased 113 percent from 2012 to 2013. Preliminary data for 2014 shows an additional spike of 300 percent last year alone.
Despite the government's need to acquire new tools to fight cyber crime, some experts claim the software it purchased from The Hacking Team doesn’t get the job done.
Rodrigo Samano, director of Mexico City-based cybersecurity startup ISLA, told Fusion the Remote Control System software is “mediocre at best.”
“This is a remote spying tool of low quality … it's neither effective in most cases nor infallible,” he said.