MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists.
The targets include lawyers looking into the mass disappearance of 43 students, a highly respected academic who helped write anti-corruption legislation, two of Mexico’s most influential journalists and an American representing victims of sexual abuse by the police. The spying even swept up family members, including a teenage boy.
Since 2011, at least three Mexican federal agencies have purchased about $80 million worth of spyware created by an Israeli cyberarms manufacturer. The software, known as Pegasus, infiltrates smartphones to monitor every detail of a person’s cellular life — calls, texts, email, contacts and calendars. It can even use the microphone and camera on phones for surveillance, turning a target’s smartphone into a personal bug.
The company that makes the software, the NSO Group, says it sells the tool exclusively to governments, with an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans.
But according to dozens of messages examined by The New York Times and independent forensic analysts, the software has been used against some of the government’s most outspoken critics and their families, in what many view as an unprecedented effort to thwart the fight against the corruption infecting every limb of Mexican society.
“We are the new enemies of the state,” said Juan E. Pardinas, the general director of the Mexican Institute for Competitiveness, who has pushed anti-corruption legislation. His iPhone, along with his wife’s, was targeted by the software, according to an independent analysis. “Ours is a society where democracy has been eroded,” he said.
The deployment of sophisticated cyberweaponry against citizens is a snapshot of the struggle for Mexico itself, raising profound legal and ethical questions for a government already facing severe criticism for its human rights record. Under Mexican law, only a federal judge can authorize the surveillance of private communications, and only when officials can demonstrate a sound basis for the request.
It is highly unlikely that the government received judicial approval to hack the phones, according to several former Mexican intelligence officials. Instead, they said, illegal surveillance is standard practice.
“Mexican security agencies wouldn’t ask for a court order, because they know they wouldn’t get one,” said Eduardo Guerrero, a former analyst at the Center for Investigation and National Security, Mexico’s intelligence agency and one of the government agencies that use the Pegasus spyware. “I mean, how could a judge authorize surveillance of someone dedicated to the protection of human rights?”
“There, of course, is no basis for that intervention, but that is besides the point,” he added. “No one in Mexico ever asks for permission to do so.”
The hacking attempts were highly personalized, striking critics with messages designed to inspire fear — and get them to click on a link that would provide unfettered access to their cellphones.
Carmen Aristegui, one of Mexico’s most famous journalists, was targeted by a spyware operator posing as the United States Embassy in Mexico, instructing her to click on a link to resolve an issue with her visa. The wife of Mr. Pardinas, the anti-corruption activist, was targeted with a message claiming to offer proof that he was having an extramarital affair.
For others, imminent danger was the entry point, like a message warning that a truck filled with armed men was parked outside Mr. Pardinas’s home.
“I think that any company that sells a product like this to a government would be horrified by the targets, of course, which don’t seem to fall into the traditional role of criminality,” said John Scott-Railton, a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto, which examined the hacking attempts.
The Mexican government acknowledges gathering intelligence against legitimate suspects in accordance with the law. “As in any democratic government, to combat crime and threats against national security the Mexican government carries out intelligence operations,” it said in a statement.
But the government “categorically denies that any of its members engages in surveillance or communications operations against defenders of human rights, journalists, anti-corruption activists or any other person without prior judicial authorization.”
The Mexican government’s deployment of spyware has come under suspicion before, including hacking attempts on political opponents and activists fighting corporate interests in Mexico.
Still, there is no ironclad proof that the Mexican government is responsible. The Pegasus software does not leave behind the hacker’s individual fingerprints. Even the software maker, the NSO Group, says it cannot determine who, exactly, is behind specific hacking attempts.
But cyberexperts can verify when the software has been used on a target’s phone, leaving them with few doubts that the Mexican government, or some rogue actor within it, was involved.
“This is pretty much as good as it gets,” said Bill Marczak, another senior researcher at Citizen Lab, who confirmed the presence of NSO code on several phones belonging to Mexican journalists and activists.
Moreover, it is extremely unlikely that cybercriminals somehow got their hands on the software, the NSO Group says, because the technology can be used only by the government agency where it is installed.
The company is part of a growing number of digital spying businesses that operate in a loosely regulated space. The market has picked up in recent years, particularly as companies like Apple and Facebook start encrypting their customers’ communications, making it harder for government agencies to conduct surveillance.
Increasingly, governments have found that the only way to monitor mobile phones is by using private businesses like the NSO Group that exploit little-known vulnerabilities in smartphone software. The company has, at times, operated its businesses under different names. One of them, OSY Technologies, paid Michael T. Flynn, President Trump’s former national security adviser, more than $40,000 to be an advisory board member from May 2016 until January, according to his public financial disclosures.
Before selling to governments, the NSO Group says, it vets their human rights records. But once the company licenses the software and installs its hardware inside intelligence and law enforcement agencies, the company says, it has no way of knowing how its spy tools are used — or whom they are used against.
The company simply bills governments based on the total number of surveillance targets. To spy on 10 iPhone users, for example, the company charges $650,000 on top of a flat $500,000 installation fee, according to NSO marketing proposals reviewed by The New York Times.
Even when the NSO Group learns that its software has been abused, there is only so much it can do, the company says, arguing that it cannot simply march into intelligence agencies, remove its hardware and take back its spyware.
“When you’re selling AK-47s, you can’t control how they’ll be used once they leave the loading docks,” said Kevin Mahaffey, chief technology officer at Lookout, a mobile security company.
Rather, the NSO Group relies on its customers to cooperate in a review, then turns over the findings to the appropriate governmental authority — in effect, leaving governments to police themselves.
Typically, the company’s only recourse is to slowly cut off a government’s access to the spy tools over the course of months, or even years, by ceasing to provide new software patches, features and updates. But in the case of Mexico, the NSO Group has not condemned or even acknowledged any abuse, despite repeated evidence that its spy tools have been deployed against ordinary citizens and their families.
Journalists, human rights defenders and anti-corruption campaigners have long faced enormous risks in Mexico. For decades, they have been followed, harassed, threatened and even killed for their work, occupational hazards more common in authoritarian states than in countries in good standing with the Organization for Economic Cooperation and Development, as Mexico is.
But when President Enrique Peña Nieto came into office in 2012, promising to lift Mexico to its rightful place on the world stage, there was an inkling of hope that the nation’s democracy was coming into its own.
His party passed a list of badly needed changes, taking aim at the failing education system and moving to enhance the transparency of Mexico’s bureaucracy. Competition in some core industries, like telecommunications, has increased.
But by 2014, much of the early promise of the Peña Nieto administration was dashed by the crises subsuming it, including the mysterious disappearance of 43 teaching students after a clash with the police, and accusations that the president and his wife got a special deal on a multimillion-dollar home from a government contractor.
The scandals have left an enduring mark on the president’s reputation. After a stunning rise built on a perfectly crafted image — a young, energetic president working across party lines, the embodiment of a new Mexico — Mr. Peña Nieto was suddenly recast as an out-of-touch, corrupt politician with abysmal approval ratings.
In no small part, that fall was thanks to the Mexican journalists who broke news of the scandals, as well as the lawyers and activists who refused to let the country…