Thursday, July 25, 2013

Mexico: Corruption scandal reveals use of surveillance software in Mexico


Privacy International

Following reports that the Mexican prosecution authority appears to be not only using FinFisher, but also to be involved in a corruption scandal surrounding the purchase of this intrusive surveillance technology, the Mexican Permanent Commission (composed of members of the Mexican Senate and Congress) has urged Mexico's Federal Institute for Access to Public Information and Data Protection (IFAI) to investigate the use of spyware in Mexico.

The corruption scandal, in which the surveillance technology was purchased at more than double the market rate, revealed that the Mexican government had bought FinFisher from Obses, a company which has been on the receiving end of dozens of no-bid governmental projects.

While we don't know if Obses purchased the malware from Gamma International, the British company that developed FinFisher, this is the first instance we are aware of where a reseller was involved in the sale of FinFisher. The emergence of FinFisher resellers contradicts statements made by Gamma International in the context of ongoing OECD complaint proceedings that they only sell directly to law enforcement and government. The standards of international responsible business conduct of the OECD guidelines however remain relevant even if a reseller is selling its products.

FinFisher in Mexico

The revelations followed a recent access to information request by a group of Mexican human rights activists and journalists that urged the IFAI to investigate the use of FinFisher in Mexico.

According to the group, which includes individuals as well as civic organisations such as Propuesta Civica A.C., Al Consumidor and Contingente MX, the malware has been used to spy on journalists and activists in the country and breaches Mexico's data protection law. The Federal Law for the Protection of Personal Data applies to both private and public entities, and regulates the collection, use and disclosure of personal data. The law also provides limitations on government access to data. FinFisher is particularly intrusive spyware that, once installed, gains complete control over a computer, mobile phone or other device. As a result, every keystroke can be recorded, email and chat conversations can be monitored and Skype calls can be listened in to.

FinFisher has been linked to Mexico by researchers of the Citizen Lab, a research centre based at the Munk School of Global Affairs of the University of Toronto, who found FinFisher command and control servers with two local Internet service providers, IUSACELL and UNINET. Mexican newspaper Reforma revealed that in Mexico the Procuraduría General de la Nación and several other governmental organisations are using FinFisher. Privacy International supported the access to information request via a letter to the IFAI.

Selling to resellers

In February 2013, Privacy International with the European Center for Constitutional and Human Rights, the Bahrain Center for Human Rights, Bahrain Watch and Reporters without Borders filed an OECD complaint against Gamma in relation to alleged exports of surveillance technology to Bahrain. In the statement released by the OECD National Contact Point, Gamma claims to sell its products exclusively to government agencies:

"The company notes that it only supplies the product that is the subject of the complaint to the police and security forces of sovereign states."

However, contracts obtained by Reforma suggest otherwise: FinFisher was sold to the Mexican authorities by a Mexican security company called Obses.

In the past Gamma has claimed that its products found to be used by repressive regimes were demo copies or even stolen. However, Gamma's responsibility cannot be limited by pushing its products through resellers. Gamma has a responsibility to act in accordance with the OECD guidelines. On the basis of these guidelines, Gamma should undertake human rights due diligence to assess the impact of its business activities on human rights. This assessment includes consideration of possible adverse impacts that are directly linked to its products or the services it provides.

Example for other countries

In recent years Mexican authorities have sought to improve their surveillance capabilities in an effort to combat drug-related violence. According to Latin American human rights activist Renata Avila:

"Mexico's public has been overwhelmed by drug-related violence in recent years, a problem that has left citizens fearing for their safety and generally unopposed to aggressive surveillance practices. As a result, the government has been able to launch sophisticated surveillance programs without facing significant resistance from civil society."

A turning point seems to have been reached however, now that civic organisations have called for transparency on the use of FinFisher in Mexico, suggesting it is not only being used to combat crime, but also to spy on activists and journalists. Concerned by the capabilities of FinFisher and its ramifications for the privacy of individuals, the Permanent Commission has already asked IFAI to investigate, and has proposed to request full disclosure of the contracts on the basis of which FinFisher was bought, together with detailed information on all other federal purchases of surveillance technologies. The Permanent Commission will meet this week to discuss the proposal.

This strong response is an example for the 36 other countries in which FinFisher command and control servers have been found.

Why HMRC must investigate

In particular, the Mexican response stands in stark contrast to that of HMRC – the UK authority responsible for the enforcement of export controls – which has yet to confirm whether or not it is investigating exports by Gamma International after Privacy International filed a complaint regarding potential illegal exports to Bahrain. An investigation into Gamma's exports could prevent further harm to human rights from being done, and yet we still await an answer on our complaint.

If Gamma exported FinFisher to a reseller in Mexico, this appears to have been an illegal export that should be investigated by HMRC as well. In September of last year, the Department for Business, Information and Skills informed Privacy International that it had advised Gamma International that the export of FinFisher requires a licence, and that Gamma had not obtained any such licence at the time. Gamma has indicated in the media that it has not exported FinFisher since April 2012.

Without a strong rule of law, there is nothing to prevent this type of surveillance technology from being used to target human rights activists and journalists. Constant surveillance of their online communications will not only affect their right to privacy, but also their freedom of expression and freedom of assembly. It is therefore critical that the export of this technology is carefully monitored and, where there is an indication that surveillance technology has been exported illegally, that this is investigated.