Mexico City - Griselda Triana, the widow of slain Mexican journalist Javier Valdez, was targeted by government-owned spyware less than two weeks after the prominent reporter was killed, according to Citizen Lab, a Toronto-based internet watchdog group.
The group said on Wednesday that Triana was sent bait messages 10 days after her husband, who covered drug trafficking, was killed in May 2017 on the streets of Culiacan, Sinaloa's capital.
Valdez's laptop and mobile phone were removed from the crime scene and are still missing from the investigations, according to official reports.
Triana's case comes after previous investigations by Citizen Lab revealed that journalists covering corruption, human rights lawyers leading high-profile cases involving the government, anti-corruption activists, opposition politicians and others have been targeted in recent years with carefully tailored bait SMS messages containing links to install Pegasus - the spyware - on their phones without any legal grounds for these actions.
"I felt desecrated," Triana told Al Jazeera.
"I would have done anything to help the authorities find whoever murdered my husband, so why would they do this without my consent?" she added.
|Protesters call for justice after attacks on journalists in Mexico [Sashenka Gutierrez/EPA]|
Triana told Al Jazeera she didn't know the messages were baits until she read in November how Valdez's colleagues had been targeted with Pegasus a couple of days after his death, and prompted her to reach out to NGOs to figure out whether she had been a target.
"I can't think of any legitimate reason as to why Griselda was targeted, especially since she fully cooperated with the authorities," said Luis Fernando Garcia, a lawyer who is head of the digital rights organisation R3D.
"When a journalist is killed in Mexico, it's not unusual authorities try blaming the victims instead of trying to solve the case," he told Al Jazeera.
Garcia is part of an international team of lawyers representing the Pegasus victims who filed an ongoing lawsuit in Israel against NSO Group in 2018. NSO Group is an Israeli company that develops and sells Pegasus.
"NSO licenses technology to governments and law enforcement agencies for the sole purpose of fighting terrorism and crime to save lives," an NSO spokesperson told Al Jazeera in an emailed statement.
"While we cannot discuss whether a particular government or agency has licensed our technology for these purposes, anything that falls outside of preventing or investigating crime and terror is considered a misuse and will be investigated. The company takes misuse seriously and has the right to shut down the system if necessary," the statement continues.
Since Pegasus is allegedly only sold to governments, and there are official records of the Mexican government purchasing Pegasus in 2014, as well as extensive publicly available research and media coverage pointing to 24 cases of misuse in the country since 2017, Al Jazeera specifically asked NSO what measures it took to prevent the Mexican government from misusing the software - or cutting its access - and also asked whether there were any inaccuracies in the reported research.
NSO declined to comment arguing it had no knowledge of the new case of alleged misuse.
A cover-up effort?
"It's clear that the previous administration had no interest in solving the case and actually everything points to an active effort to cover up the perpetrators' tracks," said Leopoldo Maldonado, a lawyer working with the victims and in charge of the legal programme of Mexico's Article 19, a UK-based press freedom group.
Documents show Mexico's federal prosecution agency (known as PGR under the former government of Enrique Pena Nieto), purchased at least 500 Pegasus software licenses in 2014 and paid for upgrades in 2016 and 2017, spending at least over $40m in the software. But when the federal transparency agency (INAI) required it to reveal the documents in October 2018, PGR declared they did buy the software but never used it.
"It doesn't make any sense they would spend that exorbitant amount of money on the software and then never use it," said Garcia. "It just doesn't make any sense."
The software can be used with a court order, but no government agency has produced a court order to back up the investigations.
PGR was one of three government agencies accused of using Pegasus illegally and was the same agency in charge of investigating the case. Last month, PGR reported to INAI it had uninstalled the software from its computers, ruling out the possibility of finding evidence of its use.
"The problem is not only that the government used the software wrongfully, but also that it tried to cover it up," Maldonado told Al Jazeera.
According to Garcia, it still might be possible to find evidence of its use through witnesses, including the people that were trained to use the software, and with NSO cooperation.
The current government, which took office in December 2018, has told Article 19 and R3D that it will fully investigate the cases of alleged misuse.
In a statement to Al Jazeera, the prosecutor's office (known as FGR under the current government) said it is "attentive" to Triana's complaint.
It added that because "investigation are ongoing, it is legally not possible reveal details about the acts that have been carried out and that continue to be carried out."
A spy in your pocket
Once a mobile phone is infected with the software, it enables the operators to gain full control of the device, allowing unrestricted access to its camera, microphone, photos, videos, files, encrypted messages, emails, calendar, and even managing the phone's settings and planting files on it.
"A phone infected with Pegasus becomes a spy in the victim's pocket," said John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto's Munk School who identified the links in Triana's and the other targets in Mexico as links to install Pegasus. "Everything is available to the spyware operator," he told Al Jazeera.
Although the 25 the victims in Mexico were allegedly targeted using a malicious SMS message containing a link to install the software, the PGR acquisition documents reveal that is only one of the multiple ways available for installing the software; it is also possible to install it by pushing into the phone using an invisible message without the user's knowledge or interaction.
Scott-Railton added that even though investigations so far reveal that only 500 licences were purchased, that number only translates into a number of concurrent targets, meaning there may be more than 500 victims.
Triana told Al Jazeera that while she didn't remember clicking on the malicious links she received, she passed on her phone to a "loved one" that might have clicked on the links and activated the software.
"Griselda's case is disturbing," said Scott Railton. "She is one of many who demanded justice for the victims of cartel-linked killings, but got infection attempts with Pegasus instead."
Maldonado added Article 19 is aware of at least four other Pegasus targets that haven't gone public yet, but that also involve people like journalists, activists and politicians. "We think there must be many more. This is just the tip of the iceberg," he said.