Some 15,000 Mexican cellphones appeared on the leaked surveillance list, including those of at least 50 people close to the president.
A rights group on Thursday called on the Mexican government to suspend all use of surveillance spyware until robust and transparent regulations are put in place that respect human rights.
Of the more than 50,000 phone numbers that a collaboration of 17 media organisations and a rights organisation found were selected for surveillance by clients of the Israeli tech firm NSO Group, 15,000 were in Mexico.
Politicians from across the political spectrum, journalists, human rights activists, judges and doctors were allegedly targeted for spying between 2016 and 2017, according to the investigation. In Mexico, 27 journalists and activists were possibly targeted.
And at least 50 people linked to the leftist President Andres Manuel Lopez Obrador, back when he was a candidate for president – including his wife, children, drivers and even his cardiologist – were on the list.
“We are calling on governments to suspend the purchase and use of instruments of surveillance until adequate regulations that respect human rights are put in place,” Edith Olivares Ferreto, executive director of Amnesty International Mexico, said during a virtual news conference on Thursday.
“We hope that the revelation of the magnitude of illegitimate surveillance and impunity that operates in the NSO Group and its clients will lead to a revision of the accounts and to the regulation of an opaque sector,” she said.
Amnesty International, a United Kingdom-based rights group, provided technical assistance to the “Project Pegasus” investigation. Researchers say their analysis found that “mass and selective surveillance” has been taking place in Mexico that unjustly targeted activists and journalists.
The group launched a petition on Wednesday entitled Pegasus in Mexico: No to Surveillance.
“Mass surveillance like this violates the rights to freedom of privacy and expression, to personal security, to the presumption of innocence, and the State has the obligation to protect people,” reads the petition.
Ten countries have been named as having allegedly used the software, including Bahrain, Hungary, India, Morocco, Saudi Arabia and the United Arab Emirates (UAE). Mexico is the only Latin American country on the list.
NSO’s Pegasus spyware can infiltrate a mobile device either through a text message that the user would click or, more recently, through “zero-click attacks” that compromise phones without any action by the user. Once a device is compromised, messages, chats, phone calls, contacts and emails can be monitored.
Amnesty says the results of its research in Mexico call into question NSO’s claim that its product is only used by states to tackle serious crime and terrorism.
“Despite the fact that the NSO Group has repeatedly said that they only sell their software to states and solely for the purpose of combatting terrorism and crime, the targets of surveillance have been human rights defenders, activists, people in the opposition and journalists,” Olivares Ferreto told Al Jazeera.
“Mexico did not use this software to combat terrorism or organised crime, but to spy on people for political purposes,” she said.
Mexico has been widely reported as being NSO Group’s first client, and the administration of Lopez Obrador said previous Mexican governments have purchased and used Pegasus spyware.
Mexico’s Public Safety Secretary Rosa Icela Rodriguez said on Wednesday that the country’s two previous administrations had signed at least 31 contracts with NSO Group and spent $61m to purchase Pegasus hardware, software and equipment. She said the contracts date back to the administrations of Felipe Calderon, who was president from 2006-2012, and Enrique Pena Nieto, who governed from 2012-2018.
She said many of the contracts were signed with front companies, allegedly to facilitate kickbacks.
Speaking during Lopez Obrador’s daily news conference, she vowed to “find those responsible for this illegal practice who violated rights”.
Lopez Obrador said he would make the contracts with NSO Group public.
Cybersecurity experts in Mexico say there is currently little to no regulation or legislation in the country to oversee the use of privately purchased spyware, and virtually anyone is at risk.
“Mexico has not had clear policies in relation to protections of data or technology,” said Victor Ruiz, a cybersecurity expert and owner of SILIKN, a technology startup.
“This has allowed the proliferation and the growth of this monitoring and spying and there has not been any punishment or clear legislation or regulation that could in some way hold those responsible – even less so when the government is the one doing it,” Ruiz told Al Jazeera.
Lopez Obrador took office in 2018 promising to tackle governmental corruption and mismanagement.
Since becoming president, he has slashed his own salary, eschewed living in the presidential palace and travelled on commercial flights instead of on the lavish presidential jet. But observers say he has done little to address the deeply-rooted systems that enable corruption and abuse to run rampant.
On July 20, he called the alleged spying on his entourage “shameful” and denied that his own government has engaged in similar practices.
But now, the revelation of his predecessor’s alleged abuses is likely to prove useful for Lopez Obrador, analysts say.
“This is something that could potentially be good because it does lend validity to the accusations that Enrique Pena Nieto and the old guard of the political establishment are corrupt,” said Gladys McCormick, history professor at Syracuse University and an expert on security.
“It serves a political purpose as far as Lopez Obrador is concerned because it gives evidence to that narrative that the long-standing political establishment is anything but democratic because they are very much willing to do this type of illegal surveillance of not just political leaders, but members of the press and human rights activists,” McCormick told Al Jazeera.
Amnesty International’s Security Lab says it conducted forensic examinations on 67 phones from around the world and found traces of attack or infection by Pegasus in at least 37 devices.
Etienne Maynier, a tech security researcher with Amnesty, who contributed to the analysis, said smartphones are particularly vulnerable to spying, and anyone is at risk.
“Technically it’s very hard to protect yourself against this software,” Maynier said during Thursday’s news conference. “We won’t solve this issue only with technical solutions, because the technology doesn’t happen in a vacuum, it happens in a context, and this context is political.”