Edward Snowden’s revelations have given rise to criticism of the governments of many countries, including Mexico. Credit: The Guardian/Glenn Greenwald and Laura Poitras

By Emilio Godoy
MEXICO CITY, Sep 13 2013 (IPS)

Non-governmental organisations are urging the United Nations Human Rights Council to demand explanations from the Mexican state for the weak protection it provided its citizens from large-scale spying by the United States.

On Oct. 23, the U.N. Human Rights Council will review Mexico’s human rights record at its Universal Periodic Review, during its 17th session, to be held Oct. 21-Nov. 1 in Geneva.

The other countries to be reviewed in the session are Belize, Central African Republic, Chad, China, Congo, Jordan, Malaysia, Malta, Mauritius, Monaco, Nigeria, Saudi Arabia and Senegal.

“The issue is on the radar now more than ever due to Edward Snowden’s revelations and the recent developments,” said Carly Nyst, head of international advocacy at Privacy International (PI), a UK-based registered charity that defends and promotes the right to privacy across the world.

She was referring to Snowden, the low-level employee of Booz Allen Hamilton who blew the whistle on the U.S. National Security Agency’s (NSA) global electronic surveillance.

“The U.N. is slowly acknowledging the implications of the surveillance,” she told IPS. “Mexican civil society has the best opportunity to ask the Council to hold its government accountable.”

In March, PI presented the report “The Right to Privacy in Mexico”, warning of the risks of government meddling in this country’s electronic communications.

“Despite Mexico’s efforts to strengthen and embed protection of personal data both in its constitutional and legislative framework, there are concerns over certain surveillance practices and laws that have come into force since Mexico’s last UPR,” the report says.

“However, there is in general a lack of information and transparency surrounding the purchase and use of surveillance software by the Mexican government,” it adds.

The British newspaper the Guardian reported in June that the NSA was collecting the telephone records of millions of customers of the Verizon phone company, both within the United States and between the U.S. and other countries.

The source of that information was Snowden, who is wanted by Washington on charges of espionage and has been granted temporary asylum in Russia.

Since then, a river of ink has flowed on the U.S. surveillance of private communications around the world, including Mexico.

Mexico has also acquired software to monitor telephone calls, email, chats, social media activity and browsing history.

“The [U.N. Human Rights] Council could hold it accountable for failing to react,” said Cédric Laurant, one of the four founders of the Mexican NGO Son Tus Datos (It’s Your Information), which has been advocating protection of privacy since 2012.

“It would be good if it did so. It would be good if pressure were put on the Mexican government,” he told IPS.

In its report to the Human Rights Council, Mexico makes no mention of protecting privacy or personal information.

The Federal Law on the Protection of Personal Data, which went into effect in 2010, guarantees privacy and regulates the collection, use and disclosure of personal data, applying to both private and public entities.

But the law’s guarantees were undermined when a Law on Geolocalisation entered into force in 2012. This legislation allows the government to gather, without notification and in real time, geographic data from cell-phone users.

In its March report “You Only Click Twice: FinFisher’s Global Proliferation”, the
Citizen Lab – an interdisciplinary laboratory at the University of Toronto, Canada – identified command and control servers for intrusive surveillance technology called FinFisher, sold by Gamma International UK Ltd, in a number of countries, including two in the networks of private Mexican phone companies.

After the report was released, two Mexican organisations, Propuesta Cívica and ContingenteMX, asked the Federal Institute of Access to Information (IFAI) in June to investigate the use of the FinFisher spyware.

U.S. journalist Glenn Greenwald reported on Sept. 1 that the NSA monitored the communications networks of Brazilian President Dilma Rousseff and Mexican President Enrique Peña Nieto, including telephone, Internet and social network exchanges, during their election campaigns.

Only then did the Mexican government react sharply, calling on the U.S. administration of Barack Obama to conduct a thorough investigation, although in a less strongly worded statement than the one issued by the Brazilian government.

“I’m not sadly surprised, because governments have one perspective when it’s about the citizens and another about the politicians,” Nyst said.

“It’s important Mexican society takes this opportunity and targets the government so that it doesn’t create more insecurity. We’re not going to get rid of surveillance, but we can ask for more transparency and accountability,” she added.

PI, which also drew up reports on Senegal and China, is preparing a legal offensive against Gamma International for exporting FinFisher.

It is working with Mexican civil society organisations to get the IFAI to take in-depth action on intrusive surveillance by the government and private parties.

The issue will also be raised at the 35th International Conference of Data Protection and Privacy Commissioners, to take place Sept. 23-26 in Warsaw with the participation of civil society.

PI warns that “without adequate safeguards, such legislation, which endows government authorities with broad surveillance powers, compromises Mexican citizens’ right to privacy, and is in any event an inappropriate and disproportionate response to the intended purpose.”

It also recommends ensuring “that the use of surveillance software is strictly regulated and monitored by the Department of Defence and overseen by judicial and other independent authorities.”

In addition it calls for ensuring “that appropriate mechanisms and reviews are put in place to guarantee that use of surveillance software is and remains necessary, legitimate and proportionate…[and demonstrating] transparency with respect to the purchase and use of surveillance software by government authorities.”

Civil society “can demand to be allowed active participation in legislative processes, and ways for different sectors to be represented. They can send letters to the Mexican state, the presidency, Congress, as people do in the United States,” Laurant said.

What was Mostapha Maanna of Hacking Team, an Italian surveillance company, doing on his three trips to Saudi Arabia in the last year? A new data trove from WikiLeaks reveals travel details for salesmen like Maanna who hawk electronic technology to track communications by individuals without their knowledge.

Wikileaks suspects that Hacking Team technology is used to snoop on activists and dissidents.

Julian Assange, the editor in chief of WikiLeaks, says that the information came from a special counter-intelligence unit that his organisation created “to protect WikiLeaks’ assets, staff and sources from hostile intelligence operations and to reveal the nature of intelligence threats against journalists and sources more broadly.”

According to research conducted by the Kaspersky Lab, an anti-virus company, Hacking Team sells technology that can be used to create emails to target suspects by inviting them to click on a link or attachment that then installs a spy tool called Remote Control System (RCS) on the target’s computer.

RCS (also known as DaVinci) can then copy the Web browsing history of its targets, turn on their computer microphone and webcam to eavesdrop on them, as well record their conversations on computer applications like Skype.

Wikileaks documented the travels of two Hacking Team salesmen to countries with a poor record of human rights.

The first was Maanna, whose LinkedIn profile confirms that he works for Hacking Team in Milan. He came to work for the company in January 2011 after completing high school in Tyre, Lebanon, and an undergraduate and graduate degree in telecommunications engineering from Politecnico di Torino in
Turin, Italy.

In addition to three trips to Saudi Arabia, Maanna’s travel profile places him in Egypt three times in 2013. He also made two trips each to Malaysia and Morocco in the last three years, among other countries, including United Arab Emirates (UAE) and Turkey, according to the documents released by WikiLeaks.

The second individual is Marco Bettini, a sales manager for almost 10 years at HackingTeam whose LinkedIn profile says he studied at the Instituto Radiotecnico Beltrami. Bettini is also identified as traveling to Morocco and UAE in February 2013.

Three of these countries – Morocco, Turkey and the UAE – are nations in which Hacking Team has come under fire from groups like Privacy International and Reporters Without Borders for the alleged use of its software.

For example, Mamfakinch, a Moroccan citizen journalist group that was created during the 2011 Arab Spring, believes that it was targeted with a “backdoor” attack by software that is identical to Hacking Team’s RCS system, according to an analysis by Dr. Web, an anti-virus company.

Slate Magazine described how the Mamfakinch’s computers were infected by spy software after members opened an email titled “Dénonciation” (denunciation) that contained a link to what appeared to be a Microsoft Word document labeled “scandale (2).doc” alongside a single line of text in French, which translates as: “Please do not mention my name or anything else, I don’t want any problems.”

Wired magazine recently published details of an attack on a U.S. activist who was sent an email about Turkey that appeared to come from a trusted colleague at Harvard that “referenced a subject that was a hot-button issue for the recipient, including a link to a website where she could obtain more information about it.” Although she did not click on the email, Arsenal Consulting, a digital forensics company, analysed the link and discovered that it, too, contained RCS attack software.

And Citizen Lab, a computer security research group in Canada, identified emails sent to Ahmed Mansoor, a UAE human rights activist, which were also allegedly designed with Hacking Team software. Mansoor was a member of a group of activists who were imprisoned from April to November 2011 on charges of insulting an Emirati royal family. He told Bloomberg that he was identified and then beaten after he clicked on an email that contained a Microsoft attachment that infected him with the spy software.

Company response

A spokesperson for Hacking Team says the company strictly follows applicable export laws and other regulations and only sells its products to governments or government agencies.

“The point that is generally missed in discussions like this is that the world is a dangerous place, with plenty of criminals and terrorists using modern Internet and mobil technologies to do their business, and that threatens us all,” Eric Rabe, the general counsel of Hacking Team, told Corpwatch via email.

“We firmly believe that the technology we make available to government and law enforcement makes it harder for those criminals and terrorists to operate.”

Rabe says that Hacking Team understands the potential for abuse of its products, so it reviews customers before a sale to determine whether or not there is “objective evidence or credible concerns that Hacking Team technology provided to the customer will be used to facilitate human rights violations.”

He noted that his company’s products have an auditing feature that cannot be turned off so that government agencies can check how and when surveillance occurs.

“Of course, HT cannot monitor the use of our software directly since clients must have the ability to conduct confidential investigations,” Rabe added. “Should we suspect that abuse has occurred, we investigate. If we find our contracts have been violated or other abuse has occurred, we have the option to suspend support for the software. Without support, the software is quickly rendered ineffective.”

Rabe says that Hacking Team did investigate “the Morocco and UAE assertions” but he was not able to comment since the company “does not share the results of such investigations nor do we publish whatever actions we may subsequently take.”

But activists still say that they are very concerned about details in the travel logs released by Wikileaks.

“The evidence and timeline does give credence to the idea that the discovery of Hacking Team software in Morocco and UAE corroborates with their sales team visit to those countries,” Kenneth Page, a policy officer at Privacy International, told Corpwatch.

“This is clearly not an ad-hoc process within a small industry, but a calculated and considered business deal in a global trade with profits made off the suffering of individuals,” says Page. “As the Wikileaks release today has shown, the business procedure behind the sale of surveillance technology is as well laid out as any other international trade – including proposals and presentations, site and country visits, contracts, and costing packages.”

Page said that the companies that develop and sell surveillance technology to such regimes should not be allowed to abdicate responsibility for freely selling this technology to just any government regardless of their human rights record.

“Companies know full well how their products work and, after tailoring to their specific clients’ need, know how they will be used,” added Page.

*A longer version of this story originally appeared on Corpwatch.org.