Map showing the NSA’s collection of intelligence from computer networks around the world. The colour scheme ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). Credit: Creative Commons

By Emilio Godoy
MEXICO CITY, Jun 1 2014 (IPS)

A lack of controls, regulation and transparency marks the monitoring and surveillance of electronic communication in Mexico, one year after the revelations of cyberespionage shook the world.

This Latin American country of 118 million people was one of the targets of the massive illegal cyberespionage practiced by the U.S. National Security Agency (NSA). But no substantial changes have been made in response, to prevent further interception.

“There is no legislation on surveillance and intervention, no good practices for companies,” Jesús Robles, with the non-governmental organisation Propuesta Cívica, told IPS. “There is a legal vacuum. They could be gathering metadata.”

Metadata is information that describes other information – data generated as people use technology, such as the date and time of a phone call, the location where someone last accessed their email, who sent or received an email, or where someone made a phone call and how long it lasted.

The British newspaper The Guardian reported on Jun. 5, 2013 that the NSA had been collecting the telephone metadata of the customers of Verizon Wireless, the biggest U.S. mobile phone provider, both within and outside the United States.

It was just the first of a series of leaks to the press about the secret operations of the agency, made by Edward Snowden, a former U.S. Central Intelligence Agency (CIA) contractor, now hiding under guard in Russia, which granted him political asylum.

The NSA used the PRISM internet surveillance programme to spy on a number of countries, including Mexico, in areas like anti-drug efforts, energy and security.

And with BLARNEY, the international version of the PRISM programme, the United States intercepted the communications of several embassies in Washington, including Mexico’s. Using another tool, Boundless Informant, it illegally intercepted phone calls and email that passed through U.S. telecoms networks.

On Sep. 1, 2013, U.S. journalist Glenn Greenwald revealed that in 2012 the NSA had spied on the email of Brazilian President Dilma Rousseff and Mexican President Enrique Peña Nieto, in the latter case during his presidential campaign.

The United States has ignored Mexico’s protests, including a diplomatic note demanding an investigation and a condemnation by Congress.

Greenwald’s online U.S. publication The Intercept reported on May 19 that a surveillance programme, Mystic, collects metadata on the nearly 100 million cell phones operating in Mexico.

“Not much has been done,” Cédric Laurant, one of the four founders of the Mexican non-governmental group Son Tus Datos (It’s Your Information), dedicated since 2012 to advocating the protection of privacy in communications, told IPS. “If the public knew more, they could pressure local and foreign businesses to exert more pressure on the government.”

Mexico also acquired computer programmes to record voices and track phone calls, emails, chat conversations, visited website addresses and social networks.

Since 2010, Mexico’s Federal Law for the Protection of Personal Information Data guarantees the right to privacy and establishes that, if an institution wants to transfer information to third parties at home or abroad, it must give the owners of the information notice and explain the purpose for which it was authorised.

But the law’s guarantees were undermined when a Law on Geolocalisation entered into force in 2012. This legislation allows the government to gather, without notification and in real time, geographic data from cell-phone users.

Furthermore, the new national penal procedures code in effect since March allows the authorities to access real-time geo-location data without a court order.

In March 2013, the interdisciplinary Citizen Lab at the University of Toronto in Canada
reported that FinFisher surveillance software command and control servers, made by the U.K.-based company Gamma Group, were hosted on two Mexican Internet service providers: Iusacell, a small provider; and UniNet, one of the largest in Mexico, a subsidiary of Teléfonos Mexicanos (Telmex).

After this was discovered, Propuesta Cívica and the digital rights collective ContingenteMX asked the Federal Institute for Access to Information and Data Protection (IFAI) to investigate the Obses company for the use of the programme.

In March IFAI approved sanctions against Obses for selling FinFisher to the government at more than double the market rate. Obses is a Mexican firm that has received dozens of no-bid governmental projects.

On May 12 a British court ruled that UK Revenue & Customs acted unlawfully in refusing to disclose information on the status of an investigation into the export of British Gamma International’s FinFisher surveillance technology, paving the way for a review of the programme’s sales abroad.

In February, Citizen Lab produced two reports on the use of spy programmes. In one of them, “Mapping Hacking Team’s ‘Untraceable’ Spyware”, it reported that agencies in 21 countries used or use the Remote Control System (RCS), sophisticated computer spyware marketed and sold exclusively to governments by the Milan-based Hacking Team, including Mexico, Colombia and Panama.

The RCS can copy files from a computer’s hard disk, record Skype calls, emails, instant messages, and passwords, and turn on a device’s webcam and microphone to spy on a target.

Citizen Lab reported that it mapped out “covert networks of ‘proxy servers’ used to launder data that RCS exfiltrates from infected computers, through third countries, to an ‘endpoint,’ which we believe represents the spyware’s government operator. This process is designed to obscure the identity of the government conducting the spying.

“For example, data destined for an endpoint in Mexico appears to be routed through four different proxies, each in a different country.”

And in another article, “Hacking Team’s U.S. Nexus”, Citizen Lab said that in at least 12 cases, U.S.-based data centres are part of a “dedicated foreign espionage infrastructure.”

Citizen Lab states that in tracing these “proxy chains,” it found that U.S.-based servers appeared to assist the governments of 10 countries, including Mexico and Colombia, in espionage and/or law enforcement operations.

Citizen Lab found 14 IP addresses, 12 of which are apparently still active.

Mexico’s legislation does not require telecommunications companies to reveal government requests about the activities of Internet users.

“The action taken has not proven to be effective; rights are violated,” Robles said.

“Awareness-raising is needed among users so that a larger number of them exercise mass pressure on companies, in order for users to take privacy into their own hands, using new tools that are available,” Laurant said.

Edward Snowden’s revelations have given rise to criticism of the governments of many countries, including Mexico. Credit: The Guardian/Glenn Greenwald and Laura Poitras

By Emilio Godoy
MEXICO CITY, Sep 13 2013 (IPS)

Non-governmental organisations are urging the United Nations Human Rights Council to demand explanations from the Mexican state for the weak protection it provided its citizens from large-scale spying by the United States.

On Oct. 23, the U.N. Human Rights Council will review Mexico’s human rights record at its Universal Periodic Review, during its 17th session, to be held Oct. 21-Nov. 1 in Geneva.

The other countries to be reviewed in the session are Belize, Central African Republic, Chad, China, Congo, Jordan, Malaysia, Malta, Mauritius, Monaco, Nigeria, Saudi Arabia and Senegal.

“The issue is on the radar now more than ever due to Edward Snowden’s revelations and the recent developments,” said Carly Nyst, head of international advocacy at Privacy International (PI), a UK-based registered charity that defends and promotes the right to privacy across the world.

She was referring to Snowden, the low-level employee of Booz Allen Hamilton who blew the whistle on the U.S. National Security Agency’s (NSA) global electronic surveillance.

“The U.N. is slowly acknowledging the implications of the surveillance,” she told IPS. “Mexican civil society has the best opportunity to ask the Council to hold its government accountable.”

In March, PI presented the report “The Right to Privacy in Mexico”, warning of the risks of government meddling in this country’s electronic communications.

“Despite Mexico’s efforts to strengthen and embed protection of personal data both in its constitutional and legislative framework, there are concerns over certain surveillance practices and laws that have come into force since Mexico’s last UPR,” the report says.

“However, there is in general a lack of information and transparency surrounding the purchase and use of surveillance software by the Mexican government,” it adds.

The British newspaper the Guardian reported in June that the NSA was collecting the telephone records of millions of customers of the Verizon phone company, both within the United States and between the U.S. and other countries.

The source of that information was Snowden, who is wanted by Washington on charges of espionage and has been granted temporary asylum in Russia.

Since then, a river of ink has flowed on the U.S. surveillance of private communications around the world, including Mexico.

Mexico has also acquired software to monitor telephone calls, email, chats, social media activity and browsing history.

“The [U.N. Human Rights] Council could hold it accountable for failing to react,” said Cédric Laurant, one of the four founders of the Mexican NGO Son Tus Datos (It’s Your Information), which has been advocating protection of privacy since 2012.

“It would be good if it did so. It would be good if pressure were put on the Mexican government,” he told IPS.

In its report to the Human Rights Council, Mexico makes no mention of protecting privacy or personal information.

The Federal Law on the Protection of Personal Data, which went into effect in 2010, guarantees privacy and regulates the collection, use and disclosure of personal data, applying to both private and public entities.

But the law’s guarantees were undermined when a Law on Geolocalisation entered into force in 2012. This legislation allows the government to gather, without notification and in real time, geographic data from cell-phone users.

In its March report “You Only Click Twice: FinFisher’s Global Proliferation”, the
Citizen Lab – an interdisciplinary laboratory at the University of Toronto, Canada – identified command and control servers for intrusive surveillance technology called FinFisher, sold by Gamma International UK Ltd, in a number of countries, including two in the networks of private Mexican phone companies.

After the report was released, two Mexican organisations, Propuesta Cívica and ContingenteMX, asked the Federal Institute of Access to Information (IFAI) in June to investigate the use of the FinFisher spyware.

U.S. journalist Glenn Greenwald reported on Sept. 1 that the NSA monitored the communications networks of Brazilian President Dilma Rousseff and Mexican President Enrique Peña Nieto, including telephone, Internet and social network exchanges, during their election campaigns.

Only then did the Mexican government react sharply, calling on the U.S. administration of Barack Obama to conduct a thorough investigation, although in a less strongly worded statement than the one issued by the Brazilian government.

“I’m not sadly surprised, because governments have one perspective when it’s about the citizens and another about the politicians,” Nyst said.

“It’s important Mexican society takes this opportunity and targets the government so that it doesn’t create more insecurity. We’re not going to get rid of surveillance, but we can ask for more transparency and accountability,” she added.

PI, which also drew up reports on Senegal and China, is preparing a legal offensive against Gamma International for exporting FinFisher.

It is working with Mexican civil society organisations to get the IFAI to take in-depth action on intrusive surveillance by the government and private parties.

The issue will also be raised at the 35th International Conference of Data Protection and Privacy Commissioners, to take place Sept. 23-26 in Warsaw with the participation of civil society.

PI warns that “without adequate safeguards, such legislation, which endows government authorities with broad surveillance powers, compromises Mexican citizens’ right to privacy, and is in any event an inappropriate and disproportionate response to the intended purpose.”

It also recommends ensuring “that the use of surveillance software is strictly regulated and monitored by the Department of Defence and overseen by judicial and other independent authorities.”

In addition it calls for ensuring “that appropriate mechanisms and reviews are put in place to guarantee that use of surveillance software is and remains necessary, legitimate and proportionate…[and demonstrating] transparency with respect to the purchase and use of surveillance software by government authorities.”

Civil society “can demand to be allowed active participation in legislative processes, and ways for different sectors to be represented. They can send letters to the Mexican state, the presidency, Congress, as people do in the United States,” Laurant said.