FinFisher in Mexico: Smile, you are still being spied

by Digital Rights LAC on June 12, 2023

In March 2013, the Citizen Lab of the University of Toronto published the report For Their Eyes Only: The Commercialization of Digital Spying. For Mexico, this report marked a turning point: the researchers found the surveillance software FinFisher operating in two telecommunication networks: Iusacell and Uninet (a subsidiary of Telmex).

By Pepe Flores, Digital Rights Latin America & The Caribbean*

FinFisher is a surveillance software made by Gamma International, supposedly sold to national security officers. The software is installed in the devices of the supervised person (mobile phone, computer), supplanting a legitimate program. For example, in May 2013, the Mozilla Foundation denounced that FinFisher supplanted the Firefox brand to go unnoticed. Once that FinFisher is installed, it gives the attacker remote control of the device, allowing him to record conversations, access saved files, download contact lists, e-mails, SMS, amongst others. FinFisher can also intervene the camera and microphone of the infected gadget. 

These findings mobilized the Mexican activists in 2013 to demand to the Federal Institute of Information Access (INAI, formerly IFAI) to open an investigation, specially because of the suspicion that activists, journalists, and human rights defenders were target of this software. Jesús Robles Maloof, lawyer, published the column “Smile, you’re being spied”, on which he points out that FinFisher may have been purchased by the Federal government or a local one – or even by a body of the organized crime.

The revelations incited the deputy Juan Pablo Adame to issue a call to the Federal administration to submit a report about the use of FinFisher in the intelligence collection activities, exhorting both the INAI and the Secretary of the Interior to inquire into the matter. In the same month, members of the Desobediencia Civil (Civil Disobedience) group accused to have found traces of the spyware in their cellphones and computers. 

However, two years have passed and the uncertainty remains about the government’s accountability regarding the acquisition and use of FinFisher. Recently in April 2015, the Special Commission of Digital Agenda and Information Technologies of the Mexican Congress –presided by Adame himself– hosted a hearing with diverse specialists in the FinFisher issue. In front of the representatives, the organization SonTusDatos presented the report Global Information Society Watch 2014. Communications Surveillance in the Digital Age (GISWatch 2014).

During her intervention in the hearing with the Special Commission, Korina Velázquez, member of SonTusDatos, emphasized that “Mexico holds the presidency of the Open Government Partnership. In that sense, it would be totally congruent to try to solve some issues like its little transparency and accountability for purchasing and using spyware. It is unknown how much money is spent on what, who is being spied and why.” Nevertheless, the investigation about FinFisher (actually ongoing) has not shown any intentionality from the government in order to clarify the discussed points. 

The chapter about Mexico in GISWatch 2014, written by Korina Velázquez, Cédric Laurant and Monserrat Laguna Osorio, shows that a journalistic investigation from the newspaper Reforma, published in July 2013, found that Obses de México sold FinFisher to the Office of the General Prosecutor (Procuraduría General de Justicia), and to other government agencies in the country. IFAI investigated the Obses company, which failed to contribute with enough information regarding its transactions, gaining a fine of approximately USD 100.000 for obstruction of the investigation.

The commercialization made by Obses contradicts the Gamma International’s supposed politics of no resale. Questioned by Privacy International in the Organization for Economic Cooperation and Development (OCDE) for the purchasing of FinFisher by countries like Bahrain, Gamma International affirmed that they only provide their services to security forces in sovereign States, arguing that there are nations that use illegitimate copies of the software. However, a posterior leak from WikiLeaks in September 2014 showed that Gamma International is aware of who are distributing their software and their purposes. The leak also notified about a visit from the owners of the company to Mexican government facilities in 2013. 

An independent research made by ContingenteMX and Propuesta Cívica found that FinFisher was used in at least four security agencies in Mexico: the Public Security Secretary, the Office of the General Prosecutor, the National Center of Investigation and Security, and the Presidential Guard. Meanwhile, the two companies involved in the Mexican case (Uninet and Iusacell) answered in 2013 that they didn’t have servers with FinFisher installed in their datacenter. but as the activist Jacobo Nájera pointed out, the companies did not dismissed the possibility of any of their users doing it. Likewise, the Citizen Lab reported that, at least by September 2013, they had information about FInFisher still running in the monitored networks. 

In 2014, between January and June, the lawyers Luis Fernando García and Jesús Robles Maloof made a report about surveillance technologies in Mexico, citing the case of FinFisher, amongst others. “The information obtained through the research has made possible to document a high presumption that the surveillance measures are being used with political purposes against determined groups”, they claim in the conclusions of the study. “There are enough hints that surveillance measures are used against human rights defenders, activists, and journalists.”

Also a piece published in August 2014 in Reforma, written by the journalist Martha Martínez (paywalled original and free access) shows that “the ilegal intervention of private communications is not a theme present in neither the Federal government nor the Congress agenda” and probably “this is because the espionage is a weapon also used by those who are responsible to sanction this felony.” 

García and Robles’ report also places Mexico amongst the top five buyers of surveillance technologies, showing an increase in the acquisition from Federal and local governments. The document suggests that these methods are being used in at least the states of Chiapas, Coahuila, Quintana Roo, Puebla, Tamaulipas, and Veracruz, while the audit of the appropriate use of this software is in question because of the lack of a legal system which allows transparency and accountability. About this, it was also mentioned in the Congress that “the travels documented in the WikiLeaks filtrations [in 2014] make seem Mexico at the level of Siria, Russia, and China” in comparison with the countries that buy surveillance technologies. 

Unfortunately, as exposed in these lines, the FinFisher case makes evident the lack of commitment of the Mexican authorities with the transparency and accountability in the purchase and use of surveillance technologies; specially in the actual Federal administration, whose espionage and privacy violation records promote a reasonable doubt about the ilegal use of those tools. Meanwhile, these programs and devices are still in hands of the governments, without any warrant of audit nor any possibility of documenting their abuses. So, two years later since the original denunciation, I close this text with a sad continuation of the Robles’ famous column: Smile, you are still being spied.

*Pepe Flores (@padaguan) is the editor of Digital Rights Latin America and The Caribbean bulletin since March 2015. He is the editorial director of FayerWayer and has reported on the FinFisher case in Mexico since 2013 in different online media.