BOB GARFIELD: This is On the Media. I’m Bob Garfield.
BROOKE GLADSTONE: And I'm Brooke Gladstone. This week, The New York Times broke an explosive story.
MALE CORRESPONDENT: A cyberattack via text message, that's what the Mexican government is suspected of doing to some of its critics, using advanced spyware technology.
FEMALE CORRESPONDENT: Among those reportedly spied on were the lawyers representing the families of the 43 students who disappeared from the Ayotzinapa Teachers' College in 2014 in Mexico, as well as award-winning journalist Carmen Aristegui.
JOHN SCOTT-RAILTON: They send you a text message, essentially. It might be something that involves you, something that involves your company, and if you click on the link it downloads the software and that software then basically takes over your phone.
BROOKE GLADSTONE: That software is called Pegasus, and it's developed by the NSO Group, an Israeli cyber arms dealer. NSO is just the latest such dealer to be exposed, but this one has strong ties to the US.
JOHN SCOTT-RAILTON: The majority owner appears to be a San Francisco-based firm named Francisco Capital Partners.
BROOKE GLADSTONE: John Scott-Railton, senior researcher at the Toronto-based Citizen Lab, has been investigating the use of spyware against Mexican activists and journalists. Tracking this kind of spyware is tough, he says, but not in this case.
JOHN SCOTT-RAILTON: The operator of NSO was reckless in how they conducted this targeting and how noisy and visible it was. But it's a microcosm of the much more subtle targeting that takes place undiscovered.
BROOKE GLADSTONE: This isn’t the first investigation the Citizen Lab has conducted into misuse of NSO software, and he says each investigation opens a window onto the next.
JOHN SCOTT-RAILTON: The case that we’re talking about here began in August, 2016, with two text messages sent to a human rights defender in the United Arab Emirates named Ahmed Mansoor. The text messages came bearing links. Had Mansoor clicked on those links, they would have infected his iPhone, turning it into a spy in his pocket, capable of monitoring his phone calls, the things he says around his microphone and his movements, too. And from that investigation, we found evidence that there were also Mexican cases. That led to a collaboration with several Mexican organizations, R3D, Social Tic and Article 19, to gather evidence of potential targeting of Mexican civil society.
BROOKE GLADSTONE: Mansoor didn't click on it but how was he enticed to click on it?
JOHN SCOTT-RAILTON: Well, the text messages proposed new secrets about people jailed in Emirati prisons, which was an issue that Mansoor’s advocacy touches on. Instead of clicking, he thought something was amiss. This isn't the first time or even the second time that Mansoor’s government targeted him with sophisticated government-exclusive spyware. It's the third time. And so, Mansoor each time has shared the targeting with Citizen Lab, resulting in investigations of the companies.
When we found the first case, we were able to scan for other servers that behaved in a similar way. And, by far, the largest apparent use was in Mexico.
BROOKE GLADSTONE: One of the people targeted in Mexico was the journalist Carmen Aristegui who'd been instrumental over the past few years in revealing a corruption scandal involving Mexican President Peña Nieto’s wife. How was she targeted?
JOHN SCOTT-RAILTON: Carmen received, over the course of a year and a half, a slew of messages, some of them abusive, some of them sexual, some of them threatening, some pretending to be the United States government, all with the same goal, to convince her to click on a link, which would result in the infection of her phone. The people operating the campaign though were not satisfied with targeting Carmen, and they sent over 20 messages to her son who was located in the United States during the time that they were targeting his mother.
BROOKE GLADSTONE: So you say that the United Arab Emirates used it and the government of Mexico used it. How do you know that it's the governments?
JOHN SCOTT-RAILTON: We have strong circumstantial evidence, based on who was targeted with infection attempts, based on the substance of the targeting, based on the location of the targets.
BROOKE GLADSTONE: This is government-exclusive software, right? It’s only sold to governments?
JOHN SCOTT-RAILTON: That's correct, which means that when you find it you know that you're looking at a government. Governments purchase a certain number of infections that they can have live at any given time. So I might purchase the ability to have 10 phones under monitoring, which means that the companies that sell this stuff keep the technology under fairly close control.
What we’re looking at is an environment in which technologies that perhaps 10 years ago were only the purview of governments that could sort of develop them in-house are now being sold to any government that can pay.
BROOKE GLADSTONE: So that means that the smallest government or even a well-heeled independent organization could do it.
JOHN SCOTT-RAILTON: Well, so this is an interesting question. We published a report back in February that showed that Mexican campaigners for the soda tax, public health scientists and consumer advocates, were targeted with NSO Group’s spyware. Now, it’s unclear why the Mexican government would target those individuals. Others have raised the possibility that the government might have been working on behalf of private interests who had a lot to lose from the soda tax.
BROOKE GLADSTONE: Mm. This kind of software is marketed to investigate criminals and to track terrorists.
JOHN SCOTT-RAILTON: That’s right. Every company that Citizen Lab has investigated makes the same pitch. But time and time again, what our investigations and other groups’ investigations reveal is something that we like to call informally the principle of misuse. If you take something so powerful and so hard to discover and you put it in the hands of a government that does not have a robust rule of law and accountability around the use of secret surveillance, it will be misused for political purposes. It’s only a matter of time.
The NSO Group claim that they do due diligence around a sale. Now, taking the example of the UAE for a second, you have not one but two prior cases of the misuse of government-exclusive spyware by the UAE government, the misuse of a tool called FinFisher, made by a UK and German company named Gamma Group, and the misuse of Hacking Team’s Remote Control System, made by an Italian company. Now, if I were selling government-exclusive spyware and the UAE asked me for a bid, I can't think of a better case where due diligence was suggested it was likely to be misused again.
BROOKE GLADSTONE: You’ve mentioned a bunch of other companies that do the same thing. Is this a new industry, government- exclusive spyware?
JOHN SCOTT-RAILTON: The industry is relatively new. Historically, whenever that despot encounters somebody who he wants to monitor, somebody scurries off and monitors a phone line. As more and more communications are encrypted, which is great, that doesn't work as well. Enter government-exclusive spyware, which promises that regime the ability to regain visibility on communications that they could no longer monitor.
BROOKE GLADSTONE: Let's talk about NSO, which is at least partly owned by an American company, Francisco Capital Partners. It’s operating internationally. It's claiming to do its due diligence. But I guess ultimately it exists in a fairly ambiguous space, from a legal standpoint. Are there legal implications for these companies for the misuse of their software?
JOHN SCOTT-RAILTON: The legal environment in which these companies operate is still fairly gray, They may be subject to certain export restrictions from the countries where the technology originates. However, a little bit like the arms market, this market thrives in the gray spaces that are less than fully regulated. R3D, Social Tic and Article 19 presented a formal complaint to the Mexican government, which points out the likelihood that this targeting was illegal under Mexican law. There was an announcement in the middle of this week that the Mexican government would be conducting an investigation into this case, although it remains to be seen, given that they are the party accused of using this, whether or not that investigation will be capable of finding the truth.
BROOKE GLADSTONE: You know, it's interesting how responsive to the market these organizations are because they don’t only sell bugs, they also sell bug detectors. It is kind of like the arms market, isn’t it?
JOHN SCOTT-RAILTON: That’s right and, indeed, some of the companies that play in this space get their investment from arms dealers. There are reports that NSO Group, trying to hide from the bad publicity caused by our reports and others, may be considering a name change, changing their name to Q - like the letter – Cyber Technologies. This would not be the first time that a company selling spyware has tried, by using a name change, to escape the bad Google results.
Ultimately though, what is shows and what they must know is that even potential customers can't necessarily trust that another customer will not expose the whole operation by using the technology recklessly. And it points to the uncertainty even that a government interested in purchasing the stuff would face because the recklessness of the use in Mexico, for example, brings risk to all of the other government users of this technology by exposing how the technology works to researchers like us.
BROOKE GLADSTONE: Thank you very much, John.
JOHN SCOTT-RAILTON: Thank you so much.
BROOKE GLADSTONE: John Scott-Railton is a senior researcher at Citizen Lab at the Munk School of Global Affairs at the University of Toronto.
We contacted NSO for an interview. They declined to speak to us.
Salvador Camarena is a Mexican journalist who knows the consequences of government pressure and hacking all too well. He joined broadcast journalist Carmen Aristegui’s reporting team in January, 2015, two months after it broke the news of the major scandal called Casa Blanca or White House.
SALVADOR CAMARENA: About how the President Peña Nieto and his family has a fancy house in a very fancy neighborhood that is valued in something around $7 million. The tricky question was, how come the President has this house if he has been in politics his whole life?
BROOKE GLADSTONE: The answer was not good for the President.
FEMALE CORRESPONDENT: The Mexican journalist revealed he is living in a new mansion in Mexico City, which is owned by a Mexican construction firm, a firm that has won many government contracts. The $7 million home is spectacular, all white, marble floors, a very modern….
BROOKE GLADSTONE: It looked especially bad for Peña Nieto, whose party had ruled for seven decades, until pushed out by a population weary of corruption. He’d just brought his party back in 2012.
SALVADOR CAMARENA: Yeah, and they have this promise that they have changed and they have learned a lesson, but when we discovered these things, it was like the old times, the corruption times.
BROOKE GLADSTONE: Facing public outrage, the President actually apologized.
[PRESIDENT PEÑA NIETO APOLOGIZING IN SPANISH]
Carmen Aristegui’s reporting team, meanwhile, lost their jobs and her popular show was canceled.
SALVADOR CAMARENA: We got fired at March, 2015. And they say it was a difference between Carman and the company, and it’s a private company. But everyone was crystal clear that it was a punishment.
BROOKE GLADSTONE: Broadcasters in Mexico rely on government advertising for survival, and the employer of this intrepid team of investigative reporters may have caved in to bottom-line pressure. Meanwhile, Sal Camarena, like Carmen Aristegui, started to receive strange text messages.
SALVADOR CAMARENA: Like someone trying to reach you in order to let you know that his father has died and he said, check this link for the details about the ceremony. These messages were trying to pull you to do the click.
BROOKE GLADSTONE: Unfortunately, he did click and then he, too, carried a spy in his pocket. But he didn't realize that until about a year later, when a former colleague of his, Rafael Cabrera, who was also getting weird texts, learned from Citizen Lab that they were part of a much larger hacking scheme. Now, Camarena is director of investigative journalism at an NGO called Mexicans Against Corruption and Impunity.
Mexican President Peña Nieto has denied his government hacked journalists and activists, but those hacked demand the inquiry, even if no justice is done. In fact, they don't expect it. When 43 students from a rural school in the state of Guerrero disappeared in 2014, there also was an investigation but no justice.
SALVADOR CAMARENA: They were on several buses on a trip. The police detained those buses and after that we don’t have any news. We don’t have real answers about what happened to these 43 students.
BROOKE GLADSTONE: Who stood to gain by eliminating 43 students who were studying education?
SALVADOR CAMARENA: Guerrero, this state is, is a mess. Sorry but that’s the perfect word. We don’t have –
BROOKE GLADSTONE: Because of drug cartels or because -
SALVADOR CAMARENA: Yes.
BROOKE GLADSTONE: Yeah.
SALVADOR CAMARENA: Yes, because of heroin.
BROOKE GLADSTONE: Heroin.
SALVADOR CAMARENA: Most of the heroin consumed in the United States is produced in Guerrero.
BROOKE GLADSTONE: The buses were being used to transport heroin?
SALVADOR CAMARENA: Actually, yeah. Brooke, [LAUGHS] for us it took like 18 months to get to that kind of a clue. It’s very important to remember one thing. In order to get to that point, we had to ask an international body, the Organization of American States. They came and they helped us to investigate. We need help from abroad in order to know what is happening in Mexico.
BROOKE GLADSTONE: Because the government is not willing, you believe, to investigate this crime.
SALVADOR CAMARENA: Yeah. At the very beginning, they were thinking and they were saying it was a local problem, unbelievable!
BROOKE GLADSTONE: And so, circling back to the surveillance, has anybody in the government ever gone to jail for performing this kind of surveillance without a warrant?
SALVADOR CAMARENA: Mm, good question. I don't remember and I don't want to lie or to mislead, but let me tell you something that could answer that kind of question.
BROOKE GLADSTONE: Mm-hmm.
SALVADOR CAMARENA: In 1984, so long time ago, Manuel Buendía, the most respected journalist at the moment, was killed in Mexico City. For that case, yes, some people went to jail. From the year 2000 to now, more than 100 journalists have been killed. In 17 years, no more than five people have been charged for more than 100 cases. No one in the government was able to conduct an investigation in the proper manner in order to get someone in jail.
BROOKE GLADSTONE: So five people charged, no convictions, 100 dead journalists, 17 years.
SALVADOR CAMARENA: That’s correct.
BROOKE GLADSTONE: Sal, thank you very much.
SALVADOR CAMARENA: Brooke, I am a big fan. Thank you. [LAUGHS] And -
BROOKE GLADSTONE: You risk yourself to do the work you do.
We just sit in our semi air-conditioned offices [LAUGHS] doing it.
SALVADOR CAMARENA: No, no, no. Working in Mexico City as a journalist is very close to working in New York City as a journalist, and I know that. I have been living in both cities doing journalism.
BROOKE GLADSTONE: Mm-hmm.
SALVADOR CAMARENA: So I can prove that.
BROOKE GLADSTONE: Mm-hmm.
SALVADOR CAMARENA: But doing journalism outside Mexico City, it’s a hell, a living hell. So thank you for watching us. Thank you for calling us. And please, let’s keep in touch because so many good reporters are facing real threats around my country, and it’s very important to have international attention to them.
[MUSIC UP & UNDER]
BROOKE GLADSTONE: We will continue. Thank you so much, Sal.
SALVADOR CAMARENA: Brooke, una braco, we say in Spanish.
BROOKE GLADSTONE: [LAUGHS] Sal Camarena is the director of investigative journalism at Mexicans Against Corruption and Impunity.
BOB GARFIELD: That’s it for this week’s show. On the Media is produced by Meara Sharma, Alana Casanova-Burgess, Jesse Brenneman, Micah Loewinger and Leah Feder. We had more help from Jane Vaughan. And our show was edited - by Brooke. Our technical director is Jennifer Munson. Our engineers this week were Sam Bair and Terence Bernardo.
BROOKE GLADSTONE: Katya Rogers is our executive producer. Jim Schachter is WNYC’s vice president for news. Bassist composer Ben Allison wrote our theme. On the Media is a production of WNYC Studios. I’m Brooke Gladstone.
BOB GARFIELD: And I’m Bob Garfield.