MEXICO CITY — Almost every Latin American government has purchased or shown interest in obtaining aggressive surveillance software, taking advantage of a failure to enforce lax regulations but potentially violating human rights, according to a new report by the Santiago-based NGO, Derechos Digitales.
Authorities in Brazil, Chile, Colombia, Ecuador, Honduras, Mexico and Panama have all bought software licensed from Hacking Team, an Italian company that sells some of the most invasive spying software in the world. Argentina, Guatemala, Paraguay, Uruguay and Venezuela have negotiated with the company but do not appear to have bought any products as of July, according to the report, released last week. The report was based on a 2015 breach of Hacking Team’s internal emails, which made public over one million internal emails detailing how the company used malware and software vulnerabilities to create spyware that can get into nearly any computer and smartphone.
As BuzzFeed News previously revealed, in many cases the purchases were made through intermediaries like Israeli software company NICE Systems, as Hacking Team is subject to certain export restrictions on its software.
One of the biggest concerns for Derechos Digitales is that the spying software is being used in a region that is fraught with deep political divisions, where some governments are known for their repressive, authoritarian practices and where the rule of law is weak.
“Despite there being solid legal framework that protects human rights and regulates interception of communications, in practice these spying activities in these countries are disproportionate and, in many cases, directed toward members of the opposition or activists and dissidents,” reads the report, referring to surveillance practices in Colombia, Ecuador and Mexico.
In Colombia, journalist Vicky Davila reported to the deputy attorney general that her and her family’s private communications were intercepted, possibly because she had access to information on a prostitution ring inside the police force. During the RightsCon conference in San Francisco last week, members of Derechos Digitales told BuzzFeed News that journalists and NGOs were among the most frequent targets for surveillance by their governments. Simple spear phishing emails, in which a person is lured into clicking on and downloading malware that appears as a document or attachment, were among the most commonly used. In one case, said the group during its presentation, journalists in Mexico were sent emails that appeared to come from the president’s office, only to, in fact, contain malware when the attachment was opened.
Eight out of ten Mexican government entities that purchased the software are not authorized to intercept communications; one of these, the government in the state of Puebla, spied on members of the opposition and journalists, the report reveals.
And in Ecuador, judges and electoral authorities who opposed Rafael Correa’s government were spied on with Hacking Team’s “Remote Control System,” which the company boasts can enable governments to monitor the communications of people online on various platforms, including those using encrypted systems, as well as remotely activate microphones and cameras.
Only Panama’s current government has any sort of ongoing investigation into Hacking Team or Robotec, an intermediary agency who sold Hacking Team’s software in Latin America, according to the report. In 2011, former Panamanian president Ricardo Martinelli’s office of security purchased “Galileo,” a communications monitoring system created to combat crime. Shortly before the current president took office in July 2014, the spying software — which intercepted communications during the elections — disappeared. Anti-corruption authorities began an investigation into the disappearance of the spying equipment.
There are no specific regulations for Galileo and other communications monitoring systems in the Latin American countries that negotiated with Hacking Team. However, these countries require a judicial order prior to intercepting private communications. If evidence is obtained without meeting this requirement, then it cannot be used in court.
There is also the matter of how long intercepted information is kept: in Guatemala and Paraguay everything that is not related to the matter that is being investigated must be destroyed, though few other countries have this standard.
“In Latin America, surveillance and government spying activities are worthy of suspicion, especially if we take into account the history of authoritarianism and repression in the region,” the report concludes. “Spying programs that are as invasive as Hacking Team lend themselves to human rights abuses and violations.”
Karla Zabludovsky is the Mexico bureau chief and Latin America correspondent for BuzzFeed News and is based in Mexico City.
Contact Karla Zabludovsky at Karla.Zabludovsky@buzzfeed.com.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at email@example.com.
Got a confidential tip? Submit it here.