When a Military Spies on Citizens’ Phones

Tech companies, like Meta and Apple, sell users the promise of privacy. They say the encryption on their smartphones and apps will keep user data safe.

But there is one powerful form of spyware, called Pegasus, that we know can break through. The tool allows remote access to just about everything on a device, including its microphone, camera and location data.

You’ve probably heard of it: Governments have been using it in high-profile cases for more than a decade. But the scope of that spying has been hard to track.

The maker of Pegasus does not disclose its clients, and it’s difficult to tell if a phone has been infected with it. It has also been unclear what information the authorities go looking for in a device — until last week, when my colleagues Natalie Kitroeff and Ronen Bergman reported that the Mexican military spied on citizens who were trying to expose its misdeeds.

The case provides a rare view into the mechanics of how, exactly, governments can misuse Pegasus. Their reporting also illuminates critical details about the state of Mexico’s democracy in a moment of civil unrest. Below, Natalie explains why this case is so significant, and what it means for the country.

Lauren: Hi, Natalie. Are you worried the Mexican military could be listening to your phone?

Natalie: I get my phone checked every few days for Pegasus. But we haven’t found anything yet.

Let’s take a step back. How have governments around the world been using Pegasus?

Both democratic and autocratic countries have bought the tool from the NSO Group, an Israeli company. The company says it requires its clients to agree to use the spyware only to fight terrorism or serious crime. And there are examples of that: European investigators have used it to bring down a global child-abuse ring, for instance.

But reporting has revealed that, again and again, governments have also used it to spy on journalists, activists and human rights defenders.

The Mexican government also used Pegasus to capture the drug lord known as El Chapo. So we’ve known the government has used the spyware in the past. What is new about this story?

The Mexican government has for years been implicated in scandals around its use of Pegasus, including spying on journalists and activists. That’s not new.

What’s new is that we know definitively how the military is spying on civilians. A group of hackers that call themselves Guacamaya, or Macaw in English, hacked millions of military emails and unearthed an absolutely stunning amount of data. Among all those documents were these newly discovered files, which revealed the details of how Mexico used Pegasus against a human rights defender and journalists who were investigating allegations that soldiers had gunned down innocent people.

That’s a big deal for Mexico, but can you explain to me what this means for our understanding of spyware use more broadly?

This case offers for the first time a clear paper trail showing what a state actor, in this case the Mexican military, wanted to see on a human rights defender’s phone. It’s a remarkable document.

A researcher put it to me this way: It shows us how the spyware operators took this person’s private digital life, dumped it all out on the table and then selected the parts most harmful to him.

This news comes at a time of political turmoil for the country. People in more than 100 cities recently protested the government’s overhaul of a major election watchdog. What does this reveal about the Mexican government in this moment?

Mexico’s president, Andrés Manuel López Obrador, came to office in 2018 on a wave of discontent. He railed against corruption and promised not to spy on people. This demonstrates that spying by the government has continued under his administration.

As he is commander in chief of the armed forces, it also suggests that either he knew about this spying and he tolerated it, or he didn’t know, and his own armed forces were disobeying him. It has raised a growing fear about the increasing power of the military.

The news has also broken at a moment when López Obrador’s relationship to democratic norms and institutions is being questioned across the world, but especially in the United States.

This revelation offers the U.S. a specific example of its ally and neighbor acting in antidemocratic ways. Will Washington do anything in response?

Washington has been asking: What is the appropriate role of the military in a democratic country? The kidnapping of four Americans in Mexico this month has only ratcheted up their broader concerns about Mexican stability.

But the U.S. also needs Mexico really badly. The Biden administration has not wanted to publicly criticize the Mexican government because officials fear threatening cooperation on migration.

It’s a tense moment for Mexico’s democracy and it shows how spyware bought by democratic countries can potentially be misused as certain factions within the government, in this case the military, gain more power. We don’t yet know what impact this series of revelations, and others that may come, will have on Mexico’s government. But I don’t think we should count it out as something that could leave a longer-lasting mark on this administration.

Related: Read Natalie and Ronen’s article on Mexico’s use of Pegasus.
