Interview: the risks to democracy of digital surveillance
Luis Fernando García, Executive Director of the Mexican NGO Red en Defensa de los Derechos Digitales (The Defence of Digital Rights Network), tells how his country's government used spyware to track civil society
Luis Fernando García, Executive Director of the Mexican NGO Red en Defensa de los Derechos Digitales. Photo: Handout
LUIS FERNANDO GARCÍA
He is the Executive Director at Red en Defensa de los Derechos Digitales. He works in the area of human rights and technology and graduated in Law at the Universidad Iberoamericana, where he was also a Lecturer. He has a Master’s Degree in International Law and Human Rights from Lund University, in Sweden, and received a grant from the Google Policy Fellowship for the Associação de Direitos Civis da Argentina (Argentinian Association of Civil Rights).
“Even if people follow very good digital security guidelines, it is almost impossible to avoid a Pegasus attack,” says Luis Fernando García, Executive Director at Red en Defensa de los Derechos Digitales, the Mexican organisation that brought to light a number of cases of illegal spying on human rights defenders, lawyers and journalists by his country's government.
Pegasus was developed by the Israeli company NSO Group. It is powerful spyware that accesses all the information available on a device. As well as Mexico, other countries, like India and Saudi Arabia, have also used the programme to spy on different groups.
Here in Brazil, a report by the UOL portal indicated that the federal government had shown interest in buying the programme in a public tender by the Ministry for Justice and Public Security, without the participation of the Institutional Security Cabinet (GSI) and the Brazilian Intelligence Agency (Abin).
This led civil society organisations to launch a campaign calling for the Supreme Audit Agency (TCU) and Federal Justice to block the hiring of illegal espionage. In May, Conectas, Instituto Igarapé, Instituto Sou da Paz, Rede Liberdade and Transparência Internacional Brasil filed a complaint with the TCU, indicating irregularities in the project.
The document draws attention to the fact that “this is a question of illegal procurement, in an unsuitable manner, of a system that could potentially harm the collective, that will allow for the indiscriminate and inappropriate harvesting of information and that could even be used for shady political purposes.”
Following the repercussions of the case, the NSO Group abandoned the public tender and, as the bidding was suspended, another company, Harpia Tecnologia Eireli, won. It will receive R$ 5.5 million to supposedly monitor the internet.
In the interview below, García talks about how illegal espionage, using advanced software technology, harms democratic activities and affects people's security. In his opinion, there is a need to fight for legal mechanisms to prevent governments from purchasing and using these programmes illegally.
Conectas – Who were the victims of Pegasus in Mexico and how were these cases made public?
Luis Fernando García – There are over 20 registered victims, mainly human rights defenders, activists, lawyers and journalists who work in media outlets or organisations investigating corruption, rights violations on different fronts or working on campaigns to foster human rights. It must be said, however, that we do not know the identities of the vast majority of the people who suffered attacks. There is evidence that the Mexican government investigated at least 500 people using Pegasus, so the 20 cases we know about are just the tip of the iceberg.
These cases were made public after an investigation we carried out along with other Mexican organisations. We started collecting text messages that seemed to be phishing attacks. We verified that these messages contained links that led to the NSO Group infrastructure. So, by means of technical analyses, we were able to identify that clicking the link led to Pegasus being installed on mobile phones, whereby it gained almost full access to devices. We made this investigation public and the story came out in the New York Times, among others. This had huge public repercussions in the country.
Conectas – What type of data is Pegasus able to access? What are the personal risks to the people affected and what are the risks to democracy?
Luis Fernando García – It is an invasive and powerful system, able to access practically all the content on a mobile phone: contact lists, calendars and photos. It can activate the camera, microphone and geolocation without the user noticing. Pegasus can also pick up voice and text messages and record everything the user types on their phone. In addition, passwords can be automatically changed, allowing access to other information. The way the system accesses the telephone is silent, autonomous and undetectable, as it has a self-destruct mechanism which means detection by forensic techniques is evaded, if the phone is scanned.
This affects people in many ways: ranging from the possibility of those in possession of information using personal data to obstruct the work of journalists and human rights defenders, to their using the material to ramp up telephone, digital and personal threats and using physical aggression, including kidnapping and death. Clearly, this all affects society as a whole and democracy. For example, it has an impact on contact between journalists and their sources, hindering work which is in the public interest.
Conectas – At the time, what justification did the government give for using this programme?
Luis Fernando García – Their tone was rather ambiguous regarding their intentions in buying the Pegasus system. There is proof that at least the Federal Prosecutor's Office (PGR) purchased the software during the Felipe Calderón government and there is evidence that the army also bought it, but never actually used it. During the Peña Nieto government, apart from the PGR purchase, there are indications that the programme was also bought by the National Intelligence Agency (CNI). Initially, the government acknowledged that they had acquired the system and justified themselves saying that it would be used to fight organised crime. Later, the PGR told the authorities that despite spending over US$ 40 million on the equipment, they had never used it. The fact that this amount of money was spent on something that was never used is worrying in itself; however, it is of even greater concern that the PGR lied. There is evidence that it was used against human rights defenders and journalists in Mexico.
Conectas – Following denouncements made by civil society, the Mexican government gave clear signs that the programme would no longer be used. Was there any reparation for the victims?
Luis Fernando García – No. Impunity and lack of transparency have prevailed. The new government [Andrés Manuel López Obrador] stated that the system had been uninstalled, which is also worrying because there is an investigation in progress and the dismantling of the spy system could make it difficult to gather proof. The victims received no reparation and no significant progress has been made with the investigation.
Conectas – Given the sophisticated nature of Pegasus, how can civil society organise itself in seeking to put the subject of digital security on the agenda of public debate while also protecting itself from the programme?
Luis Fernando García – It is a very sophisticated programme and is very difficult to tackle. Clearly, there are some important digital maintenance and self-defence measures that should be adopted by human rights defenders and journalists, to mitigate and minimise the risk of attack by surveillance systems. But it should be understood that even when people follow very good digital security guidelines, it is practically impossible to avoid an attack by the Pegasus system. Therefore, solutions are not to be found solely in what people can do to protect themselves, but also in accountability and preventing illegal acts, committed using surveillance tools, from going unpunished. Finally, I consider the legal, political and cultural struggle against surveillance of the population to be equally important and particularly when it comes to those whose work is in the public interest.
Conectas – International organisations have expressed concern over the use of Pegasus in different countries. Do you believe the Israeli company NSO Group, the creator of the programme, will be held accountable for these facts?
Luis Fernando García – Of course. Some of the victims in Mexico are suing the NSO Group. The company may also be held responsible for exploiting the vulnerable messaging app WhatsApp, with headquarters in the United States, for attacking thousands of people around the world. I believe that the company should also be held accountable for failing to cooperate with the investigations in progress. Public statements alone are made saying that they are not responsible when governments use the programme to monitor civilians. Now, if they really weren't responsible, they would be the first ones with an interest in cooperating with investigations to avoid being complicit in human rights violations.