Last summer, Dr Simon Barquera’s phone started buzzing with a series of disturbing text messages from unknown numbers. One said his daughter had been in a serious accident. Another claimed to be from a friend whose father had died — with a link to funeral details.
Boeque sinulpa vitione ipit unt ipiet, unti voles explaut eseque mill lanti cum eum rem de aut cum eum rem de aut rer kdj dkiligna tibus, ipnti ustiae la doloriss”-Alejandro Calvillo | ounder of El Poder del Consumidor
Yet another message informed Barquera, director of nutrition policy at Mexico’s National Institute of Public Health, that a Mexican news outlet had accused him of negligence, again with a link. And in more menacing messages, someone claimed to be sleeping with Barquera’s wife. That included a link to what the sender claimed was photo evidence of their affair.
That same week, Luis Manuel Encarnacion, then director at Fundacion Midete, a foundation in Mexico City that battles obesity, also started receiving strange messages with links. When he clicked, Encarnacion was ominously redirected to Gayosso, Mexico’s largest funeral service.
The messages Encarnacion received were identical to a series of texts sent to Alejandro Calvillo, a mild-mannered activist and founder of El Poder del Consumidor, yet another Mexico City organisation that has been at the forefront of battling childhood obesity in the country.
What the men had in common was this: All were vocal proponents of Mexico’s 2014 soda tax, the first national soda tax of its kind. It is aimed at reducing consumption of sugary drinks in Mexico, where weight-related diseases kill more people every year than violent crime.
The links sent to the men were laced with an invasive form of spyware developed by NSO Group, an Israeli cyberarms dealer that sells its digital spy tools exclusively to governments and that has contracts with multiple agencies inside Mexico, according to company emails leaked to The New York Times last year.
NSO Group and the dozens of other commercial spyware outfits that have cropped up around the globe over the past decade operate in a largely unregulated market. Spyware makers like NSO Group, Hacking Team in Italy and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations.
But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, email, keystroke, location, sound and sight.
The discovery of NSO’s spyware on the phones of Mexican nutrition policymakers, activists and even government employees, like Barquera, raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.
The soda industry has poured over $67 million (Dh2.4 billion) into defeating state and local efforts to regulate soft drink sales in the United States since 2009, according to the Center for Science in the Public Interest. But the tax in Mexico — Coca-Cola’s biggest consumer market by per capita consumption — posed an exceptional threat. After the tax passed in 2014, Coca-Cola pledged $8.2 billion worth of investments in Mexico through 2020. And soda giants have lobbied against the tax through various industry groups, like ConMExico, which represents Coca-Cola and PepsiCo.
Lorena Cerdan, director of ConMExico, said the group had no knowledge of, or part in, the mobile hacking. “This is the first we’re hearing of it,” Cerdan said. “And frankly, it scares us, too.”
The timing of the hacking coincided with a planned effort by advocacy organisations and health researchers — including Barquera, Calvillo and Encarnacion — to coordinate a mass media campaign to build support for doubling the soda tax, an effort that stalled in Mexico’s Congress in November. The three men also opposed a failed effort by Mexican legislators and soda lobbyists in 2015 to cut the tax in half.
One week after health researchers and advocates announced their campaign in a news conference last summer, their phones began to buzz with the spyware-laced messages.
“This is proof that surveillance in Mexico is out of control,” said Luis Fernando Garcia, director of the Red en Defensa de los Derechos Digitales, a Mexican digital rights non-profit better known by the acronym R3D. “When we have proof that this surveillance is being used against nutritional activists, it’s clear Mexico should not be given these technologies.”
NSO Group’s motto is “Make the World a Safer Place.” But its spyware is increasingly turning up on the phones of journalists, dissidents and human rights activists.
NSO spyware was discovered on the phone of a human rights activist in the United Arab Emirates and a prominent Mexican journalist in August. Researchers at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs discovered NSO had exploited flaws in Apple software — since patched — to infiltrate the phones of Emirati activist and Mexican journalist Rafael Cabrera.
In 2015, Cabrera reported that a luxury home that had been custom-built for President Enrique Pena Nieto of Mexico and his wife was owned by the subsidiary of a Chinese company that had been awarded hundreds of millions of dollars in government contracts. Cabrera’s report forced the presidential couple to forgo its stake in the home and the government to rescind contracts.
The discovery of spyware on Cabrera’s phone prompted digital rights activists to warn more journalists and activists in Mexico to look out for similarly suspicious text messages. In the process, they uncovered a new class of targets: nutrition policymakers and activists, some of whom were government employees.
Each had been targeted by NSO’s main product, a tracking system called Pegasus, that could extract their text messages, contact lists, calendar records, emails, instant messages and location. It turned their phones into recording devices and secretly captured live footage off their cameras. Its full range of capabilities was detailed in an NSO Group marketing proposal leaked to The Times last year.
In interviews and statements, NSO Group — whose headquarters are in Herzliya, Israel, but which sold a controlling stake in 2014 to Francisco Partners, a San Francisco-based private equity firm — claims to sell its spyware only to law enforcement agencies to track terrorists, criminals and drug lords. NSO executives point to technical safeguards that prevent clients from sharing its spy tools.
An NSO spokesman reiterated those restrictions in a statement, and said the company had no knowledge of the tracking of health researchers and advocates inside Mexico.
The health researchers did not discover their phones had been targeted with NSO spyware until August. That month, SocialTIC, a Mexican digital security non-profit, and R3D warned its contacts to look for suspicious messages.
A subsequent forensics investigation by Citizen Lab of the messages sent to Calvillo, Barquera, Encarnacion and others confirmed that they were laced with NSO Group spyware.