NSO Group and the dozens of other commercial spyware outfits that have cropped up around the globe over the past decade operate in a largely unregulated market. Spyware makers like NSO Group, Hacking Team in Italy and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations.
But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, email, keystroke, location, sound and sight.
The discovery of NSO’s spyware on the phones of Mexican nutrition policy makers, activists and even government employees, like Dr. Barquera, raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.
The soda industry has poured over $67 million into defeating state and local efforts to regulate soft drink sales in the United States since 2009, according to the Center for Science in the Public Interest. But the tax in Mexico — Coca-Cola’s biggest consumer market by per capita consumption — posed an exceptional threat. After the tax passed in 2014, Coca-Cola pledged $8.2 billion worth of investments in Mexico through 2020. And soda giants have lobbied against the tax through various industry groups, like ConMéxico, which represents Coca-Cola and PepsiCo.
Lorena Cerdán, director of ConMéxico, said the group had no knowledge of, or part in, the mobile hacking. “This is the first we’re hearing of it,” Ms. Cerdán said. “And frankly, it scares us, too.”
The timing of the hacking coincided with a planned effort by advocacy organizations and health researchers — including Dr. Barquera, Mr. Calvillo and Mr. Encarnación — to coordinate a mass media campaign to build support for doubling the soda tax, an effort that stalled in Mexico’s Congress in November. The three men also opposed a failed effort by Mexican legislators and soda lobbyists in 2015 to cut the tax in half.
One week after health researchers and advocates announced their campaign in a news conference last summer, their phones began to buzz with the spyware-laced messages.
“This is proof that surveillance in Mexico is out of control,” said Luis Fernando García, the director of the Red en Defensa de los Derechos Digitales, a Mexican digital rights nonprofit better known by the acronym R3D. “When we have proof that this surveillance is being used against nutritional activists, it’s clear Mexico should not be given these technologies.”
NSO Group’s motto is “Make the World a Safer Place.” But its spyware is increasingly turning up on the phones of journalists, dissidents and human rights activists.
NSO spyware was discovered on the phone of a human-rights activist in the United Arab Emirates and a prominent Mexican journalist in August. Researchers at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs discovered NSO had exploited flaws in Apple software — since patched — to infiltrate the phones of the Emirati activist and the Mexican journalist, Rafael Cabrera.
In 2015, Mr. Cabrera reported that a luxury home that had been custom-built for President Enrique Peña Nieto of Mexico and his wife was owned by the subsidiary of a Chinese company that had been awarded hundreds of millions of dollars in government contracts. Mr. Cabrera’s report forced the presidential couple to forgo its stake in the home and the government to rescind contracts.
The discovery of spyware on Mr. Cabrera’s phone prompted digital rights activists to warn more journalists and activists in Mexico to look out for similarly suspicious text messages. In the process, they uncovered a new class of targets: nutrition policy makers and activists, some of whom were government employees.
Each had been targeted by NSO’s main product, a tracking system called Pegasus, that could extract their text messages, contact lists, calendar records, emails, instant messages and location. It turned their phones into recording devices and secretly captured live footage off their cameras. Its full range of capabilities was detailed in an NSO Group marketing proposal leaked to The Times last year.
In interviews and statements, NSO Group — whose headquarters are in Herzliya, Israel, but which sold a controlling stake in 2014 to Francisco Partners, a San Francisco-based private equity firm — claims to sell its spyware only to law enforcement agencies to track terrorists, criminals and drug lords. NSO executives point to technical safeguards that prevent clients from sharing its spy tools.
An NSO spokesman reiterated those restrictions in a statement on Thursday, and said the company had no knowledge of the tracking of health researchers and advocates inside Mexico.
It is not clear why any Mexican government agency would deploy the spyware to track those on the front lines of the fight to battle obesity in Mexico — where diabetes was recently declared a national emergency — nor is it clear which Mexican government agency could be behind the surveillance.
“Mexico’s intelligence systems are subject to federal relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican Embassy in Washington, said in a statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.”
The NSO emails leaked to The Times referred to multimillion-dollar, continuing NSO Group contracts with several government agencies inside Mexico, and the Mexican government has been an enthusiastic buyer of foreign spy tools.
Mexico was listed as the biggest client of Hacking Team, the Italian cyber-surveillance firm, which was itself hacked in 2015. Hacked internal documents published online showed that at least 14 Mexican states and government agencies had paid $6.3 million to Hacking Team for its spy tools since 2010.
Mexico’s Interior Ministry, which operates Cisen, the civil national security intelligence service, was listed as Hacking Team’s highest-paying client. Other clients included the Mexican Navy, federal police and attorney general’s office, as well as several Mexican states.
The leaked Hacking Team emails also revealed that the firm was increasingly facing competition from NSO Group to procure contracts with Cisen, the Mexican attorney general’s office and Sedena, an acronym for the office of Mexico’s secretary of national defense.
The health researchers did not discover their phones had been targeted with NSO spyware until August. That month, SocialTIC, a Mexican digital security nonprofit, and R3D warned its contacts to look for suspicious messages. A subsequent forensics investigation by Citizen Lab of the messages sent to Mr. Calvillo, Dr. Barquera, Mr. Encarnación and others confirmed that they were laced with NSO Group spyware.
NSO Group executives say they have a strict vetting process to determine the countries with which they will do business, which includes an ethics committee comprising employees and an outside counsel that vets potential government clients based on human rights rankings set by the World Bank and other bodies. Executives said they had pulled contracts when they uncovered human rights violations.
But it is unclear how the Mexican spy efforts made it through the vetting process.
“This is one of the most brazen cases of abuse we have ever seen,” said John Scott-Railton, a senior researcher at Citizen Lab. “It points to a total breakdown of government oversight in Mexico, and a complete failure of due diligence by the NSO Group.”
The legal case for the use of spyware in Mexico is uncertain. Only the federal and justice authorities can lawfully intercept private communications in Mexico, but require a court order to do so. However, Mr. García and others argue that spyware is more invasive than traditional forms of interception, and they say it is not clear what case the government would have to monitor the communications of health researchers and activists.
“I doubt these intrusions were approved by any judge,” Mr. García, of R3D, said.
In interviews, Dr. Barquera, Mr. Encarnación and Mr. Calvillo all said they were not sure which government agency could be behind the hacking. Each said he was wary of using his phone for sensitive communications. And yet they insist they are undeterred.
“Suddenly, you are aware of everything you say,” Dr. Barquera said. “Everything you say feels like a potential threat, that it could come back to haunt you.”