The challenges in ensuring strong privacy safeguards, proper oversight of surveillance powers, and effective remedy for those arbitrarily affected continued during 2023 in Latin America. Let’s take a few, non-exhaustive, examples.
A scandal revealed that Brazilian Intelligence agents monitored the movements of politicians, journalists, lawyers, police officers, and judges. In Perú, leaked documents indicated negotiations between the government and a U.S. vendor of spying technologies. Amidst the Argentinian presidential elections, a thorny surveillance scheme broke in the news. In México, media reports highlighted prosecutors’ controversial data requests targeting public figures. New revelations reinforced that the change of government in Mexico didn’t halt the use of Pegasus to spy on human rights defenders, while the trial on Pegasus abuses under the previous administration has finally begun.
Those recent surveillance stories have deep roots in legal and institutional weaknesses, often topped by an entrenched culture of secrecy. While the challenges cited above are not (at all!) exclusive to Latin America, it remains an essential task to draw attention to and look at the arbitrary surveillance cases that occasionally emerge, allowing broader societal scrutiny.
The Opacity of Intelligence Activities and Privacy Loopholes
First revealed in March, the use of location tracking software by Intelligence forces in Brazil hit the headlines again in October when a Federal Police investigation led to 25 search warrants and the arrest of two officials. The newspaper O Globo uncovered that during three years of former President Bolsonaro’s administration, Intelligence Agency officials used First Mile to monitor the steps of up to 10,000 cell phone owners every 12 months without any official protocol. According to O Globo, the software First Mile, developed by the Israeli company Cognyte, can detect an individual based on the location of devices using 2G, 3G and 4G networks. By simply entering a person’s phone number, the system allows you to follow their last position on a map. It also provides targets’ displacement records and "real-time alerts" of their movements.
News reports indicate that the system likely exploits Signaling System No. 7 (SS7), an international telecommunication protocol standard that defines how the network elements in a telephone network exchange information and control signals. It is through the SS7 protocol that network operators are able to route telephone calls and SMS messages to the correct recipients. Yet security vulnerabilities in the SS7 protocol also enable attackers to find out the location of a target, among other malicious uses. While telecom companies have access to such data as part of their activities and may disclose it in response to law enforcement requests, tools like First Mile allow intelligence and police agents to skip this step.
A high-ranking source at Abin told O Globo that the agency claimed to use the tool for "state security" purposes, on the grounds that there was a "legal limbo" regarding privacy protections for cell phone metadata. The primary issue the case underscores is the lack of robust regulation and oversight of intelligence activities in Brazil. Second, while Brazilian law indeed lacks strong explicit privacy protections for telephone metadata, access to real-time location data enjoys a higher standard, at least for criminal investigations. Moreover, Brazil has key constitutional data privacy safeguards and case law that can provide a solid basis to challenge the arbitrary use of tools like First Mile.
The Good and the Bad Guys Cross Paths
We should not disregard how the absence of proper controls, safeguards, and tech security measures opens the door not only to law enforcement and government abuses but can also feed actions by malicious third parties – including in their relations with political powers.
The Titan software used in Mexico also exploits the SS7 protocol and combines location data with a trove of information it gets from credit bureau, government, telecom, and other databases. Vice News unveiled that Mexican cartels are allegedly piggybacking on police use of this system to track and target their enemies.
In Titan’s case, Vice News reported that by entering a first and last name, or a phone number, the platform gives access to a person’s Mexican ID, “including address, phone number, a log of calls made and received, a security background check showing if the person has an active or past warrant or has been in prison, credit information, and the option to geolocate the phone.” The piece points out there is an underground market of people selling Titan-enabled intel, with prices that can reach up to USD 9,000 per service.
In turn, the surveillance scheme uncovered in Argentina doesn’t rely on specific software, but it may involve hacking and apparently mixes different sources and techniques to spy on persons of interest. The lead character here is a former federal police officer who compiled over 1,000 folders about politicians, judges, journalists, union leaders, and more. Various news reports suggest how the former police officer's spying services relate to his possible political ties.
Vulnerabilities on Sale, Rights at Stake
Another critical aspect concerns the current incentives to perpetuate, rather than fix, security vulnerabilities – and governments’ role in it. As we highlighted, “governments must recognize that intelligence agency and law enforcement hostility to device security is dangerous to their own citizens,” and shift their attitude from often facilitating the spread of malicious software to actually supporting security for all of us. Yet we still have a long way to go.
In Perú, La Encerrona reported that a U.S.-based vendor, Duality Alliance, offered spying systems to the Intelligence Division of Perú’s Ministry of Interior (DIGIMIN). According to La Encerrona, leaked documents indicated negotiations during 2021 and 2022. Among the offers, La Encerrona underlines the tool ARPON, which the vendor claimed had the ability to intercept WhatsApp messages through a zero-click attack able to circumvent security restrictions between the app and the Android operating system. DIGIMIN has assured the news site that the agency didn’t purchase any of the tools that Duality Alliance offered.
Recent Mexican experience shows the challenges of putting an end to the arbitrary use of spyware. Despite major public outcry against the use of Pegasus by security forces to track journalists, human rights defenders, and political opponents, among others, and President López Obrador’s public commitment to halt these abuses, the issue continues. New evidence of the Mexican Armed Forces’ spying during Obrador’s administration burst into the media in 2023. According to media reports, the military used Pegasus to track the country’s undersecretary for human rights, a human rights defender, and journalists.
The kick-off of the trial on the Mexican Pegasus case is definitely good news. It started in December and has already provided key witness insights into the spying operations. According to the Mexican digital rights organization R3D, a trial witness included former President Enrique Peña Nieto and other high-ranking officials in the chain of command behind infections with Pegasus. As R3D pointed out, this trial must serve as a starting point to investigate the espionage apparatus in Mexico built between public and private actors, which should also consider the most recent cases.
Recurrent Issues, Urgent Needs
On a final but equally important note, The New York Times reported that the Mexico City Attorney General's Office (AGO) and prosecutors in the state of Colima issued controversial data requests to the Mexican telecom company Telcel targeting politicians and public officials. According to The New York Times, Mexico City's AGO denied having requested that information, although other sources confirmed it. The requests didn't require prior judicial authorization as they fell into a legal exception for kidnapping investigations. R3D highlighted how the case relates to deep-seated issues, such as the obligation for indiscriminate telecom data retention set in Mexican law and the lack of adequate safeguards to prevent and punish arbitrary access to metadata by law enforcement.
Along with R3D and other partners in Latin America, EFF has been furthering the project ¿Quién Defiende Tus Datos? ("Who Defends Your Data?") since 2015 to push for stronger privacy and transparency commitments from Internet Service Providers (ISPs) in the region. In 2023, we released a comparative report building on eight years of findings and challenges. Despite advances, our conclusions show persistent gaps and new concerning trends closely connected to the set of issues this post indicates. Our recommendations aim to reinforce critical milestones companies and states should embrace to pave a way forward.
During 2023, we continued working to make them a reality. Among other things, we collaborated with partners in Brazil on a draft proposal for ensuring data protection in the context of public security and law enforcement, spoke to Mexican lawmakers about how cybersecurity and strong data privacy rights go hand in hand, and joined policy debates upholding solid data privacy standards. We will keep monitoring the ups and downs of privacy in Latin America, and contribute to turning the recurring lessons from arbitrary surveillance cases into consistent responses towards robust data privacy and security for all.
This blog is part of our Year in Review series. Read other articles about the fight for digital rights in 2023.