Pegasus: Powerful Tool for Law Enforcement … and Repression

By Fulton Armstrong

Malware infection/ Blogtrepreneur/ Flickr/ Creative Commons License

Latin American human rights groups’ outcry about Mexican and Panamanian deployment of the “Pegasus” spying tool to keep tabs on critics has had little or no impact, and governments are suspected of using it more aggressively than ever. The Israeli security company NSO has been licensing the software in the region since at least 2010, supposedly to help law enforcement agencies, but recent revelations about Salvadoran President Nayib Bukele’s extensive use of it indicate that it has become an increasingly powerful tool for repressing political opponents and the media.

  • Pegasus gives users total control of targets’ mobile phones running either the Android or Apple operating system, enabling them to exfiltrate all data on the devices, turn on microphones and cameras, and commandeer owners’ communications. Because it penetrates a device’s root level, the tool can collect data from WhatsApp and other encrypted services that users generally think are secure.
  • NSO claims it licenses the software only to governments and requires them to promise to use it only against terrorists, traffickers, and other criminal enterprises. According to the press, the software helped Mexican authorities capture Joaquín Guzmán Loera (“El Chapo”) in 2016, and European investigators have used it to arrest dozens of suspects in a multinational child-abuse ring.

But the company clearly is not enforcing license restrictions, as governments are using it to spy on critics with impunity around the world, including in Latin America.

  • During the administration of Mexican President Peña Nieto, Mexico used it against human rights experts and journalists investigating disappearances and corruption. Panamanian President Ricardo Martinelli used public health funds to buy Pegasus to harass political opponents. Rights groups cite strong circumstantial evidence that Colombia conducted a Pegasus-style attack against critics during protests last year and that Honduras and Guatemala have purchased licenses for similar software.
  • Bukele’s use of a new “zero-click” version of Pegasus – which doesn’t require the victim to tap a malware link – was perhaps the region’s boldest attack yet. It took over the mobile devices of most of the editors, reporters, and staff at the newspaper El Faro. An analysis by the Toronto-based Citizen Lab found that some of their phones were reinfected up to 40 times to make sure that operating system updates and other adjustments didn’t cut off access to data. The organization said that journalists from other Salvadoran news organizations and prominent human rights activists were also targeted. Bukele’s spokesperson denied it all.

Human rights groups point out that governments that spy on opponents often act on the information they collect – subjecting them to harassment, malicious prosecution, violence, death threats, and physical harm. Observers also warn that the software kit almost certainly has been deployed in other Latin American countries, some of which historically have been aggressive in running tel-taps and electronic intercept operations against citizens.

The international community doesn’t appear likely anytime soon to categorize such use of the software as a serious violation of human rights and demand that NSO stop selling it.

  • NSO has obvious business reasons for turning a blind eye to abuses, and the Israeli government has used license approvals in many countries to secure diplomatic support for its positions in multilateral contexts. Panamanian observers credit it with persuading Martinelli to make Panama one of only eight countries to vote with Israel on a UN resolution in 2012, and press reports indicate it remains an important diplomatic tool in Israel’s pursuit of objectives in the Middle East.
  • The EU, which has jealously protected internet privacy, has been relatively quiet, just recently opening investigations. Last November, Washington put NSO on its “entity list,” blocking it from receiving certain new U.S. technologies – reportedly because Israel violated its promise to block deployment in the United States – but the U.S. government has bought copies for “testing” purposes. (The FBI says it will not deploy it, but NSO has reportedly created a separate product, called Phantom, for U.S. collection operations.) U.S. agencies have fought Apple and other phone manufacturers in the past over encryption technology baked into their devices.

Popular outrage doesn’t seem likely to lead to new legislation either. Most citizens, who see themselves as “doing nothing wrong and having nothing to hide,” do not sense the implications of the theft of their information and are therefore unlikely to call for a crackdown. Indeed, told that the software helps authorities break up criminal rings, many may privately support deployments. Salvadoran President Bukele was caught red-handed, but he probably sees his historically high popularity as a green light to continue.

February 10, 2022
