A new report by the Santiago-based NGO, Derechos Digitales (digital rights) claims that nearly every Latin American country, from Mexico to Chile (and practically everywhere in-between) is using aggressive surveillance software to spy on its citizens.
The report relied heavily on information from a 2015 breach of an Italian company, Hacking Team, that made public over a million internal emails detailing the use of malware and system vulnerabilities to create spyware capable of intercepting data on nearly any phone or PC.
Authorities in Brazil, Chile, Colombia, Ecuador, Honduras, Mexico and Panama all currently own the software and several more, such as Argentina, Guatemala, Uruguay and Venezuela have made inquiries but don’t appear to have purchased the tool. Of course, many of these purchases took place through intermediaries — like Israeli software company NICE Systems — due to export restrictions on Hacking Team’s software so the scope of ownership could far exceed the details of the report.
Latin America is already a region overrun with corruption, deep political division, and repressive authoritarian regimes. The new software could facilitate entirely new ways to further divide the populace and silence dissidents and activists.
“In Latin America, surveillance and government spying activities are worthy of suspicion, especially if we take into account the history of authoritarianism and repression in the region,” the report states. “Spying programs that are as invasive as Hacking Team lend themselves to human rights abuses and violations.”
From a legal standpoint, the rule of law is weak, but several countries do have laws that they’re actively ignoring by using the software.
Eight of 10 Mexican entities that purchased the software, for example, are not authorized to intercept communications. One of these, the government in the state of Puebla, actively used the software to spy on political opposition and journalists, the report details. Other Mexican journalists are being targeted in phishing campaigns (spear phishing) that features email believed to be from the president’s office — only the email actually contain malware that executes upon opening an attachment.
Journalist Vicky Davila reported that her family’s private communications had been intercepted due to information she held about a prostitution ring operated by a Colombian police force.
Aside from dubious legality, there’s also the issue of how long this intercepted data should be kept, and where. Guatemala and Paraguay are required to destroy any collected data that is not being used for a current investigation, but vague generalities in law preclude us from determining what exactly a current investigation entails.
Other countries, like Mexico, have no framework in place for this sort of data collection or retention. But then again, it’s hard to have a framework for data collection when the practice is prohibited by law in the areas it’s being used.