SAN FRANCISCO — Last summer, Dr. Simón Barquera’s phone started buzzing with a series of disturbing text messages from unknown numbers. One said his daughter had been in a serious accident. Another claimed to be from a friend whose father had died — with a link to funeral details.
Yet another message informed Barquera, director of nutrition policy at Mexico’s National Institute of Public Health, that a Mexican news outlet had accused him of negligence, again with a link. And in more menacing messages, someone claimed to be sleeping with Barquera’s wife. That included a link to what the sender claimed was photo evidence of their affair.
That same week, Luis Manuel Encarnación, then director at Fundación Mídete, a foundation in Mexico City that battles obesity, also started receiving strange messages with links. When he clicked, Encarnación was ominously redirected to Gayosso, Mexico’s largest funeral service.
The messages Encarnación received were identical to a series of texts sent to Alejandro Calvillo, a mild-mannered activist and founder of El Poder del Consumidor, yet another Mexico City organization that has been at the forefront of battling childhood obesity in the country.
What the men had in common was this: All were vocal proponents of Mexico’s 2014 soda tax, the first national soda tax of its kind. It is aimed at reducing consumption of sugary drinks in Mexico, where weight-related diseases kill more people every year than violent crime.
The links sent to the men were laced with an invasive form of spyware developed by NSO Group, an Israeli cyberarms dealer that sells its digital spy tools exclusively to governments and that has contracts with multiple agencies inside Mexico, according to company emails leaked to The New York Times last year.
NSO Group and the dozens of other commercial spyware outfits that have cropped up around the globe over the past decade operate in a largely unregulated market. Spyware-makers like NSO Group, Hacking Team in Italy and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations. But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, email, keystroke, location, sound and sight.
The discovery of NSO’s spyware on the phones of Mexican nutrition policymakers, activists and even government employees, like Barquera, raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.
The soda industry has poured over $67 million into defeating state and local efforts to regulate soft drink sales in the United States since 2009, according to the Center for Science in the Public Interest. But the tax in Mexico — Coca-Cola’s biggest consumer market by per capita consumption — posed an exceptional threat. After the tax passed in 2014, Coca-Cola pledged $8.2 billion worth of investments in Mexico through 2020. And soda giants have lobbied against the tax through various industry groups, like ConMéxico, which represents Coca-Cola and PepsiCo.
Lorena Cerdán, director of ConMéxico, said the group had no knowledge of, or part in, the mobile hacking. “This is the first we’re hearing of it,” Cerdán said. “And frankly, it scares us, too.”
The timing of the hacking coincided with a planned effort by advocacy organizations and health researchers — including Barquera, Calvillo and Encarnación — to coordinate a mass media campaign to build support for doubling the soda tax, an effort that stalled in Mexico’s Congress in November. The three men also opposed a failed effort by Mexican legislators and soda lobbyists in 2015 to cut the tax in half.
One week after health researchers and advocates announced their campaign in a news conference last summer, their phones began to buzz with the spyware-laced messages.
“This is proof that surveillance in Mexico is out of control,” said Luis Fernando García, director of the Red en Defensa de los Derechos Digitales, a Mexican digital rights nonprofit better known by the acronym R3D. “When we have proof that this surveillance is being used against nutritional activists, it’s clear Mexico should not be given these technologies.”
NSO Group’s motto is “Make the World a Safer Place.” But its spyware is increasingly turning up on the phones of journalists, dissidents and human rights activists.
NSO spyware was discovered on the phone of a human-rights activist in the United Arab Emirates and a prominent Mexican journalist in August. Researchers at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs discovered NSO had exploited flaws in Apple software — since patched — to infiltrate the phones of Emirati activist and Mexican journalist Rafael Cabrera.
In 2015, Cabrera reported that a luxury home that had been custom-built for President Enrique Peña Nieto of Mexico and his wife was owned by the subsidiary of a Chinese company that had been awarded hundreds of millions of dollars in government contracts. Cabrera’s report forced the presidential couple to forgo its stake in the home and the government to rescind contracts.
The discovery of spyware on Cabrera’s phone prompted digital rights activists to warn more journalists and activists in Mexico to look out for similarly suspicious text messages. In the process, they uncovered a new class of targets: nutrition policymakers and activists, some of whom were government employees.
Each had been targeted by NSO’s main product, a tracking system called Pegasus, that could extract their text messages, contact lists, calendar records, emails, instant messages and location. It turned their phones into recording devices and secretly captured live footage off their cameras. Its full range of capabilities was detailed in an NSO Group marketing proposal leaked to The Times last year.
In interviews and statements, NSO Group — whose headquarters are in Herzliya, Israel, but which sold a controlling stake in 2014 to Francisco Partners, a San Francisco-based private equity firm — claims to sell its spyware only to law enforcement agencies to track terrorists, criminals and drug lords. NSO executives point to technical safeguards that prevent clients from sharing its spy tools. An NSO spokesman reiterated those restrictions in a statement Thursday, and said the company had no knowledge of the tracking of health researchers and advocates inside Mexico.
The health researchers did not discover their phones had been targeted until August. That month, SocialTIC, a Mexican digital security nonprofit, and R3D warned its contacts to look for suspicious messages. A subsequent forensics investigation by Citizen Lab of the messages sent to Calvillo, Barquera, Encarnación and others confirmed that they were laced with NSO Group spyware. NSO Group executives say they have a strict vetting process to determine the countries with which they will do business, which includes an ethics committee comprising employees and an outside counsel that vets potential government clients based on human rights rankings set by the World Bank and other bodies. Executives said they had pulled contracts when they uncovered human rights violations.
But it is unclear how the Mexican spy efforts made it through the vetting process.
“This is one of the most brazen cases of abuse we have ever seen,” said John Scott-Railton, a senior researcher at Citizen Lab. “It points to a total breakdown of government oversight in Mexico, and a complete failure of due diligence by the NSO Group.”