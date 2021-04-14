A man talks on a cell phone in downtown Mexico City in December of last year. Hector Vivas / Getty Images

The current Attorney General’s Office (FGR) has bought intelligence programs for the geolocation of cell phones and analysis of massive data. In 2019 and 2020, the Prosecutor’s Office signed at least four contracts for 5.6 million dollars with the company Neolinx de México, according to documentation that EL PAÍS has had access to. This firm has served in the country as an intermediary for the Italian Hacking Team, reported to have been one of the main providers of cyber espionage during the Government of Enrique Peña Nieto (2012-2018). The purchases were made under the secret heading on national security expenses, so the contracts were not made transparent by the Prosecutor’s Office. The Network in Defense of Digital Rights (R3D), which has followed up on this type of contracting, considers that the operation of these systems may violate human rights because in some cases it constitutes a massive surveillance that violates the requirements of necessity, proportionality and judicial authorization.

Neolinx is a Mexican firm created in 2009 and linked to the sale of spy equipment. In 2015, it was revealed that he had served as an intermediary for the Italian Hacking Team in Mexico after hundreds of emails and internal documents with details of its operations were leaked. The information released revealed that the Italian consortium had marketed its products to 35 countries, many of them flagged for human rights violations. Until then, Mexico had been its main customer.

The Network for the Defense of Digital Rights R3D made an analysis of the data released after the leak and denounced that at least 12 states in the country had commercial relations with Hacking Team, through its various intermediaries. According to the analysis made by the R3D at that time, Neolinx would have sold its products to the Government of Guerrero and the State of Mexico, as well as to the Federal Police, PGR and National Defense, among other agencies. In April 2018, he would have signed the last contract with the Prosecutor’s Office before the change of administration. It is now known that Neolinx has continued to sell its supplies and services to the current government, this time as an intermediary for the Israeli company Rayzone Group.

EL PAÍS found in various reports from the FGR’s internal control body that the Prosecutor’s Office headed by Alejandro Gertz Manero has entered into at least four contracts for consulting services and massive data analysis, as well as for geographic location. The acquisition of these programs is not illegal and they are used, as justified by the authorities, to combat organized crime. However, they can also be used arbitrarily, violating the right to privacy and the presumption of innocence, as R3D has warned in various reports. Although invasions of privacy by the authority are not absolutely prohibited, there are strict limits to this type of surveillance activity, says Luis Fernando García Muñoz, director of the R3D. Furthermore, in Mexico the use of these surveillance systems are extremely problematic because they grant a broad invasive power. “Mass surveillance is not compatible with the principles of necessity and proportionality,” he reiterates.

The first contract signed during Gertz Manero’s administration as head of the FGR was in charge of the Specialized Office of the Investigation of Organized Crime (SEIDO) and was signed on May 30, 2019 for an amount of 2.4 million dollars. The object was: “Real-time geographic location service for mobile communication equipment associated with a telephone line, consisting of installation set-up, configuration and release of 135,000 searches, without there being a limit of daily searches”, according to a report of the OIC consulted by this newspaper. The service described in the contract is known in the cyber espionage market as Geomatrix and is the same one that the Prosecutor’s Office had acquired in the previous six-year term and that was used without controls, according to a 2019 publication made by R3D in collaboration with Indigo Report. This product is developed by Rayzone Group, a consortium that designs and manufactures cyber and intelligence solutions for government and federal agencies. On its website, it describes the product it sold to the FGR through Neolinx as a unique solution that allows intelligence and law enforcement agencies to locate, track and manipulate GSM / UMTS / 3G / 4G (LTE) subscribers. ) covertly and from virtually anywhere in the world, all in real time. “The solution stealthily determines the status, location and movement of targets of interest, from anywhere in a city or area to the entire country and beyond borders, locating them with high precision in real time,” he details.

Another of the contracts signed by the FGR with Neolinx was for the acquisition of the “Echo-Platform for consultation and analysis of massive data”. The purchase was in charge of the Federal Ministerial Police, according to the documentation consulted. In 2019 the cost was $ 1.1 million, while in 2020 the Prosecutor’s Office paid $ 1.7 million for the service. The product is also manufactured by the Israeli company Rayzone, which defines it as a strategic SIGINT (Signal Intelligence) system that provides intelligence and law enforcement agencies with broad, diverse and in-depth information on global internet users. It is a platform that allows users (such as the FGR) to obtain information on a particular point of interest or the massive collection of information from all Internet users in the country. It does not require pre-installation of any physical equipment and operates silently and covertly. Although the position of the FGR was sought in order to know what use was being given to these services contracted through Neolinx, no response was received.

Reporters use their cell phones to broadcast President López Obrador’s morning conference in February of last year. Victoria Valtierra / CUARTOSCURO

One of the biggest scandals that former President Enrique Peña Nieto faced was the acquisition of cyber espionage programs from the Hacking Team and NSO Group consortiums. The case that caused the most outrage was spying on journalists and activists through the Pegasus malware. The acquisition of this software, which infiltrated the phones of the targets to be eavesdropped, having access to all their files and applications, was made from the Israeli NSO Group (Hacking Team’s competition), through various Mexican intermediary firms. In June 2017, a group of journalists and human rights defenders publicly denounced that their phones had been infected with the sophisticated software And after the scandal, the Prosecutor’s Office opened an investigation that to date is still pending. President López Obrador has assured on several occasions that his government has not used Pegasus or any other spyware. “From now on I tell you that we are not involved in that. Here it was decided that no one was going to be persecuted, ”López Obrador said at one of his 2019 press conferences.

Surveillance with few controls

Surveillance measures through various technological tools should not be carried out in a discretionary and opaque way. The authorities, such as the Prosecutor’s Office, are obliged by law to make public the list of requests made to telecommunications concessionaires and internet application service providers for the intervention of private communications and the real-time geographic location of communication equipment. The information of the agencies that must be published in the National Transparency Platform (PNT) must contain the object, scope and legal fundamental of the request, as well as specify if it has judicial authorization. However, this documentation is not presented in a complete or detailed manner.

In 2019, when the FGR signed the contract with Neolinx for the real-time geographic location service, the Prosecutor’s Office reported in the National Transparency Platform that it had requested judicial authorization for geographic location 124 times, explains activist García Muñoz. “The contract involves 135 thousand searches and according to the data reported in the PNT it only reported 124 times, so once again its illegal use is enormously presumed. This indicates a huge underutilization of the system or, more likely, implies an illegal use of the tool ”, he highlights. For this reason, the R3D has spoken out for the application of various control measures and institutional counterweights that prevent the abusive exercise of government surveillance.

The purchases of these technological services from Neolinx de México were made under item 33701 called “public and national security expenses”. In the previous six-year term, the purchase of the Pegasus program with which activists and journalists were spied on was also carried out against this budget bag, which is used in a discretionary manner and is not very transparent. In its most recent report, the Superior Audit of the Federation (ASF) revealed that in the contracts signed by the General Prosecutor’s Office with the signature in 2019, weaknesses were detected in the award, contracting and verification of the resources exercised under item 33701. An example of this is that a market investigation was not carried out that would make it possible to compare the price established by the awarded supplier with other sellers. Lacking this document, it was not guaranteed that the best conditions would be obtained for the State in terms of price, quality and financing.

The ASF pointed out that in the geolocation services contract, the FGR officials did not verify the documentation proving that the service provider (Neolinx) had the technical capacity, qualified personnel and certified by the system manufacturer to provide the services, and it will not ensure that said personnel keep absolute confidentiality regarding the service. “They did not verify that there was evidence that proved the configuration of the location service for 20 computer equipment, as well as the configuration of accesses and the updated service, nor that there were detailed reports for each technical support required, thus as evidence of the certificates or certificates of knowledge transfer granted to 39 public servants, ”the report reads.

In the conditions for the provision of services, it was established that Neolinx had the experience, technical, financial and labor capacity, as well as qualified personnel, adequate equipment and resources to fulfill the contract. However, after a visit to the company by audit personnel, the firm’s legal representative stated that personnel subcontracted to other companies participated in the maintenance service of the platform. The Audit warned that the service provider did not guarantee the confidentiality of the sensitive information to which it could have access. “It was not verified that the awarded companies proved that they had the technical and human resources capacity, which, since they were services that imply confidentiality and secrecy, should have ensured that the service provider had its own personnel to grant the services ”, was established in the opinion.

