The New York Times reported last month that Alejandro Encinas, Mexico’s top human rights official and a personal friend of President Andrés Manuel López Obrador, was repeatedly targeted with Pegasus spyware while investigating abuses by the Mexican military. It was the latest in a series of scandals revealing Mexican law enforcement’s expensive love affair with one of the world’s most notorious hacking tools.
Forensic analysis has confirmed the use of Pegasus, a tool licensed to government agencies that enables full remote access to a target’s device, to target journalists and civil society in three Latin American countries: Mexico, El Salvador and, most recently, the Dominican Republic.
It’s all part of a broader regional trend in which more Latin Americans than ever are having their movements, communications and even body temperatures tracked by their governments. Throughout the hemisphere, governments are signing lucrative contracts for monitoring tools—not all as invasive as Pegasus, to be sure, but still a potential cause for alarm in a region with a history of intelligence agencies surveilling their own citizens with little accountability, oversight or basic information about their use.
“The degree of intrusiveness and naturalization of these technologies has been advancing in the region over the last 10 years,” said Veridiana Alimonti, the Electronic Frontier Foundation’s associate director for Latin American policy.
While the evolution and accelerating deployment of surveillance technologies are global issues, some experts say Latin America is particularly vulnerable. They argue that the region’s especially weak legal frameworks, combined with expansive budgets for intelligence and law enforcement agencies to purchase crime-fighting tools, create an environment ripe for abuses.
Cynthia Picolo, executive director of Brazilian digital policy think tank LAPIN, divides the umbrella of “surveillance technology” into three main elements. The first, government hacking, includes tools that enable remote or direct access to mobile devices. The second category, covering mass surveillance and biometric collection systems, is more integrated into citizens’ daily lives, from traffic cameras to facial-recognition software at soccer stadiums. A third involves the integration of different official databases, such as combining public health and criminal records or cross-border law enforcement collaboration.
In Mexico, federal and state agencies spent more than US$14.4 million on spyware contracts from 2018-21 alone, according to data gathered by e-consulta, Connectas and the Digital Rights Defense Network (R3D). Mexican authorities, including the military, have also repeatedly used Pegasus against activists and journalists. Former Panamanian president Ricardo Martinelli allegedly used the costly spyware prolifically—prosecutors accused him of diverting more than US$13 million to create a shadow intelligence division that spied on business competitors, political opponents, union leaders and journalists. (Martinelli has denied wrongdoing.) Cellebrite’s Universal Forensic Extraction Device (UFED), a forensics analysis tool that extracts information from a mobile device, has been deployed in Latin America by law enforcement agencies in countries including Argentina, per a government report, and Honduras, according to the U.S. State Department. Technology sold by intelligence company Circles that can identify a device’s location using just a phone number has been detected in Chile, Ecuador, El Salvador, Guatemala, Honduras, Mexico and Peru.
In Brazil, where use of facial-recognition technology has expanded significantly since 2021, according to LAPIN, the Justice Ministry created Cortex, a program that integrated automated license-plate readers with surveillance camera networks and other databases to track individuals’ movements in real time. Experts say such programs—in which location data is collected en masse rather than by targeting individuals suspected of committing crimes—raise concerns about privacy and other rights violations. Other countries, including the entire Southern Cone, have rolled out similar anti-crime initiatives utilizing facial recognition and camera networks.
Reliance on biometric data for public health interventions during the COVID-19 pandemic has only accelerated this trend. Governments introduced thermal cameras in transportation hubs and tracked users’ movements to ensure compliance with lockdown measures, with little accountability for how the data is used or stored.
The lack of oversight is especially troubling, experts say.
“How can you guarantee rights with no possibility of oversight?” said Alimonti. “The control and accountability mechanisms aren’t there. By the time someone finds out they’ve been targeted, it’s too late.”
“[Officials] sign contracts that they know are not transparent, that didn’t go through a normal public consultation process,” Picolo told AQ. “There’s a narrative of ‘this technology will increase public security,’ so we go there, we buy it, and that’s it.”
The manufacturers—mostly companies based in Israel, China, Japan, the U.K., France or the U.S.—maintain that their products and activities are legal, but often dodge responsibility for their clients’ actions.
In many places, the law simply hasn’t caught up to the technology, and sellers and buyers exploit these gaps. Even countries with more robust legislation, such as Brazil’s data protection law, often grant broad exceptions for public security.
“Suppliers take advantage of this legal vacuum. They try to legalize the technology without using proper law, because there is no proper law,” said Picolo. “And all these agencies want to buy this technology for public security, so they ignore the law. It’s a gray area, and they take advantage of it.”
Such carve-outs give state actors a pretext to justify monitoring targets’ movements and communications, even without a court order—as in Mexico, where federal prosecutors used an anti-crime law to access phone records of three people investigating a 2011 massacre.
“These are technologies that, by design, undermine human rights,” said Ángela Alarcón, campaigner for Latin America and the Caribbean at digital rights organization Access Now. Yet a recent analysis of 23 surveillance technology producers, conducted by Access Now, LAPIN and other organizations, found that the companies did not clarify whether they consider potential clients’ track record of human rights abuses.
This is critical, Alarcón noted, because the contracts and tools belong to the state, not an official or party. “These instruments stay in place for future governments, not just the figures in power right now.”
—
Southwick is a freelance journalist and communications manager at the New York City Bar Association’s Vance Center for International Justice.