Surveillance-oriented spyware is dodgy in itself, but it’s even worse when it’s abused to intimidate political enemies — just ask Mexican health advocates. The New York Times has learned that someone used commercial spyware from NSO Group to target proponents of Mexico’s soda tax, including researchers and activists, right as they were rallying support for doubling the tax. The attackers sent personalized messages that warned of bogus news (say, a daughter’s accident) and urged the victims to tap a link. If they did, the hostile would infect their devices and track everything from messages to location. It’d even quietly record camera footage.
It’s not clear who the culprit may be. Soft drink industry group ConMéxico says this is the first time it heard of the spyware intrusion, and it’s not clear which government agency would oppose the soda tax so vehemently that it would spy on prominent supporters. While there was a separate incident where a journalist fell victim to spyware after uncovering a presidential housing scandal, there’s no evidence that the soda campaign was ordered at the highest levels.
Whoever’s responsible, there’s one overriding concern: how did NSO Group’s tool find its way into the wrong hands? The company says it only sells to law enforcement agencies after a thorough vetting process, and there are software measures that stop customers from sharing the technology. Either corrupt officials misused the software to further a pro-soda agenda, or some private actor had unauthorized access. And if the government was involved, it suggests that companies like NSO should have a stricter screening process that rules out sales when there’s a realistic chance of misuse.