In 2022, cyber-attacks on government databases and systems broke into headlines in several Latin American countries. These attacks have exposed government systems’ vulnerabilities—including sometimes basic ones, like failing to keep software updated with critical patches—and shown how attacks can affect government data, services, and infrastructure. On the other hand, they also served to shed light on arbitrary government surveillance practices concealed from proper oversight.
To give some examples, ransomware attacks affected government services in Quito, Ecuador; targeted Chile’s judicial system and the National Consumer Service (Sernac); as well as impacted operations that are dependent on the digital platforms of the Colombian sanitary authority (Invima) and companies’ oversight agency (Supersociedades). Probably the most extensive attack took place in Costa Rica, disrupting government services and leading President Rodrigo Chaves to declare a national emergency.
The Conti group, responsible for Costa Rica’s first hit in April, has also accessed two email boxes belonging to the Intelligence Division of Perú’s Ministry of Interior (DIGIMIN), seeking a ransom in order not to publish the information obtained. Conti’s message states there was no data encryption in DIGIMIN’s network, and that almost all documents the group downloaded were classified as secret. According to media reports analyzing what Conti eventually published online, DIGIMIN has monitored—under the label of “terrorism,”—public events about missing persons and forced disappearances even when government entities were the organizers. The state’s arbitrary monitoring of human rights defenders, political parties, journalists, and opposition leaders came more strongly into the spotlight with the “Guacamaya Leaks.”
#Guacamaya Leaks and #Ejército Espía
Guacamaya is the name of the hacktivist group that in September leaked around 10 terabytes of emails from mainly military institutions in Chile, México, Perú, Colombia, and El Salvador. This was not the first round of “Guacamaya Leaks,” though.
Earlier in 2022, the hacktivist group leaked documents related to mining projects in Guatemala and mining and oil companies in Chile, Ecuador, Colombia, Brazil, and Venezuela. The earlier leak led to the Forbidden Stories’ “Mining Secrets” series, which reported alarming abuses by the Swiss mining conglomerate Solway Group in Guatemala. Delving into documents from its local subsidiary, they discovered how reporters publishing about the mine in Guatemala were “systematically profiled, surveilled and even followed by drones.” Finally, Guacamaya accessed emails from Colombia’s General Attorney office, making them available by request for journalists and others committed to investigating the institution’s ties with drug trafficking, military and paramilitary groups, and corrupt companies.
In that later hack first released in September, which Guacamaya dubbed “Repressive Forces,” they obtained emails from the Chilean Armed Forces’ Joint Chiefs of Staff (EMLO), the Mexican National Defense Secretariat (SEDENA), Perú’s Army and Joint Command of Armed Forces, Colombia’s General Command of the Military Forces, and El Salvador’s National Civil Police and Armed Forces. In most of them, the hacktivist group exploited Proxy Shell vulnerabilities in Microsoft Exchange email servers. Although Microsoft released security updates in 2021, the attacked servers did not yet have the vulnerability patched. In the Mexican case, Zimbra was the email platform, and audits had already warned the government about its cyber security vulnerabilities.
Unlike the Conti group attack, Guacamaya does not intrude on systems for a ransom. Their stated motivation is to shed light on abuses and rights violations so civil society can react and hold governments accountable. As Derechos Digitales’ Maria Paz Canales points out, such leaks are often the only meaningful source of information available to the public on arbitrary practices by armed forces and intelligence agencies in Latin America. Countries in the region generally lack robust legal frameworks and an effective oversight infrastructure to hold government surveillance and repressive powers accountable. On the other hand, leaks may expose sensitive information (e.g. the identity of persons internally pushing against abuses), demanding careful consideration from those releasing the data.
Media reports on the latest Guacamaya leak helped uncover different instances of repression and abusive surveillance. In Chile, reports highlighted that the Navy spent almost 700 million pesos in only six months to militarize the Biobío region during the state of emergency declared to stifle the conflict with indigenous Mapuche groups. The Chilean Armed Forces have also monitored civil society organizations and elected politicians through social media. Similarly, La Encerrona reports that the Peruvian Army’s documents about the monitoring of threats to the democratic State include activities of leftist parties and politicians. Civil society organizations, such as Amnesty International, working close to local communities in mining zones are also considered threats. In México, leaked documents unveil undue military influence seeking to hamper the investigation into the forced disappearance of 43 students in Ayotzinapa. And BBC pointed out that leaked files show military forces’ detailed monitoring of media outlets, journalists, activists, and human rights defenders. According to the BBC, there are lists of journalists classified as “for” and “against” the government.
The attention turned to Mexico’s SEDENA in the “Ejército Espía” investigation. In a joint effort, digital rights groups R3D, Article 19 México and Central America, SocialTIC, and Citizen Lab gathered evidence that at least two journalists and one human rights defender, working on issues related to Armed Forces’ human rights violations, suffered attacks from NSO Group’s Pegasus malicious software between 2019 and 2021. The evidence also supports claims that SEDENA purchased a remote monitoring system from a private vendor that is the exclusive Pegasus representative in México.
Such findings contradict President Obrador’s multiple promises that his government didn’t have contracts with malware companies and would not use spying systems against journalists and human rights defenders. The author organizations stress that the Army does not even have the legal power to intercept the private communications of civilians. In fact, Mexican law does not clearly and specifically regulate the use of malware, despite evidence of its recurrent use in the country.
Again and Again: The Spread of Government Hacking With No Safeguards
As we have pointed out, the widespread government use of malicious software without strict necessity and proportionality standards, strong due process safeguards, and effective controls have repeatedly shown dire consequences and led to a growing call for states to halt the use of malware in the absence of robust safeguards and mechanisms ensuring the protection of human rights. While regulatory initiatives currently in place in the region do not live up to this task, government use of malicious software continues to grow.
The digital rights group IP.rec underlined this trend in Brazil in a thorough investigation about the exploitation of vulnerabilities by the government hacking of digital devices. IP.rec’s report includes both remote-access software, like Pegasus, and mobile device forensic tools (MDFT), such as Cellebrite, which generally involves physical access to the device. The research found contracts for the acquisition of hacking tools with the Ministry of Defense and the Ministry of Justice, at the federal level, and with law enforcement bodies in all Brazilian states. Verint Systems figures in as the main provider of remote-access tools. The Israeli company or its subsidiaries have contracts with Brazil’s Ministry of Defense and government entities in states like São Paulo, Alagoas, and Pará. The report highlights that Pará’s governor, Helder Barbalho, used the Verint tool the Civil Police acquired to spy on those investigating a corruption scheme in purchases of respirators during the Covid-19 pandemic.
IP.rec’s report raises concerns on the analogue application of other legal surveillance measures, such as search and seizure and telephone interception, to the use of government hacking tools. Since Brazilian law doesn’t have a specific regulation on the issue, law enforcement relies on broad interpretations of current law to employ hacking tools. However, requirements and safeguards of former surveillance measures don’t properly reflect the intrusiveness of the tools at stake. An ongoing legislative discussion to modify Brazil’s Criminal Procedure Code allegedly aims to bridge this gap. Versions of the bill sought to authorize law enforcement access to electronic evidence through forced access and remote collection. EFF worked closely with Brazil’s coalition of digital rights organizations, Coalizão Direitos na Rede, to stress the flaws of the bill. The bill’s current text dropped the provision authorizing remote collection of data, but the rule on forced access still remains and lacks robust safeguards.
Tackling Vulnerabilities While Ensuring Expression, Privacy and Security
The security vulnerabilities of electronic systems and devices open a dangerous backdoor to our daily communications, movements, and lives, as well as to governments’ and companies’ critical systems and databases. Government cybersecurity concerns should translate into incentives and actions to fix security vulnerabilities, instead of exploiting and perpetuating them. They should translate into the adoption and support of strong encryption in systems and devices, instead of repeated attempts to undermine the foundations of encryption. Government cybersecurity concerns should also entail the protection of security researchers and developers of secure software, instead of persecuting them based on vague cybercrime laws or problematic interpretations of cybercrime provisions. Finally, they should not result in policies that oppose privacy and security, but in measures that recognize both rights are intrinsically related.
Arbitrary government surveillance practices endanger people’s security and well-being. The application of human rights standards to government surveillance is a persistent challenge in the region. A case brought before the Inter-American Court of Human Rights (IA Court) this year, where EFF and partner orgs filed an amicus, provides a crucial opportunity for the IA Court to ensure inter-American human rights standards serve as a check on unparalleled surveillance powers in the digital age. EFF will keep monitoring developments and advocating that privacy, expression, security, and the protection of human rights always go hand in hand.