PIEN HUANG, HOST:
This week, lawmakers in Mexico said they would launch a federal commission to look into potential human rights abuses by the country's military. Specifically, they want to look into whether the government and military were using cellphone-based spyware to spy on human rights activists and journalists. This inquiry was set off by a report from two digital rights groups, R3D, based in Mexico, and Citizen Lab at the University of Toronto. These groups work to protect privacy and human rights in the digital space. Dina Temple-Raston is host of "Click Here." That's a podcast that focuses on cybersecurity and intelligence. She's also a former NPR correspondent who's covered these topics. And she was part of a group of journalists who got an early look at the report. And she's with us now. Welcome, Dina.
DINA TEMPLE-RASTON: Thank you.
HUANG: So, Dina, let's start with the powerful spyware that's at the heart of the story. It's called Pegasus. Remind us what exactly it is, and how does it work?
TEMPLE-RASTON: It's something called zero-click malware, so you don't have to open anything or click anything. Instead, what it does is it targets vulnerabilities in your phone's operating system. And then once it's infected your phone, it basically has carte blanche. It can read your texts. It can hear your calls. It can even take over your camera. So it essentially becomes like a spy in your pocket. And it's made by an Israeli company called NSO Group. Back in November, the Biden administration blacklisted the company, saying it knowingly supplied spyware that had been used by foreign governments to maliciously target the phones of dissidents, human rights activists and journalists. And this latest news from Mexico, in which a human rights activist named Raymundo Ramos was targeted, that's just the latest iteration of all of this.
HUANG: So, Raymundo Ramos, tell us a little bit about him and why they put Pegasus on his phone.
TEMPLE-RASTON: So he's a local human rights activist, and he was investigating a 2020 shooting in the border town of Nuevo Laredo. That's right across from the Rio Grande from Laredo, Texas. And the shooting happened at the hands of the army. And after it happened, the army came out and claimed it shot and killed a dozen cartel members. And then this video comes out. It's a kind of body cam video that was leaked. And it seemed to fly directly in the face of what the military said happened. And in this video, no one is shooting back at the military. People appear to have their hands bound behind their backs. And it had all the hallmarks of an extrajudicial killing. And right around that time that the video was released, it turns out that Ramos's phone was infected with Pegasus spyware. And he knows this because Citizen Lab, this digital rights group at the University of Toronto, ran these diagnostics on his phone, and they found all the hallmarks of Pegasus there.
HUANG: OK. So then Citizen Lab worked with a local digital rights group to dig into this more. And what did they find?
TEMPLE-RASTON: Well, the local digital rights group is called R3D, and they've been publishing reports on spyware in Mexico for years. And they'd had a lot of circumstantial evidence that spyware was being used there, but they didn't have a smoking gun. And, you know, as you know, journalists love paper because it's contemporaneous evidence that something has happened. And R3D got some leaked documents that included contracts, communications and emails that made it incredibly clear that not only was the army using Pegasus, but they were specifically using it against Ramos and anybody else who was looking into that controversial 2020 shooting. We have some tape from Luis Fernando Garcia, who's the executive director of R3D, and he talks about what they found.
LUIS FERNANDO GARCIA: We have the number of the contract with the date of the contract, the amounts paid for the contract. So that solidified our belief that the army was not only spying on human rights defenders or journalists, but they were actively trying to hide the information related to this and lying to different authorities.
TEMPLE-RASTON: You know, they even found some evidence of a secret military unit called CMI, and it was in charge of using these high-tech spying techniques to vacuum up communications. The CMI memo that they found even had a logo, the names of officers who were part of it, and in the document, the thing that they were most worried about when it came to CMI was anybody finding out that that agency existed.
HUANG: Before we let you go, Dina, I know that you've been spending a lot of time reporting this story, thinking about it. What are some of the consequences of the Mexican government spying on its citizens? Like, are there broader implications to the story?
TEMPLE-RASTON: Yes, there are. I mean, the context here is really important. The army in Mexico isn't just about national defense. It controls the ports. It builds roads and airports. It owns banks. When you have this kind of concentrated power, there needs to be some sort of accountability. And R3D, that digital rights group based in Mexico, confirmed that this was not legally sanctioned surveillance that they discovered. And the broader point is that it isn't just Mexico. The spyware industry is global now. And we've done lots of stories about this, about authoritarians who can now target dissidents halfway across the world with Pegasus. And they don't have to physically send anyone, which is quite expensive. All they have to do is buy a license from Pegasus and target a phone. And we're clearly seeing that it's not just dissidents and activists. U.S. State Department employees have been targeted. People who happen to be in the orbit of someone somebody wants to target have been in the crosshairs of this. And John Scott-Railton, the researcher from Citizen Lab we heard from before, he talked a little bit about this.
JOHN SCOTT-RAILTON: It's not just the highest-profile people that were targeted with Pegasus. It's their friends, their lovers, their softball coach. People around them who might have access to them were targeted as well.
TEMPLE-RASTON: And history has shown that spyware goes far beyond dissidents and activists. Anybody, anybody at all could be targeted.
HUANG: That was Dina Temple-Raston of "Click Here." That's a podcast that focuses on cybersecurity and intelligence issues. Dina Temple-Raston, thanks for sharing your reporting with us.
TEMPLE-RASTON: You're welcome.
Transcript provided by NPR, Copyright NPR.