Mexico: Access to databases of personal information by police or a third party, including who has access; recent data breaches; use of spyware; state's response (2017–July 2021)
1. Plataforma México
1.1 Overview
In an October 2018 budgetary program report, Mexico's Ministry of the Interior (Secretaría de Gobernación, SEGOB) states that Plataforma México is a system of information designed [translation] "to support the performance of the country's public security institutions" (Mexico Oct. 2018, 3). The same source notes that as of September 2018, the platform contained over 100 databases, 793 million records, and 60 information systems, as well as 900 connected government agencies, 13,254 active users, and 203.5 million searches across the three levels of government (Mexico Oct. 2018, 3–4).
A December 2018 article in Capital México, a daily newspaper based in Mexico, indicates that should an individual be detained, for example for a traffic violation, [translation] "Plataforma México can find out if they are accused of any crime in the country, if they've been arrested, if they have any pending [court injunctions] or any other criminal history" (Capital México 8 Dec. 2018). According to the General Organization Manual of the Secretariat of Security and Citizen Protection (Manual de Organización General de la Secretaría De Seguridad y Protección Ciudadana) published in Mexico's Official Journal of the Federation (Diario Oficial de la Federación, DOF) in December 2020, the Subsecretary of Public Safety (Subsecretaría de Seguridad Pública, SSC), is responsible for developing the interconnectivity of Plataforma México (Mexico 4 Dec. 2020, 25).
1.2 Integration of Public Security Databases
According to the website of the Government of the state of San Luis Potosí, the databases found in Plataforma México include the following:
[translation]
- Certified Police Reports (Informe Policial Homologado),
- Driver's License Registry (Registro de Licencias de Conducir),
- National Registry of Arms and Equipment (Registro Nacional de Armamento y Equipo),
- National Registry of Penitentiary Information (Registro Nacional de Información Penitenciaria),
- National Registry of Public Security Personnel (Registro Nacional de Personal de Seguridad Pública),
- Stolen and Recovered Vehicles (Vehículos Robados y Recuperados),
- Automated Fingerprint Identification System (Sistema Automatizado de Identifi cación Dactilar),
- Automated Voice Identification System (Sistema Automatizado de Identificación de Voz), and
- DNA (ADN) (San Luis Potosí n.d.).
According to Mexico's report on its National Public Security Strategy, the Vehicle Monitoring System (Puntos de Monitoreo Vehicular, PMV), a tool [translation] "to identify stolen vehicles," had 80 percent of its vehicle monitoring devices "operational and interconnected with Plataforma México" (Mexico Apr. 2021, 147). The same source states that since 2005, the Public Vehicle Registry has accumulated the registration of over 56 million vehicles (Mexico Apr. 2021, 147).
Mexico's report on its National Public Security Strategy indicates that the National Registry of Public Security Personnel comprises 2,286,274 registrations of public security personnel, including those employed by private security firms, 38.6 percent of which are active personnel (Mexico Apr. 2021, 146–147). According to the website of the Government of the state of San Luis Potosí, the voice identification database includes the samples of all public and private security personnel and applicants alike, as well as accused, sentenced, and/or indicted individuals (San Luis Potosí n.d.).
1.3 Authorized Access
A 2007 bulletin published on the SEGOB website indicates that Plataforma México was established to provide public security agencies from all three levels of government with the needed information (Mexico 29 March 2007). The website of the Government of the state of San Luis Potosí further states that the scope of application of Plataforma México includes the following agencies:
[translation]
Public Security Agencies and Institutions in the three levels of government.
Federal and State Attorney General's Offices.
Federal, State and Municipal Detention Centers.
Certification, Accreditation and Confidence Control Centers or homologous.
State Public Security Councils.
Academies and Institutes of Public Security and Justice Procurement.
Federal Government agencies and institutions that require permission to access the tools and/or applications of Plataforma México. (San Luis Potosí n.d.)
An October 2017 article published by Abogacia.mx, an online reference portal for accessing legal services in eight countries including Mexico (Abogacia.mx n.d.), indicates that government institutions are the only entities that have access to Plataforma México (Abogacia.mx 2 Oct. 2017). The same source, citing the Mexican government, notes that the platform, [translation] "is designed so that no one has access to all the data" (Abogacia.mx 2 Oct. 2017). Corroborating information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.
In its report on the National Public Security Strategy, the Secretariat of Security and Citizen Protection (Secretaría De Seguridad y Protección Ciudadana, SSPC) states that as of March 2021, the systems of the Police and the Prosecutor's office are interconnected with the National Register of Detention (Registro Nacional de Detenciones) and that 522,045 accounts have been granted access (Mexico Apr. 2021, 142–143). The same source also states that the National Register of Detention [translation] "allows the public to know, at the national level, the status of any person detained for the alleged commission of common law crimes" and is "publicly accessible online" (Mexico Apr. 2021, 143, 146). Similarly, Milenio, a Mexico-based daily newspaper, reports that the National Register of Detention has two portals connected to Plataforma México, one that is exclusive to police and public ministries across Mexico, and another for free public access, [translation] "where any citizen can find out if a person was detained and verify the public security or law enforcement institution involved, as well as the exact place where the person is located" (Milenio 30 Nov. 2019). According to the official website of the SSPC's National Register of Detention, the information required to look up an individual in the registry includes their first and last name(s) (Mexico [2021]).
1.4 Unauthorized Access
Information on unauthorized access to Plataforma México, including by third parties, could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.
2. Data Breaches
Information on public security data breaches, including Plataforma México and other integrated databases and systems, could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.
According to the Network for the Defense of Digital Rights (Red en Defensa de los Derechos Digitales, R3D), a Mexican organization that advocates for human rights in the digital sphere (R3D n.d.), a database from the Mexican Institute of Social Security (Instituto Mexicano del Seguro Social, IMSS) with 42 million records containing data such as name, [Unique Population Registration Code (Clave Única de Registro de Población, CURP)], and base salary, as well as employer name and address were posted for sale on 22 January 2021 in an online forum (R3D 26 Jan. 2021). The same source notes that, on 25 January 2021, another seller on a forum was selling the databases of organizations such as the Federal Electricity Commission (Comisión Federal de Electricidad), the National Election Institute (Instituto Nacional Electoral, INE), the Institute of Security and Social Services of the State Workers (Instituto de Seguridad y Servicios Sociales de los Trabajadores del Estado), and the Institute of the National Housing Fund for Workers (Instituto del Fondo Nacional de la Vivienda para los Trabajadores) (R3D 26 Jan. 2021). Without providing further details, a February 2021 update to the same R3D article indicates that the 25 January posted sales of the databases were removed (R3D 26 Jan. 2021). Corroborating information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.
3. Use of Spyware
According to a communiqué published on the Mexican government's website, the Secretary of the SSPC gave a press conference on espionage activities from 2012 to 2018 carried out by the previous Mexican administrations using the software Pegasus belonging to a company called NSO Group (Mexico 28 July 2021). According to the Secretary of the SSPC, [translation] "[t]he privacy of journalists, politicians, social activists, businessmen, rights defenders, public servants and legislators was violated" (Mexico 28 July 2021). According to a July 2021 investigative report published by the Washington Post, based on a collective investigative project called the Pegasus Project [1], carried out by the media consortium Forbidden Stories in partnership with multiple media organizations and with technical analysis from Amnesty International, the NSO Group is "an Israeli firm that is a worldwide leader in cybersurveillance" who has licensed the Pegasus software to multiple "intelligence, military and law enforcement agencies in 40 countries," including in Mexico (The Washington Post 18 July 2021). The secretary of the SSPC indicated in their press conference that agencies of the previous Mexican administrations had "31 contracts" with companies directly or allegedly associated with NSO Group, including the federal police, the attorney general's office and the Center for Investigation and National Security (Centro Nacional de Inteligencia, CISEN) (Mexico 28 July 2021). Similarly, an investigation conducted by Mexico-based online news media platforms Proceso and Aristegui Noticias as part of the Pegasus Project, reported that other entities linked to the purchase of Pegasus spyware in Mexico include the National Water Commission (Comisión Nacional del Agua, Conagua), the Federal Protection Service (Servicio de la Protección Federal, Seprofe), the Federal Police, the National Migration Institute (Instituto Nacional de Migración), the Ministry of Communications and Transport (Secretaría de Comunicaciones y Transportes, SCT), as well as the Secretariats of the Navy and Army (Secretarías de Marina-Armada de México, Semar), and National Defense (Defensa Nacional, Sedena) (Proceso 21 July 2021).
The Washington Post indicates that more than 15,000 phone numbers in Mexico, namely of political figures, union representatives, journalists, and government critics, appeared on a list of phone numbers infected by the software (The Washington Post 18 July 2021). According to Al Jazeera, President Andrés Manuel López Obrador was also targeted by the spyware when they were a presidential candidate between 2016 and 2017, as well as 50 people close to them including his spouse, children, drivers, and cardiologist (Al Jazeera 29 July 2021).
The Washington Post reports that a former head of the CISEN (2006 to 2011) called the software "'very useful for combatting organized crime'," but noted "'the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain'" (The Washington Post 18 July 2021). An investigation on the use of spyware against Mexican journalists by Forbidden Stories quotes a "senior [US Drug Enforcement Administration (DEA)] official," stating that "police with access to cyber surveillance technology sell it to cartels" (Forbidden Stories n.d.a). According to Proceso and Aristegui Noticiasas part of the Pegasus Project, the Attorney General's Office (Fiscalía General de la República, FGR) reported that there was also evidence showing the use of the Pegasus spyware in private offices (Proceso 21 July 2021).
4. State Response
4.1 Data Protection
Sources report that the data protection authority in Mexico is the Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales, INAI), which at once oversees access to public information on government affairs and ensures compliance with citizens' rights to privacy and data protection (CMS 19 Feb. 2021, 3; CREEL [2017]; HRW 28 Jan. 2021). Milenio reports that between October 2018 and November 2019, "at least 30" lawsuits have been launched against the INAI by President López Obrador's administration to prevent information from being released by entities such as the Federal Attorney General's Office and National Defence, following INAI's resolutions (Milenio 11 Mar. 2020).
According to CMS, an international law firm that provides services to organizations and businesses (CMS n.d.), the existing data protection legislation in Mexico requires government entities, but not private parties, to advise the INAI of data breaches (CMS 19 Feb. 2021, 7). The same source notes that private parties must, however, notify subjects of any personal data breach (CMS 19 Feb. 2021, 7).
4.2 Spyware
According to the Associated Press (AP), since taking office in 2018, President López Obrador has vowed to discontinue the use of spyware, and according to the head of Mexico's Financial Intelligence Unit, no transactions [for the acquisition of spyware] have been detected in the current administration (AP 28 July 2021). According to the SSPC's communiqué, the current government holds as its [translation] "fundamental premise" the values of freedom and transparency and asserts that the days of targeting political opponents and conducting espionage activities have ended (Mexico 28 July 2021). An article by Reuters indicates that state prosecutors leading the investigation into the use of the Pegasus spyware have still not identified the parties responsible, and "the office leading the probe was one of the entities that first bought the military-grade Israeli spyware" (Reuters 9 Aug. 2021). The same source states that to date, no one has been arrested or dismissed over the use of the spyware, and further quotes a digital rights activist involved in the lawsuit stating that "in four years, the investigation has not produced any type of meaningful results" (Reuters 9 Aug. 2021). According to a cybersecurity expert interviewed by Al Jazeera, regulation and legislation for the oversight of spyware use by private parties, are few or inexistant, "and virtually anyone is at risk" (Al Jazeera 29 July 2021). The same source quotes a security expert saying that "there has not been any punishment or clear legislation or regulation that could in some way hold those responsible – even less so when the government is the one doing it" (Al Jazeera 29 July 2021).
This Response was prepared after researching publicly accessible information currently available to the Research Directorate within time constraints. This Response is not, and does not purport to be, conclusive as to the merit of any particular claim for refugee protection. Please find below the list of sources consulted in researching this Information Request.
Note
[1] The Pegasus Project is a coordinated investigative project undertaken by Forbidden Stories, a media consortium in partnership with a collective of 17 media organizations, including the Guardian, the Washington Post and Proseco (Forbidden Stories n.d.b). The project also had technical support provided by Amnesty International's Security Lab (Forbidden Stories n.d.b). Forbidden Stories is a "global network of investigative journalists whose mission is to continue the work of reporters who are threatened, censored or killed" (The Guardian 7 Dec. 2020). The project began when Forbidden Stories got access to a leak of over 50,000 phone numbers in over 50 countries, including Mexico (Forbidden Stories n.d.b).
References
Abogacia.mx. 2 October 2017. "¿Qué es Plataforma México?" [Accessed 25 Aug. 2021]
Abogacia.mx. N.d. "Quiénes Somos." [Accessed 31 Aug. 2021]
Al Jazeera. 29 July 2021. Jihan Abdalla. "Rights Group Calls for Moratorium on the Use of Spyware in Mexico." [Accessed 17 Aug. 2021]
Associated Press (AP). 28 July 2021. "Mexico Says Officials Spent $61 Million on Pegasus Spyware." [Accessed 17 Aug. 2021]
Capital México. 8 December 2018. "Para qué sirve la Plataforma México." [Accessed 17 Aug. 2021]
CMS. 19 February 2021. Cesar Armando Lechuga Perezanta. Data Protection and Cybersecurity Laws in Mexico. [Accessed 4 Aug. 2021]
CMS. N.d. "About Us." [Accessed 31 Aug. 2021]
CREEL. [2017]. "General Law for the Protection of Personal Data." [Accessed 26 Aug. 2021]
Forbidden Stories. N.d.a. "Spying on Mexican Journalists: Investigating the Lucrative Market of Cyber-Surveillance" [Accessed 10 Sept. 2021]
Forbidden Stories. N.d.b. "About the Pegasus Project." [Accessed 2 Sept. 2021]
The Guardian. 7 December 2020. Nina Lakhani and Cecil Schillis-Gallego. "'It's a Free-for-All': How Hi-Tech Spyware Ends up in the Hands of Mexico's Cartels." [Accessed 2 Sept. 2021]
Human Rights Watch (HRW). 28 January 2021. "Mexico: Public Accountability, Privacy Under Threat." [Accessed 24 Aug. 2021]
Mexico. 28 July 2021. Secretaría de Seguridad y Protección Ciudadana (SSPC). "Contrator de software espía afectaron al erario por mil 970 mdp, además de 61.3 mdd." [Accessed 12 Aug. 2021]
Mexico. April 2021. Secretaría de Seguridad y Protección Ciudadana (SSPC). Estrategia Nacional de Seguridad Pública. Segundo Informe Anual. [Accessed 11 Aug. 2021]
Mexico. [2021]. Secretaría de Seguridad y Protección Ciudadana (SSPC). "Consulta detenciones." [Accessed 13 Sept. 2021]
Mexico. 4 December 2020. Manual de Organización General de la Secretaría de Seguridad y Protección Ciudadana. [Accessed 11 Aug. 2021]
Mexico. October 2018. Secretaría de Gobernación (SEGOB), Comisionado Nacional de Seguridad (CNS). Libro Blanco del Programa Presupuestario R903 "Plataforma México." [Accessed 9 Aug. 2021]
Milenio. 11 March 2020. Rafael Montes. "Al menos 30 amparos 'frenan' resoluciones del INAI durante ultimo año." [Accessed 24 Aug. 2021]
Milenio. 30 November 2019. Verónica Díaz. "Registro Nacional de Detenciones tiene 413 altas a una semana de lanzamiento." [Accessed 24 Aug. 2021]
Proceso. 21 July 2021. Carmen Aristegui, Juan Omar Fierro, and Sebastián Barragán. "Pegasus Project: la red de empresas que vendió Pegasus al gobierno de Peña Nieto." [Accessed 24 Aug. 2021]
Red en Defensa de los Derechos Digitales (R3D). 26 January 2021. "A la venta, bases de datos de BBVA, Santander e IMSS con millones de registros." [Accessed 24 Aug. 2021]
Red en Defensa de los Derechos Digitales (R3D). N.d. "Quiénes Somos." [Accessed 31 Aug. 2021]
Reuters. 9 August 2021. Avi Asher-Schapiro and Christine Murray. "INSIGHT-Pegasus Spyware Scandal: Years of Questions, no Answers for Mexico Victims." [Accessed 30 Aug. 2021]
San Luis Potosí. N.d. Secretariado Ejecutivo del Consejo Estatal de Seguridad Pública del Estado de San Luis Potosí. "Plataforma México." [Accessed 8 Sept. 2021]
The Washington Post. 28 July 2021. Leo Schwartz. "Mexico's Shockingly Broad Use of Spyware Is a Revelation. Nothing Will Change." [Accessed 24 Aug. 2021]
The Washington Post. 18 July 2021. Dana Priest, Craig Timberg, and Souad Mekhennet. Private Israeli Spyware Used to Hack Cellphones of Journalists, Activists Worldwide. [Accessed 10 Aug. 2021]
Additional Sources Consulted
Oral sources: Adjunct professor at an American university whose research focuses on, among other topics, democratic governance and human rights in Latin America, as well as police reform in Mexico; assistant professor at an American university whose research includes access to information institutions in Mexico; associate professor of political science at an American university whose research has included publications on access to information and data in Mexico; International Crisis Group; Mexico-based law firm.
Internet sites, including: Amnesty International; Committee to Protect Journalists; Council on Foreign Relations; ecoi.net; El Universal; Factiva; Freedom House; The Guardian; Justice in Mexico; La Jornada; The Law Reviews; Mexico – Dirección General de Transparencia y Archivos, Fiscalía General de la República, Instituto Nacional de Acceso a la Información y Protección de Datos Personales, Policía Federal, Secretaría de la Función Pública; National Security Archive; NewTechMag.net; The New York Times; Organisation for Economic Co-operation and Development; Privacy International; Scientific American; SDP Noticias; Time; UN – Office on Drugs and Crime, Refworld.