Next Score View the next score

    Restricted spyware used to harass advocates of Mexico’s soda tax

    SAN FRANCISCO — Last summer, the phone of Dr. Simón Barquera, director of nutrition policy at Mexico’s National Institute of Public Health, started buzzing with a series of disturbing text messages from unknown numbers.

    One said his daughter had been in a serious accident. Another claimed to be from a friend whose father had died — with a link to funeral details. Yet another message informed him that a Mexican news outlet had accused him of negligence, again with a link.

    In more menacing messages, someone claimed to be sleeping with Barquera’s wife. That included a link to what the sender claimed was photo evidence of their affair.


    That same week, Luis Manuel Encarnación, then director at Fundación Mídete, a foundation in Mexico City that battles obesity, also started receiving strange messages with links. When he clicked, Encarnación was ominously redirected to Gayosso, Mexico’s largest funeral service.

    Get Ground Game in your inbox:
    Daily updates and analysis on national politics from James Pindell.
    Thank you for signing up! Sign up for more newsletters here

    The messages Encarnación received were identical to texts sent to Alejandro Calvillo, founder of El Poder del Consumidor, yet another Mexico City organization that has been at the forefront of battling childhood obesity in the country.

    What the men had in common was this: All were vocal proponents of Mexico’s 2014 soda tax, the first national soda tax of its kind. It is aimed at reducing consumption of sugary drinks in Mexico, where weight-related diseases kill more people every year than violent crime.

    The links sent to the men were laced with an invasive form of spyware developed by NSO Group, an Israeli cyberarms dealer that sells its digital spy tools exclusively to governments and that has contracts with multiple agencies inside Mexico, according to company e-mails leaked to The New York Times last year.

    NSO Group and the dozens of other commercial spyware outfits that have cropped up around the globe over the past decade operate in a largely unregulated market. Spyware makers like NSO Group, Hacking Team in Italy, and Gamma Group in Britain insist they sell tools only to governments for criminal and terrorism investigations.


    But it is left to government agents to decide whom they will and will not hack with spying tools that can trace a target’s every phone call, text message, e-mail, keystroke, location, sound, and sight.

    The discovery of NSO’s spyware on the phones of Mexican nutrition policymakers, activists, and even government employees, like Barquera, raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.

    The soda industry has poured over $67 million into defeating state and local efforts to regulate soft drink sales in the United States since 2009, according to the Center for Science in the Public Interest. But the tax in Mexico — Coca-Cola’s biggest consumer market by per capita consumption — posed an exceptional threat.

    After the tax passed in 2014, Coca-Cola pledged $8.2 billion worth of investments in Mexico through 2020. And soda makers have lobbied against the tax through industry groups, like ConMéxico, which represents Coca-Cola and PepsiCo.

    Lorena Cerdán, director of ConMéxico, said the group had no knowledge of, or part in, the mobile hacking.


    The timing of the hacking coincided with a planned effort by advocacy organizations and health researchers — including Barquera, Calvillo, and Encarnación — to coordinate a mass media campaign to build support for doubling the soda tax, an effort that stalled in Mexico’s Congress in November.

    The texts included an invasive form of spyware developed by a cyberarms dealer that sells its digital spy tools exclusively to governments.

    “This is proof that surveillance in Mexico is out of control,” said Luis Fernando García, director of the Red en Defensa de los Derechos Digitales, a Mexican digital rights nonprofit.

    NSO Group’s spyware is increasingly turning up on the phones of journalists, dissidents, and human rights activists. The spyware was discovered on the phone of a human-rights activist in the United Arab Emirates and a prominent Mexican journalist in August.

    In interviews and statements, NSO Groupclaims to sell its spyware only to law enforcement agencies to track terrorists, criminals, and drug lords. NSO executives point to technical safeguards that prevent clients from sharing its spy tools.

    An NSO spokesman said the company had no knowledge of the tracking of health researchers and advocates inside Mexico.