Privacy International 46 Bedford Row London WC1R 4LR United Kingdom Tel: +44 (0) 20 7242 2836 Email:

info@privacy.org

Federal Institute for Access to Public Information and Data Protection Av. Insurgentes Sur #3211 Col. Insurgentes Cuicuilco Delegacin Coyoacn C.P. 04530 Distrito Federal Mexico Via email: atencion@ifai.org.mx

London, 3 July 2013 Re: Citizen Lab evidence in verification requests IFAI/SPDP/DGV/544/2013 and IFAI/SPDP/DGV/545/2013 with numbers

Dear Sirs, We write to you in relation to verification requests IFAI/SPDP/DGV/544/2013 and IFAI/SPDP/DGV/545/2013 that were filed on 21 June 2013 by among others Propuesta Civica A.C., A Consumidor and Contingente MX. In these requests, reference was made to recent publications of Citizen Lab. Privacy International works closely with Citizen Lab to investigate the use of intrusive surveillance technology for a wide range of human rights abuses. Privacy International Privacy International is a UK-registered charity that works to defend and promote the right to privacy. Privacy International is a leading expert on the right to privacy at an international level. As such it is frequently called upon to give expert testimony to parliamentary and governmental committees around the world. It has advised and reported to international organisations such as the Council of Europe, the European Parliament, the Organization for Economic Cooperation and Development and the United Nations. We campaign for a world in which privacy is protected by governments, and where technological developments strengthen rather than undermine the right to privacy. As such, we run a project that specifically focuses on the international trade in surveillance equipment and technology. We are concerned that this equipment and technology is being exported to countries around the world where

it is used for a wide range of abuses, including not only serious breaches of the right to privacy but also breaches of the right to free association and free expression. Citizen Lab The verification requests that were filed on 21 June 2013 refer to recent publications of Citizen Lab. The Citizen Lab is an interdisciplinary research centre based at the Munk School of Global Affairs at the University of Toronto, Canada. It is independent of governments and does not have any corporate interests. With a focus on advanced research and development at the intersection of digital media, global security, and human rights, its mission is to undertake advanced research and engage in development that monitors, analyses, and impacts the exercise of political power in cyberspace. In order to pursue this mission, Citizen Lab researchers work with leading edge research centers, organizations, and individuals around the world, combining technical analysis with intensive field research, qualitative social science, and legal and policy analysis methods undertaken by subject matter experts. Their research is supported by solid data and undergoes a rigorous review process before it is published. It is considered authoritative and is often referred to by media outlets. Citizen Lab has carried out extensive research into human rights violations in a digital environment, including censorship, surveillance tools and malicious attacks on individual computers and other devices. In a series of reports on this topic, Citizen Lab has convincingly demonstrated how the computers and phones of pro democracy activists and political opposition members across the world have been targeted using malicious software produced by a British company called Gamma International. The reports describe how Gamma Internationals main product FinFisher works to covertly install software onto a targets computer or mobile phone without their knowledge. This is accomplished by tricking the user into opening attachments or downloading fake updates from what appear to be legitimate sources such as BlackBerry, iTunes or Adobe Flash. Once the user opens the attachment or accepts the updates, the computer or phone becomes infected, enabling a third party who has infected the device to gain full access to any information it holds or obtains in the future, the third party can view all of the users emails, social messaging and Skype calls once the computer is infected. FinFisher also enables the third party to remotely switch on microphones and cameras on a computer or mobile phone, turning the devices into bugs. Once it has infected an electronic device, FinFisher cannot be detected by anti virus or anti spyware software. Citizen Labs reports are in line with our findings. Over the past few years, Privacy International has carried out an extensive investigation into the sale of surveillance technology. We have obtained a large amount of Gamma Internationals company materials such as brochures and presentations at international surveillance trade shows. These materials demonstrate in detail that FinFisher is a particularly dangerous surveillance system, the use of which is very worrying from a human rights perspective.

Two of the Citizen Lab reports mention that Command & Control servers of FinFisher have been found in Mexico. Although the mere presence of a FinFisher Command & Control server in a country does not necessarily imply that this product is being used by Mexican intelligence or law enforcement authorities, Gamma has on multiple occasions commented that it only sells its technology to governments.1 Please do not hesitate to contact us should you have any questions. Kind regards,

Eric King Head of Research Privacy International

See for instance the Initial Assessment of the UK National Contact Point of the OECD in relation to a complaint Privacy International (para 8), which is available online at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/2 08112/bis-13-947-complaint-from-privacy-international-and-others-againstgamma-international-uk-ltd.pdf