Mexico is by far the biggest paying client of Hacking Team, the Italian cyber-surveillance firm now at the center of a massive hack of its internal data, documents show.
The country has paid more than $6.3 million to help it spy on its targets, topping the nearest state client Italy by $1.9 million. A graph leaked online and linked to the firm shows Mexico, Italy, and Morocco are the highest paying clients of Hacking Team, followed by Saudi Arabia, Chile, and Hungary.
At least 14 Mexican states and government agencies have hired the company's services since 2010, with Mexico's interior ministry being the most recurrent client.
A day after the documents began circulating, Mexico's interior minister Miguel Angel Osorio Chong acknowledged the government had hired Hacking Team's services, but that it occurred during the administration of the previous president, Felipe Calderon.
Osorio Chong, pictured above, denied the existence of any spying software purchases by the current government of President Enrique Peña Nieto.
However, leaked documents tell a different story, with CISEN, Mexico's civil national-security intelligence service, listed as one of Hacking Team's active clients — and one that pays a lot.
The agency has a registered purchase of surveillance software for $224,000, which was paid just this April.
Hacking Team sells surveillance software such as Galileo that permits clients to tap into smartphones and remotely activate recorders and microphones. The company was hacked on Sunday, and digital-rights advocates have since been poring over the dumped data to find relevant information.
The dump on Hacking Team has already revealed that the US Drug Enforcement Administration is tracking Internet traffic in Colombia.
The Mexican government's surveillance on citizens is not a new issue. In 2014, a civil organization called ContingenciaMX denounced the government's use of the hacking software FinFisher, as well as the lack of transparency on the handling of personal data and citizens' privacy.
The Mexican federal police, navy, attorney general's office, and army are among those agencies listed on the leaked accounts, but many are marked under an "expired" or "inactive" status. Several Mexican states also purchased surveillance products from the firm, including Queretaro, Puebla, Campeche, Yucatan, Durango, Jalisco, Tamaulipas, and the State of Mexico.
Regions represented by these states are suffering soaring drug-related violence and allegations of corruption among government officials or extrajudicial massacres of civilians at the hands of the armed forces.
Reached by VICE News, federal public affairs officials declined to comment or elaborate on Osorio Chong's statements.
Mexican observers expressed worry that most of the Hacking Team client agencies in Mexico are not legally entitled to carry out surveillance operations.
Luis Fernando Garcia, director of digital-rights advocacy group R3D in Mexico, told VICE News in an interview that the hacked data raises alarming questions about what exactly these Mexican agencies are doing with the tools sold by Hacking Team, or if espionage products have fallen into the hands of powerful organized-crime groups.
"According to Article 16 of the [Mexican] constitution, only prosecutors and federal agencies such as CISEN are permitted to spy under the law, not the military, and not any state-level governments, for starters," Garcia said. "And those who can must justify the necessity to use these tools, and it all has to be regulated in very specific channels."
That doesn't appear to be happening, Garcia added, as the leaked info preliminarily suggests Mexican agencies are using third parties to purchase Hacking Team's surveillance products, "in an effort to mask" the spying.
"We know that this isn't the only company that sells these products to Mexico," he said. "The espionage could be much more generalized, so it's very worrying, much more worrying than what we imagined before the leak."
Follow @VICENews on Twitter for updates on the drug war in Mexico.