Can there be a balance between security and freedom? To what extent is government and private surveillance valid under the pretext of safeguarding freedom? Does security sometimes restrict individual liberties? To address these questions, it is necessary to discuss the Mexican case of espionage that took place during the war against drug trafficking led by President Felipe Calderón, a civil conflict whose consequences are still ongoing.
In 2011, the Mexican government acquired software called Pegasus from NSO Group, an Israeli company dedicated exclusively to the development of intelligence software specialized in preventing terrorism, arms smuggling, car bombs, and suicide bombers that could infiltrate auditoriums, theaters, concerts, and other events. In addition, the company boasts that its applications can disrupt networks of pedophiles, drug trafficking, or human trafficking. It also emphasizes the rigorous ethics that underpin its developments. In light of this claim, it is necessary to ask: on what ethical principles does it base its philosophy and business policy? Despite being marketed as software to safeguard national security by preventing and combating terrorism and other crimes of this nature, its most well-known program is one that has the ability to spy on smartphones.
Within political philosophy, security and freedom are not opposing values, and one should not counteract the other. After the September 11 attacks and with the proliferation of the internet, a constant state of paranoia has been created regarding terrorism, leading states to allocate more resources to strengthen their security by intensifying surveillance in a field that has not been fully legislated: the internet.
In Mexico, for example, as of the time of writing (2023), the country is experiencing a civil conflict between the state forces and the large and growing drug trafficking cells that move their products across the national territory. Drug trafficking has gained significant power and influence, both in terms of arms and in the political and social spheres. The Pegasus software began operating in Mexico under the control of the Mexican armed forces, with the main objective of spying on members of large and emerging cartels, hoping that intercepting communications would provide key information or movements that would allow them to dismantle these groups in the least violent way possible for the state. In this case, despite the evident violation of privacy, surveillance was carried out for a greater good—to put an end to the cells that have pushed the country to the brink of becoming a failed state. From this perspective, espionage could be easily justified: the cartels maintain a state of terror in the population, so surveillance is seen as a coercive method to enforce more restrictive rules in the name of security.
Freedom has the capacity to limit itself: each person may exercise it, but others have the same right, so it is limited where it can cause harm to others. Security, on the other hand, aims to protect society as a whole through sanctions or regulations that safeguard the development of freedom, assuming that individual freedom is not above society. Therefore, once security is violated, it becomes easier for society to normalize surveillance over freedom, especially in a situation as distressing as the violence caused by drug cartels and the corruption that permeates political spheres on a daily basis.
Pegasus was not only used to monitor people within the cartels. The independent organization ARTICLE 19 MX-CA, which defends the right to freedom of expression, has documented 157 journalists killed from 2000 to the present, while also highlighting the regions where practicing this profession is most dangerous. But it’s not just journalists who have been murdered. In 2022 alone, 72 activists in Mexico were abducted by the police and later found dead. The most recent case is that of journalist Juan Arjón López, who disappeared on August 9, 2022, and was found dead a few days later on August 16. Regarding activists, the RDT Network published a document titled ‘Seeds of Dignity and Struggle: Situation of Defenders in Mexico,’ listing all the activists who were killed between 2019 and 2020.
Pegasus was used to spy on figures in the journalistic field, activism, and human rights defenders in the country over three presidential terms, with President Enrique Peña Nieto’s term being the most active in the use of the software. Pegasus is a powerful tool that allows complete access to the information on a mobile phone, leaving no traces of intrusion. It can access all the data within the device, including passwords and conversations. This should not be taken lightly, considering that a third party is eavesdropping on communications. Coincidentally, the most active years of the program were the ones that recorded more kidnappings, disappearances, and attacks on journalists and activists.
The French platform Forbidden Stories counted 15,000 devices tapped in Mexico. At this point, the software that was acquired to combat drug trafficking became a tool of terror for all those with interests divergent from those of the government.
There is no direct relationship between hacking, hacktivism, and this spying situation. What connects digital protest practices is the search for vulnerabilities in computer systems and the fact that a government used elite software to spy on both drug traffickers and activists, as well as political rivals.
Today, it is impossible to imagine a world without internet connectivity. Living without hyperconnectivity is simply impossible. Banking, socialization, and education have all been brought into this realm, with the great advantage that we can carry out banking transactions at any time of the day, interact with friends who are miles away from us, and even study at universities we never imagined we could reach. However, this exposes our personal data on a network that is increasingly less private and demands a greater understanding from those who use the services. This is closely linked to the fact that there is no system that is free from vulnerabilities, which creates both fascination and fear around the image of hackers.
Popular culture has given us an image of hackers as solitary individuals who spend 24/7 at the computer and, with just one command, gain access to the most valuable documents of public or private institutions. This image is closer to fantasy, as hackers operate within large communities, sharing knowledge of backdoors and exploits they have discovered through years of trial and error. Their goal is to expand their knowledge base. It is important to clarify that many of these hackers are not necessarily IT professionals. Many of them learned hacking out of pure curiosity and by immersing themselves in the knowledge of the community. This knowledge is mostly open and can be accessed by any curious individual who understands the subject matter or wishes to comprehend how it works.
A glimpse of the extensive history of hacking
The practice of hacking emerged in the 1960s with a group of MIT students who were using the newly acquired PDP-1 computer, one of the early models in this series. The computer took too long to start up, so this group of students spent their time in the university’s artificial intelligence department, playing practical jokes on each other. These pranks were called “hacks”, a term that referred to cutting something carelessly with a hatchet. Additionally, according to information from the BBC, there is an anecdote that goes as follows: “In one of the most extravagant examples, a replica of a police car that patrolled the university was placed on top of the MIT’s Great Dome.” With the introduction of computers into universities, the programming scene flourished, attracting individuals interested in understanding their functioning.
It is necessary to consider that, in addition to the required programming knowledge, creativity and curiosity are key elements. It is these traits that lead individuals to push software to its limits and seek ways to exploit its vulnerabilities. For years, discovering, exploring, and developing programs to patch errors or gain access through backdoors was seen as a great feat within the programming community, a term used to refer to computer enthusiasts.
As technology advances and becomes accessible to average households, the number of enthusiasts with different perspectives on hacking practices has exponentially increased. Communication among them has become more common through tools like Internet Relay Chat (IRC), an instant messaging system that allows written communication with people outside one’s geographical area. Moreover, IRC’s strength lies in its anonymity and the capacity to host channels on various topics. It was within these servers that hackers found a way to stay in touch, share knowledge, and provide feedback.
At this point, ideological and ethical differences began to emerge within the community, leading to the classification of hackers into the different groups we know today. In 1986, the United States Congress passed the Computer Fraud and Abuse Act, which criminalized computer-related offenses in an effort to reduce the piracy of sensitive information stored in institutions.
At this stage, hacking was no longer just a practice that tested the knowledge, curiosity, and creativity of those involved. As large companies began to establish their presence on the internet and became targets of attacks, a debate arose regarding hacker ethics. Many hackers disagreed with exploiting systems for profit or intentionally causing harm to network services.
What should a programmer do when they discover an open backdoor? Here, the ideals of these groups diverge. Is it always necessary to act maliciously? The answer they found was: NO.
From this premise, White Hat hackers emerge. Nowadays, any company that provides internet services has a cybersecurity department responsible for independently identifying vulnerabilities in their systems in order to patch the gaps that compromise security and strengthen it. It is important to clarify that White Hat hackers seek permission to conduct tests and practices to exploit systems.
They refer to themselves as ethical hackers because they adhere to an unwritten rule that does not require them to carry out potentially dangerous attacks. On the contrary, if they come across serious security issues, they will notify the respective institution so that they can correct the errors. They review their findings and provide detailed explanations of how they conducted the attack and how it can be prevented, while also developing security tools. All of their actions are within the legal framework, aligned with the group’s values and the practitioner’s moral compass. Their work is authorized by the institutions they assist, and they have no problem disclosing errors and assisting with their correction.
Gray Hat hackers are those who navigate between their own ideals, economic interests, and the ethics of White Hat hacking. They may take the liberty to illegally compromise systems of interest. At this point, they may adopt different stances, such as discovering a vulnerability and requesting payment to fix it, selling solutions to those affected, or sharing the information with the community. They can support both charitable institutions and illegal or dangerous cells, depending entirely on the moral compass of the individual bearing the name Gray Hat.
These hackers are the most interesting because they are not solely bound by hacking norms. They act based on the benefits they receive, whether financial or recognition from the community. They can navigate between ethical and moral aspects and have no qualms about committing illegal acts, despite the obvious consequences, to strengthen the cybersecurity of the institutions they target. In many cases, they end up working for those institutions, as was the case with the San Bernardino massacre. The FBI obtained an iPhone 5c from the perpetrator of the shooting and asked Apple to unlock the device for information. When Apple refused, the FBI had to turn to the services of Gray Hat hackers to access the terrorist’s device. They succeeded through an exploit that attempted different combinations of the phone’s four-digit PIN. This example gives us a clear idea of the current reach of hacking practices, where even agencies like the FBI often require their “services”.
Lastly, Black Hat hackers are recognized as renowned cybercriminals, not least because their practices fall outside the legal framework: the theft of personal or corporate information, money, email accounts, and other types of crimes. The most well-known criminal activity within this realm is carding, which involves stealing credit card and bank account data for personal use or selling the cards on the black market. On the Onion network, there are a couple of sites dedicated to the sale of such data.
Despite being considered criminals, hackers of this nature have managed to organize malicious hacking conventions. DEF CON is one of the oldest conventions for black hat hackers, lasting three days and held in Las Vegas. What draws the most attention is that their website’s advertising mocks United States security institutions. These cyber-olympics showcase the genuine interest and allure of what is prohibited.
From the political animal, ethics, and its interaction with technologies
It is well known and cliché that Aristotle referred to humans as political animals (Zoon Politikón). Every expression of human knowledge is inherently political, considering that our activities are always influenced by our culture, knowledge, and ideology. Hacking cannot be and was not an exception. By simplifying the concept of politics, we can understand it as the activities that are part of social organization, along with ideological conflicts, aiming to foster coexistence while contrasting the differences of ideas among individuals in a geographical area. Humans are social beings bound to political coexistence, which is why every human expression carries political undertones.
Hacking, as a human activity within technological realms, was destined to become a sociopolitical tool. As mentioned earlier, life is digitized, almost literally, and political antagonisms are now manifested in digital spaces, where communication is immediate, and we all believe we have a correct and precise opinion on any topic that arises. This turns platforms into bulletin boards for propaganda, making the internet another domain to express and expose our ideas and ideals.
In 1989, a computer at NASA, the VMS computer, was infected by a computer worm named WANK. This is one of the most well-known breaches and perhaps the one that laid the foundations for hacktivism. Once the worm executed on the system, it displayed an anti-nuclear message as part of the protests against the use of plutonium in the space shuttle tasked with carrying the Galileo robotic spacecraft into space. The population of Florida was concerned about the explosion of the Challenger, which had occurred only three years earlier, and the debate centered around whether this shuttle would suffer the same fate as the Challenger. If it did, a significant portion of that territory would be contaminated with radioactive material from plutonium.
This is how hackers used their knowledge to support a social cause. Even though the term was still far from being coined at that time, the internet was already seen as a danger that could spill beyond its boundaries. In the late 1980s and mid-1990s, the Electronic Frontier Foundation (EFF) was born—a nonprofit organization advocating for freedom of expression, civil liberties, and people’s rights within the realm of the internet. They support social movements and strongly emphasize privacy in the digital era.
Hacktivism resides in a gray area of legislation since it is understood as a non-violent practice that seeks to advocate for both real-world and digital social struggles. It goes hand in hand with hacking practices that can fall into the category of black hat activities, as they search for vulnerabilities illegally and exploit them. However, unlike gray hat hackers or cybercriminals, their primary focus is not personal or financial gain; they aim to deliver a message.
Some of the most common attacks carried out by hacktivists include Distributed Denial of Service (DDoS), which involves flooding a server with rapid and repeated requests to overload the service and cause it to crash, thereby taking a website offline for hours. Defacement is another type of attack, where once access to a website is gained, its appearance is altered to display a message related to the cause being supported at that time. Doxing is also a common practice, involving the acquisition of personal information about targeted individuals and the subsequent publication of these data on the internet for anyone to access.
Executing these attacks requires precise organization, leading to the formation of hacktivist groups. Anonymous is one of the largest and most well-known groups in this field. Discussing Anonymous and other groups could easily merit their own article, so this text will only delve into topics relevant to the present discussion. Anonymous is a decentralized group that votes on the actions to be carried out, always upholding support for societies struggling against their governments or private institutions, advocating for freedom of expression. This leads us to an ethical dilemma since, although they support social movements seeking the common good, freedom of expression, and the exposure of malicious practices by companies and governments, they must exploit backdoors using malicious software and operate from the shadows. Undeniably, these are illegal practices, but they aim to expose what is wrong in pursuit of a greater good.
LulzSec is another well-known hacktivist group, considered to be directly associated with black hat activities. They took action during the Arab Spring, launching attacks on the websites of the governments of Tunisia and Egypt. They also targeted Sony by publicly disclosing users’ account information and infiltrated a server at the United States Senate, stating: “because we don’t like the US.”
It is precisely through these types of actions that the fascination with hacktivist groups arises. Through their actions, they show us that large companies and public institutions are not impenetrable. Even with their human and financial resources, they have vulnerabilities and make mistakes, demystifying the popular image held of these entities. The message extracted from this is of special interest as it humanizes large companies and governments while providing hope that citizens have support in the face of injustices committed by institutions, at least in virtual environments. This is not surprising, considering that in the age of hyperconnectivity, every step we take in virtual environments carries almost equivalent weight in real life.
The practice of hacking exists in an ethical gray area, as it can help strengthen systems, something we see reflected in our environment. The systems we use on our devices are constantly updated with security patches, either because employees themselves discover these vulnerabilities or because hackers of any color find them and eventually these issues are resolved. However they are found, this carries both risks and benefits for end users. The ongoing battle between hackers and entities will continue as long as technological systems remain in place. With hacktivism in the picture, we realize that digital life can no longer be taken lightly, and it is necessary to have knowledge and foster a technological culture where we are aware of our rights and strive to maintain privacy on the internet as much as possible.
With all of the above in mind, it is necessary to raise a couple of questions again: Who bears the responsibility for the use of such software? Is it those who develop a tool with “national security purposes” that can nonetheless be used for spying on and tracking non-criminal individuals? Or should governments be held accountable for using it unethically, gathering information on activists and opposing politicians? We can assert that under no circumstances is spying on journalists and activists justifiable. However, there will always be a debate between security and freedom because, although these tools are developed under the pretext of safeguarding national security and states have no reservations about using them, when social activists are harassed or disappear, the use of such surveillance becomes unethical and dangerous. These are weighty reasons to educate people within this new paradigm called the internet.
Victor Barba is a philosopher, captivated by politics, language, photography, and literature, but primarily by writing. A self-proclaimed outcast on YouTube, who, despite his pronounced misanthropy, has a weakness for all forms of artistic expression.
Translated by ChatGPT. Corrections by Muta Magazine.