

Regulatory challenges and guidelines regarding the use of cyber intrusion tools in the Brazilian context
Vulnerabilities in devices and information systems are extremely common in daily life, even though for most of the population they remain invisible or unknown. These flaws open gaps that allow attackers to reach information that should be protected by layers of digital security. Sometimes these vulnerabilities are exploited by the state itself, whether for intelligence or investigative purposes, a practice known as government hacking.
The discovery and exploitation of vulnerabilities by the state can be carried out with its own intelligence capabilities or outsourced to companies specialized in surveillance. This sustains a market made up of companies that profit from insecurity by selling exploits to governments, and of companies that develop intrusion tools for information systems.
What has been observed in this context is a rise in reports of human rights abuses and violations resulting from the use of tools for accessing and extracting data from mobile devices. Among a range of such products, the Pegasus spyware, developed by the Israeli company NSO Group, stood out on the international stage. Capable of infecting a device and accessing all of its information without the target's knowledge, it was found to have been used against activists, journalists, and political dissidents in countries such as Mexico, Spain, India, and Bahrain, among others.
Given this context, this technical note aims to provide input for the development of public policies on technologies for accessing and extracting data from mobile devices. It presents the relevance of the issue in the current landscape, the various types of tools in use, the regulatory context, best practices, and the challenges in the field.
