Even as WhatsApp celebrated a major legal victory in December against NSO Group, the Israeli maker of one of the world’s most powerful cyberweapons, a new threat was detected, this time involving another Israel-based company that has previously agreed contracts with democratic governments around the world – including the US.Late in January, WhatsApp claimed that 90 of its users, including some journalists and members of civil society, were targeted last year by spyware made by a company called Paragon Solutions. The allegation is raising urgent questions about how Paragon’s government clients are using the powerful hacking tool.Three people – an Italian journalist named Francesco Cancellato; the high-profile Italian founder of an NGO that aids immigrants named Luca Casarini; and a Libyan activist based in Sweden named Husam El Gomati – announced they were among the 90 people whose mobile phones had probably been compromised last year.More is likely to be known soon, when researchers at the Citizen Lab at the University of Toronto, which investigates digital threats against civil society and has worked closely with WhatsApp, is expected to release a new technical report on the breach.Like NSO Group, Paragon licenses its spyware, which is called Graphite, to government agencies. If it is deployed successfully, it can hack any phone without a mobile phone user’s knowledge, giving the operator of the spyware the ability to intercept phone calls, access photographs, and read encrypted messages. Its purpose, Paragon said, was in line with US policy, which calls for such spyware to only be used to assist governments in “national security missions, including counterterrorism, counter-narcotics, and counter-intelligence”.In a statement to the Guardian, a Paragon representative said the company had “a zero-tolerance policy for violations of our terms of service”. “We require all users of our technology to adhere to terms and conditions that preclude the illicit targeting of journalists and other civil society leaders,” the representative said.The company does appear to have acted swiftly in response to the cases that have emerged so far. The Guardian reported last week that Paragon had terminated its contract with Italy for violating the terms of its contract with the group. Italy had – hours before the Guardian’s story broke – denied any knowledge of or involvement in the targeting of the journalist and activists, and said it would investigate the matter.David Kaye, who previously served from 2014 to 2020 as a special rapporteur on freedom of expression and opinion said the marketing of military-grade surveillance products, such as the kind made by Paragon, comes with “extraordinary risks of abuse”.“Like the NSO Group’s Pegasus spyware, it is easy for governments easily to avoid basic principles of rule of law. Though not all the details are known, we are seeing the likelihood of scandalous abuse in the case of Italy, just as we have seen that in other contexts across Europe, Mexico and elsewhere,” Kaye said.The issue seems particularly relevant in the US. In 2019, during the first Donald Trump administration, the FBI acquired a limited license to test NSO Group’s Pegasus. The FBI said the spyware was never used in a domestic investigation and there is no evidence that either the Trump or Joe Biden administrations used spyware domestically.In the face of increasing reports of abuse, including use of NSO’s spyware against American diplomats abroad, the Biden administration put NSO on a blacklist in 2021, saying the company’s tools had enabled foreign governments to conduct transnational repression and represented a threat to national security.Biden also signed an executive order in 2023 that discouraged the use of spyware by the federal government and allowed it to be used in limited circumstances.It was therefore a surprise when it was reported by Wired last year that the US Immigration and Customs Enforcement (Ice) agency had – under the Biden administration – signed a $2m one-year contract with Paragon. The contract was reportedly paused after the news became public and its current status is unclear. Ice did not respond to a request for comment.A Paragon representative said the company was “deeply committed to following all US laws and regulations” and that it was fully compliant with the 2023 executive order signed by Biden. The person also pointed out that Paragon was now a US-owned company, following its takeover by AE Industrial Partners. It also has a US subsidiary based in Virginia, which is headed by John Fleming, a longtime veteran of the CIA who serves as executive chair.Unlike its predecessor, however, the new US administration has publicly stated that it will seek to use the levers of government against Trump’s perceived political enemies. Trump has repeatedly said he would try to use the military to take on “the enemy from within”. He has also singled out career prosecutors who have investigated him, members of the military, members of Congress, intelligence agents and former officials who have been critical of him, for potential prosecution. He has never explicitly stated that he would use spyware against these perceived rivals.Researchers like those at Citizen Lab and Amnesty Tech are considered the leading experts in detecting illegitimate surveillance against members of civil society, which have occurred in a number of democracies, including India, Mexico and Hungary. More
