In 2023, a significant breach involving Paragon Solutions' spyware impacted 90 WhatsApp users, including journalists and civil society members. Paragon Solutions, known for licensing its powerful surveillance tool, Graphite, to government agencies, finds itself at the center of a controversy. The company, which maintains a zero-tolerance policy for violations of its terms of service, now faces scrutiny over how its technology is being used. With its US subsidiary based in Virginia, led by former CIA veteran John Fleming, the company was acquired by AE Industrial Partners, making it a US-owned entity. The breach has intensified the debate on the ethical use of military-grade surveillance tools.
Paragon Solutions holds a contract with the US Immigration and Customs Enforcement (ICE) agency, signed under the Biden administration for $2 million over one year. This agreement highlights the complexities surrounding government use of private spyware solutions. While the company's spyware is marketed for national security missions such as counterterrorism and counter-narcotics, questions remain about the potential for misuse. Paragon asserts compliance with the 2023 executive order signed by President Biden, discouraging federal government use of spyware.
"We require all users of our technology to adhere to terms and conditions that preclude the illicit targeting of journalists and other civil society leaders." – Paragon representative
Despite these assurances, Paragon's contractual termination with Italy over terms violation raises concerns about enforcement and oversight. The similarities between Paragon's Graphite and the notorious Pegasus spyware from NSO Group add another layer of complexity. Pegasus has been implicated in unauthorized surveillance activities, raising fears about potential abuses.
"Like the NSO Group’s Pegasus spyware, it is easy for governments easily to avoid basic principles of rule of law." – David Kaye
David Kaye, a former special rapporteur on freedom of expression, warns of the extraordinary risks associated with marketing military-grade surveillance products. His comments underscore the challenges in ensuring that such tools are not misused against journalists or civil society figures. The risk of abuse becomes particularly salient as researchers at the Citizen Lab at the University of Toronto prepare to release a new technical report on the WhatsApp breach.
The FBI's limited license acquisition to test NSO Group's Pegasus spyware in 2019 during the Trump administration adds historical context to current discussions. The continued interest in these technologies by federal agencies illustrates ongoing tensions between surveillance capabilities and privacy rights.
Paragon Solutions' acquisition by AE Industrial Partners positions it within a broader network of defense and aerospace interests. As a US-owned company, its operations come under increased scrutiny, especially with its US subsidiary's strategic location in Virginia. The leadership by John Fleming, with his extensive intelligence background, further emphasizes the company's deep connections to national security sectors.
The terminated contract with Italy signals Paragon's commitment to enforcing compliance, yet it simultaneously raises alarms about potential lapses in oversight across other jurisdictions. This incident shines a light on the critical need for stringent monitoring mechanisms.