John Z Black

John Z Black Apr 7, 2026 Policy, Law & Governance #ice #paragon #spyware #graphite #surveillance #congress #civil-liberties

ICE has a $2 million contract for Paragon’s Graphite spyware. It’s Israeli-made, can compromise phones with zero-click exploits, and pulls data from encrypted apps like WhatsApp and iMessage without the target doing anything. Three House Democrats now want to know exactly who ICE is pointing it at.

The contract was paused under Biden, then reactivated by the Trump administration in 2025. Acting ICE Director Todd Lyons defended “cutting-edge technological tools” for fighting fentanyl trafficking. He did not name Paragon by name. He certified compliance with Biden’s 2023 spyware executive order. He did not answer whether American citizens have been targeted.

Here’s where it gets interesting. A US private equity firm acquired Paragon in 2024 for up to $900 million. That makes Paragon the first major commercial spyware vendor under American ownership. When Pegasus was the controversy, the US could point fingers at an Israeli company. Now the spyware is American-owned, American-contracted, and deployed on American soil. The finger-pointing gets harder.

The oversight gap is structural. Agencies can buy these capabilities without congressional approval or judicial review. Compliance is self-certified. There’s no independent verification. An EFF researcher noted the vague safeguards language leaves the door open for ICE to use administrative subpoenas, issued internally with no judge required, to authorize spyware deployment.

The same class of tools used to surveil journalists and activists overseas is now deployed domestically. The question isn’t whether the technology works. It’s whether anyone is watching the watchers.

Read the full story on ICE, Paragon, and the oversight gap that makes it all possible