In September, the Department of Homeland Security (D.H.S.) signed a two-million-dollar contract with Paragon, an Israeli firm whose spyware product Graphite focusses on breaching encrypted-messaging applications such as Telegram and Signal. Wired first reported that the technology was acquired by Immigration and Customs Enforcement (ICE)—an agency within D.H.S. that will soon be involved in executing the Trump Administration’s promises of mass deportations and crackdowns on border crossings. A source at Paragon told me that the deal followed a vetting process, during which the company was able to demonstrate that it had robust tools to prevent other countries that purchase its spyware from hacking Americans—but that wouldn’t limit the U.S. government’s ability to target its own citizens. The technology is part of a booming multibillion-dollar market for intrusive phone-hacking software that is making government surveillance increasingly cheap and accessible. In recent years, a number of Western democracies have been roiled by controversies in which spyware has been used, apparently by defense and intelligence agencies, to target opposition politicians, journalists, and apolitical civilians caught up in Orwellian surveillance dragnets. Now Donald Trump and incoming members of his Administration will decide whether to curtail or expand the U.S. government’s use of this kind of technology. Privacy advocates have been in a state of high alarm about the colliding political and technological trend lines. “It’s just so evident—the impending disaster,” Emily Tucker, the executive director at the Center on Privacy and Technology at Georgetown Law, told me. “You may believe yourself not to be in one of the vulnerable categories, but you won’t know if you’ve ended up on a list for some reason or your loved ones have. Every single person should be worried.”
The scandals catalyzed by the use of this surveillance technology in other democracies demonstrate the temptations of its misuse, and the elusiveness of accountability. This August, a prosecutor in Greece declined to hold government officials there responsible for a sprawling phone-hacking campaign that targeted opposition politicians and journalists. The country’s Supreme Court, in a report that was kept sealed but reported on by Politico, rubber-stamped the hacking as incidental to legitimate state operations. The victims’ phones had been infected with Predator, spyware from Cytrox, a North Macedonian firm founded by Israeli nationals, which can hijack a phone to undetectably access its camera, microphone, and all of its data, including messages and photos. The hacking attempt was discovered on a phone owned by Nikos Androulakis—who leads one of Greece’s major political parties—after he sent his device for testing by a lab run by the European Parliament. The Greek Supreme Court reviewed a hundred and sixteen cases of alleged state surveillance, and found that Thanasis Koukakis, an investigative journalist who has reported on Greece’s banks, had been targeted. (The country’s Prime Minister has claimed that he was unaware of the hacking, though he ostensibly oversees the country’s intelligence operations.)
Poland’s Prime Minister, earlier this year, confirmed allegations that a prior government there had deployed another potent spyware technology, Pegasus, made by the Israeli firm NSO Group, to hack opposition politicians in a surveillance dragnet, which a special committee of the country’s Senate has deemed a breach of constitutional standards. (A former Prime Minister defended the surveillance to a parliamentary committee earlier this year, arguing that it was predominantly “used against criminals.”) Spain, as I reported in this magazine in 2022, appears to have carried out a massive campaign of hacking against civil society and politicians linked to the separatist movement in the autonomous region of Catalonia, in concert with violent police crackdowns and arrests. (Spain’s former intelligence chief later admitted to the espionage, saying that it was carried out with the approval of the country’s judiciary.) “The system of checks and balances we have come to take for granted in the West has unravelled before our eyes,” Artemis Seaford, a Greek and U.S. dual national and a technology executive, whose phone was hacked in the Greek surveillance effort, told me. “If it can happen in Greece, a modern Western democracy, why could it not also happen in the United States?”
In the U.S., Trump has repeatedly promised to execute the “largest deportation program in American history” upon taking office, arguing, often with little basis in reality, that cities and towns have been “invaded” and “conquered” by “criminals.” He has selected as his national-security adviser Michael Waltz, who, as a congressman, successfully advocated for the expansion of the Foreign Intelligence Surveillance Act, rooting his arguments in a desire to deport undocumented immigrants for the sake of national security. (“The fastest growing group entering through our southern border is now from China, our number one adversary,” Waltz told the House at the time.) Within hours of Trump’s election to a second term, ICE—which is still under the authority of President Biden, but which has often seemed sympathetic to Trump’s anti-immigrant rhetoric—put out a new call for private companies to submit plans for augmenting the agency’s surveillance infrastructure, including ankle monitors, and software and hardware used for tracking targets’ biometrics. Human Rights Watch, responding to ICE’s deal with Paragon in October, warned that expanding the agency’s surveillance infrastructure would exacerbate “concerns about ICE abusing people trying to cross the US-Mexico border, surveilling border communities, and surveilling, harassing, interrogating, detaining, and blocking journalists, lawyers, and activists working on or near the border.” Immigration lawyers told me that such an expansion would create a frightening digital panopticon, not just for the 3.7 million people awaiting immigration hearings and the millions more who have managed to avoid immigration enforcement measures but for the wider population. “The fact that it’s the Department of Homeland Security, in particular, that has the technology means it may not be used exclusively for immigration and deportation,” Tucker, of the Georgetown Center on Privacy and Technology, told me. “D.H.S. is often the chosen agency to acquire technologies that are legally questionable because they are, in practice, subject to less oversight than basically all the other federal agencies.”
Already, the United States has struggled with transparency and restraint. In 2019, the F.B.I. secretly purchased Pegasus through a government contractor. (The F.B.I. director, Christopher Wray, told Congress that the spyware had been acquired for limited testing purposes, but internal documents obtained through a Freedom of Information Act lawsuit by the New York Times show that the agency seriously considered deploying it operationally, and even drew up guidelines for prosecutors navigating disclosures about its use.) In 2021, the same F.B.I. contractor purchased another NSO Group technology, a phone-tracking solution called Landmark. The same year, the Commerce Department added NSO Group and other spyware-makers to a list of entities blocked from doing business with American companies. The Biden Administration later issued an executive order, plans for which were first disclosed in this magazine, banning the “operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses.” These measures were limited and already left ample loopholes. In an interview for a new documentary, “Surveilled,” that followed my reporting on the subject, Nathaniel C. Fick, the Biden Administration’s Ambassador-at-Large for Cyberspace and Digital Policy, defended the “legitimate law enforcement and national security uses of these technologies,” and declined to answer my questions about specific measures for such use. Few legal experts I spoke with expected the Trump Administration to continue even such halting efforts to self-police government surveillance—nor did they expect that a potential Justice Department under Matt Gaetz would aggressively champion the already porous protections afforded by case law interpreting the Fourth Amendment in the context of personal data privacy. Tucker added, “With Trump making it clear that he envisions executive authority as being subject to no legal restraints, with the kind of appointments he’s made, and with the composition of Congress, they believe they can essentially do whatever they want with this technology—to immigrant communities, to activists.”
Decisions by the White House and by Republican lawmakers about spyware will have implications across a variety of policy areas that Trump and his associates are upending and that reach far beyond Washington. In recent years, an array of states, including Texas, Florida, and California, have reportedly purchased spyware and other surveillance technologies; legislators and regulators will dictate whether that trend continues. Since the fall of Roe v. Wade, at least two states have already used private personal data to prosecute people for getting abortions. That practice could expand with more widespread and affordable access to this technology.
Trump has threatened his political enemies, reposting comments calling for a military tribunal for Liz Cheney and observing that General Mark Milley’s behavior would have once been punishable by “DEATH!” He has also demonized the free press, suggesting, for example, that he wouldn’t mind if people were to “shoot through the fake news” and that journalists who protect sources should be imprisoned. These comments target the populations that have been most vulnerable to overzealous spyware campaigns in other Western democracies. “When this happens in an authoritarian system, it is horrific but unsurprising,” Seaford, the technology executive who was hacked during Greece’s spyware campaign, told me. “When it happens in a democracy, however, it creates a sense of disorientation: ‘Could this happen to me? Here? Really?!’ And yet it can, and it does.”