ICE Runs Spyware That Reads Phones It Has Never Seized
ICE's $2 million contract with an Israeli spyware firm reads encrypted messages on phones no agent has ever touched. The capability straddles two warrant regimes simultaneously, and courts have been asked to rule on neither.

ICE acting director Todd Lyons confirmed in an April 1 letter to Congress that the agency deployed Paragon Solutions' Graphite spyware inside the United States. The contract is valued at $2 million; procurement documents describe the capability only as "a fully configured proprietary solution including license, hardware, warranty, maintenance, and training."
Paragon is an Israeli company built by former intelligence officers. Its principal founder is Ehud Schneorson, former commander of IDF Unit 8200, Israel's signals intelligence directorate.
AE Industrial Partners, a U.S. private equity firm, acquired Paragon in December 2024 for up to $900 million. The acquisition folded Paragon into REDLattice, a defense integrator that works for the Pentagon.
Lyons named fentanyl trafficking and "foreign terrorist organizations' exploitation of encrypted communication platforms" as ICE's use cases. Neither phrase appears in any procurement document ICE has released. The fentanyl framing is congressional testimony, not a specification.
Before Graphite, ICE relied on Cellebrite UFED and Magnet Forensics' GrayKey for encrypted-messaging access. Both require physical custody of a seized device and extract stored messages after the phone is in hand. Graphite installs remotely with no click from the target, reading Signal, WhatsApp, Facebook Messenger, and Gmail messages at the point the device decrypts them.
Federal wiretapping law sorts into two regimes. Title III governs live interception in transit. It requires the government to compel a provider to assist, a path that CALEA codified for telecom carriers and that end-to-end encryption has largely closed.
Rule 41 governs physical device searches, treating device access as analogous to seizing a filing cabinet. Graphite captures messages at the moment of decryption, making each intercept simultaneously a live wire and a device search. No court has been asked which standard governs when the two collapse into the same operation.
The Pause, the Privacy Officers, and the Silence
The Paragon contract first surfaced in October 2024. ICE issued a stop-work order within days, citing compliance with Executive Order 14093, which prohibits commercial spyware posing significant counterintelligence or improper-use risks. ICE lifted the stop-work order on August 30, 2025, without publishing a compliance determination.
Citizen Lab and Access Now had documented Graphite's use against journalists and migrant-rescue workers in Italy. A migrant rights campaigner in Libya was also targeted.
DHS filed 24 Privacy Impact Assessments in 2024, 8 in 2025, and zero so far in 2026. A March 21, 2025 reduction in force dissolved the DHS Privacy Office, the body that would have assessed Graphite's compliance posture. ICE reactivated its Paragon contract on August 30, 2025.
Capturing messages at the moment of decryption closes off any clean statutory fit: Title III wants a provider in the loop; Rule 41 wants the device in hand. Graphite needs neither, and prosecutors fill the gap themselves.
The 404 Media FOIA lawsuit, filed September 22, 2025, is the only pending mechanism to force that determination. The EO standard asks whether Graphite poses "significant counterintelligence or improper-use risks."
The only public comparison set is Citizen Lab's Italian documentation. CVE-2025-43200, a zero-click iMessage exploit, was deployed by a single unidentified Paragon operator against two journalists at the same newsroom. Their phones showed no sign of infection.