An unsettling contradiction in U.S. policy
A significant controversy is unfolding within the U.S. government after Immigration and Customs Enforcement (ICE) confirmed its use of a powerful spyware tool from the Israeli firm Paragon Solutions. The confirmation, which came after persistent inquiries from House Democrats, is particularly alarming because Paragon sells the same class of commercial spyware as Candiru and NSO Group, two Israeli vendors the U.S. Commerce Department added to its Entity List in November 2021 for supplying tools used in “malicious cyber activities.”
This situation presents a stark contradiction: one arm of the U.S. government is actively purchasing and deploying a category of technology that another arm has officially treated as a threat to national security and foreign policy interests. The revelation has ignited sharp criticism from lawmakers and civil liberties advocates, raising profound questions about government oversight, policy coherence, and the ethical boundaries of domestic surveillance.
The issue came to a head following an August 1, 2023, confirmation from ICE to Congress, as first reported by CyberScoop. In response, Representatives Jerry Nadler (D-NY), Zoe Lofgren (D-CA), and Pramila Jayapal (D-WA) publicly decried the agency's actions, stating they were deeply dissatisfied with the answers provided. Their scrutiny began with a letter in May 2023 questioning ICE's surveillance practices and highlighting the broader concern over federal agencies procuring tools from vendors known to facilitate human rights abuses abroad.
This development directly challenges the Biden administration's stated policy against the proliferation of commercial spyware. In March 2023, President Biden issued Executive Order 14093, which prohibits federal agencies from making operational use of commercial spyware that poses a counterintelligence or security risk to the U.S. government, or that foreign actors have misused to enable human rights abuses or to target U.S. persons. ICE's use of Paragon appears to fly in the face of the spirit, if not the letter, of this directive.
Technical details: A look inside Paragon
Paragon is not an ordinary piece of software; it is a highly sophisticated piece of “offensive cyber” technology. Paragon Solutions' product, marketed as Graphite, belongs to the same class of mercenary spyware as NSO Group's infamous Pegasus and the tooling sold by Candiru (which has operated under various names, including Saito Tech). These tools are designed to give their operators complete, covert access to a target's digital life.
The primary infection vector for spyware of this class is often a “zero-click” exploit: the spyware is installed on the target device, iPhone or Android, without any interaction from the user. The target does not have to click a malicious link, open a file, or answer a call. The exploit chain abuses vulnerabilities that are unknown to the vendor and therefore unpatched (“zero-days”), typically in code that automatically processes untrusted input, such as the image and message parsers behind services like iMessage or WhatsApp, to silently compromise the device.
Once installed, Paragon grants its operator near-total control. Its capabilities typically include:
- Complete Data Exfiltration: Accessing and copying emails, text messages, photos, videos, contacts, and call logs. This includes messages sent over end-to-end encrypted apps: the encryption protects a message in transit, but a compromised phone reads it in the clear, exactly as its owner does.
- Live Surveillance: Covertly activating the device's microphone and camera to eavesdrop on conversations and capture video of the target's surroundings.
- Location Tracking: Monitoring the device's real-time and historical GPS data.
- Stealth Operation: Operating with a minimal footprint on the device to evade detection by the user or conventional antivirus software; some implants of this class run only in memory and leave few artifacts on disk.
The technical sophistication and secrecy of these tools are their main selling points. The specific vulnerabilities they exploit are closely guarded secrets (each one loses its value the moment the vendor patches it), and the spyware's code is continually updated to avoid detection. This makes it an incredibly powerful weapon for intelligence and law enforcement agencies, but also an exceptionally dangerous one if misused.
Impact assessment: Policy chaos and civil liberties at risk
The impact of ICE's use of Paragon spyware is multifaceted, extending from internal government policy to the fundamental rights of individuals.
First, it exposes a glaring policy incoherence within the U.S. government. The Commerce Department blacklisted Candiru and NSO Group in November 2021 because they supplied spyware to foreign governments that “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.” For a domestic agency under the Department of Homeland Security to then procure and use the same category of technology undermines the U.S.'s credibility as it attempts to lead international efforts to regulate the commercial spyware market. It sends a message that such tools are unacceptable for others to use but permissible for U.S. agencies, weakening the nation's moral and diplomatic standing.
Second, there are significant national security concerns, the very risk Executive Order 14093 was written to address. Running closed-source software that a foreign commercial vendor builds, hosts, and updates puts a capability the government does not control inside its own operations. There is no guarantee that the spyware itself is free from backdoors or flaws that could be exploited by other adversaries, and the vendor is in a position to learn how, and against whom, the tool is being used.
Most importantly, the use of such an intrusive tool by ICE raises severe civil liberties concerns. While the agency’s specific targets have not been disclosed, its mandate involves vulnerable populations, including asylum seekers, migrants, and their families. Deploying military-grade spyware in an immigration enforcement context creates a high risk of abuse, potentially chilling free speech and association among immigrant communities and the advocates, lawyers, and journalists who work with them. Without transparent warrants and rigorous oversight, there is little to prevent such powerful capabilities from being used for purposes far beyond their intended legal scope.
How to protect yourself from sophisticated threats
Defending against zero-click exploits used by state-level actors is exceptionally difficult for the average person. By their nature, they exploit unknown flaws for which no patch exists. However, individuals, especially those who may be at higher risk such as journalists, activists, and lawyers, can take steps to harden their digital defenses.
- Update Everything, Immediately: The moment a software update is available for your phone's operating system or your apps, install it. These updates frequently contain patches for security vulnerabilities that could be exploited.
- Enable Lockdown Mode (for Apple users): Apple introduced Lockdown Mode in iOS 16. It is an extreme protection feature that deliberately reduces device functionality to shrink the attack surface: most message attachment types are blocked, link previews are disabled, certain web technologies such as just-in-time JavaScript compilation are turned off for untrusted sites, incoming FaceTime calls are blocked unless you have previously called that person, and wired accessory connections require the device to be unlocked. Several of these restrictions target exactly the parsing code that zero-click chains have abused.
- Use Encrypted Communication: Rely on end-to-end encrypted messaging apps like Signal for sensitive conversations. Spyware on a compromised phone can read messages after they are decrypted, but encrypted channels still protect your data in transit and on the provider's servers, and enabling disappearing messages limits how much history an implant can harvest.
- Reboot Your Device Regularly: Some forms of spyware are not fully “persistent”: they live only in memory, so a reboot removes them until the operator re-infects the device. Researchers analysing Pegasus infections on iOS have documented exactly this behaviour. Vendors can add persistence mechanisms, but a daily reboot disrupts less sophisticated threats, forces an attacker to re-exploit the device (each attempt creating new evidence), and is a simple, low-cost defensive measure.
- Practice Vigilance: Be wary of unsolicited links and attachments, even if they appear to come from known contacts, as spear-phishing remains a viable attack vector. A VPN service can shield your internet traffic from network-level snooping, though it cannot prevent a direct compromise of the device itself, and it does nothing against an implant that is already running.
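A practitioner's caveat to the points above about conventional antivirus and non-persistent implants: spyware of this class is usually found after the fact, by checking device artifacts (process lists, DNS logs, file paths) against indicators of compromise published by research groups. Amnesty International's Security Lab distributes such indicators for the spyware families it has documented as STIX 2 bundles, which its Mobile Verification Toolkit (MVT) consumes. The following Python script is an added example written for this page; it is not code from the page, from ICE, or from Amnesty's toolkit. It extracts the equality comparisons from a STIX 2 indicator bundle and matches them against constructed sample artifacts. Every indicator value, process name and log line in it is made up for illustration (the reserved .invalid TLD is used so the names can never resolve); none is a real Paragon, Candiru or Pegasus indicator.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# A STIX 2 indicator bundle in the shape that mobile forensic tools such as
# Amnesty's MVT consume. Every value here is a CONSTRUCTED placeholder for this
# example, not a real indicator; the reserved .invalid TLD cannot resolve.
SAMPLE_IOC_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "name": "constructed command-and-control domains",
            "pattern": "[domain-name:value = 'c2-relay.example.invalid'] "
                       "OR [domain-name:value = 'cdn-sync.example.invalid']",
        },
        {
            "type": "indicator",
            "name": "constructed implant process name",
            "pattern": "[process:name = 'bh_cache_helper']",
        },
        {
            "type": "indicator",
            "name": "constructed implant file path",
            "pattern": "[file:path = '/private/var/tmp/.lib_cache']",
        },
        # Non-indicator objects (reports, bundle metadata) are skipped.
        {"type": "report", "name": "not an indicator"},
    ],
})

# One STIX comparison: [object-type:property = 'value']
_COMPARISON = re.compile(r"\[\s*([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\s*\]")


def parse_stix_bundle(bundle_json: str) -> Dict[str, Set[str]]:
    """Map each STIX object path (e.g. 'domain-name:value') to the set of
    lower-cased values named in the bundle's indicator patterns.

    Only equality comparisons, optionally joined with OR, are handled; that
    covers the domain, process and path indicators forensic tools publish.
    Anything more complex in a pattern is ignored rather than mis-parsed.
    """
    bundle = json.loads(bundle_json)
    iocs: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            iocs.setdefault(path, set()).add(value.lower())
    return iocs


def domain_matches(domain: str, ioc_domains: Set[str]) -> bool:
    """True if the domain equals an indicator or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == ioc or d.endswith("." + ioc) for ioc in ioc_domains)


def scan_artifacts(iocs: Dict[str, Set[str]], processes: List[str],
                   dns_log: List[str], files: List[str]) -> List[Tuple[str, str]]:
    """Return (object path, matching artifact) pairs for every IOC hit."""
    hits: List[Tuple[str, str]] = []
    for name in processes:
        if name.lower() in iocs.get("process:name", set()):
            hits.append(("process:name", name))
    for line in dns_log:
        m = re.search(r"query=(\S+)", line)
        if m and domain_matches(m.group(1), iocs.get("domain-name:value", set())):
            hits.append(("domain-name:value", m.group(1)))
    for path in files:
        if path.lower() in iocs.get("file:path", set()):
            hits.append(("file:path", path))
    return hits


# Constructed device artifacts in the shape an exported process list, a DNS
# query log and a file listing might take. A real sysdiagnose or backup is
# far richer; the matching logic is the same.
SAMPLE_PROCESSES = ["launchd", "SpringBoard", "bh_cache_helper", "mediaserverd"]
SAMPLE_DNS_LOG = [
    "2024-06-01T10:14:02Z query=api.apple.com",
    "2024-06-01T10:14:09Z query=edge3.CDN-Sync.example.invalid",
    "2024-06-01T10:15:44Z query=www.wikipedia.org",
]
SAMPLE_FILES = ["/private/var/tmp/.lib_cache", "/var/mobile/Library/SMS/sms.db"]


def run_sample_scan() -> List[Tuple[str, str]]:
    """Scan the constructed artifacts against the constructed bundle."""
    return scan_artifacts(parse_stix_bundle(SAMPLE_IOC_BUNDLE),
                          SAMPLE_PROCESSES, SAMPLE_DNS_LOG, SAMPLE_FILES)


if __name__ == "__main__":
    for path, artifact in run_sample_scan():
        print(f"IOC hit {path}: {artifact}")
```

Two design choices matter in practice. Domains are matched on suffix as well as equality, because operators rotate hostnames under a fixed infrastructure domain, so a DNS query for a new subdomain of a known bad domain is still a hit. And the scan is a negative-evidence tool only: a clean result means no published indicator matched, not that the device is clean, which is why a forensic check is a complement to the preventive steps above, not a replacement for them.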
Ultimately, individual protection has its limits. The core of the problem lies in the unchecked proliferation of these tools and the lack of transparency and oversight governing their use by government agencies. The condemnation from Congress is a critical first step, but it must be followed by robust legislative action to establish clear guardrails and ensure that the rights of all individuals are protected from invasive digital surveillance.