Commercial Spyware Returns to US Agencies as Policy Guardrails Fade
As the Trump administration dismantles Biden-era phone-hacking tool restrictions, ICE confirms a Paragon spyware purchase and privacy advocates warn the industry's stigma is fading fast.
In April 2026, U.S. Immigration and Customs Enforcement confirmed something privacy researchers had long suspected: the agency had purchased and deployed commercial spyware. The admission came in a letter from ICE's acting director to lawmakers, TechCrunch reported, and it named the vendor: Paragon Solutions, an Israeli firm whose software can extract the full contents of a target's phone without the owner ever knowing. The disclosure was remarkable not for revealing a secret, but for making one official. Federal agencies had been circling the spyware market for years; now one had signed a receipt.
The Paragon purchase landed inside a broader reversal that Texas Public Radio detailed in May. Across multiple agencies, the Trump administration has been dismantling the restrictions that, just two years earlier, had made the United States an unlikely leader in the global push to stigmatize commercial spyware. A Biden-era executive order had declared the proliferation of such tools a national emergency, and a subsequent sanctions regime had targeted vendors and individuals tied to surveillance operations against journalists, dissidents, and American officials. Now, critics say, that stigma is being methodically erased.
The framework the Biden administration constructed began with Executive Order 14093, signed in March 2023, which prohibited U.S. government agencies from using commercial spyware that posed counterintelligence or human-rights risks and directed the State Department to build a sanctions framework around the misuse of surveillance technology. The order was explicit, and it was the most aggressive policy stance any major government had taken against an industry that by then had been implicated in the surveillance of journalists, lawyers, and civil society across dozens of countries. The Pegasus Project, a consortium of media organizations led by Forbidden Stories and Amnesty International, had documented how NSO Group's flagship spyware was used to hack the phones of heads of state, opposition politicians, and human-rights defenders.
The first visible crack in that framework appeared in January 2026, when the Treasury Department lifted sanctions on three individuals tied to the Intellexa consortium, The Register reported via MSN. Intellexa produces Predator, a rival to NSO Group's better-known Pegasus, and had been sanctioned under the Biden administration for enabling surveillance operations that targeted American officials and European politicians. The sanctions relief was not accompanied by a public explanation of what had changed about the individuals' conduct; it arrived as a regulatory action, quiet and unremarked outside the narrow circle of researchers who track spyware proliferation.
Months before the Intellexa delisting, another signal reached the industry. In November 2025, NSO Group named a former Trump administration official as its new chief executive, Gizmodo reported, a rehabilitation gambit that would have been unthinkable during the years when the company was blacklisted by the U.S. Commerce Department and fighting sanctions in multiple jurisdictions. NSO had spent years trying to shed its pariah status, hiring lobbyists in Washington and Brussels, and the executive appointment suggested the company saw a political window opening.
"The use of Paragon spyware is necessary to counter terrorists' thriving exploitation of encrypted communications platforms." (Acting Director of U.S. Immigration and Customs Enforcement, in a letter to lawmakers, as reported by TechCrunch)
What makes commercial spyware distinct from traditional government surveillance is the chain of custody, and the vanishingly small barrier to entry once a license is purchased. A single deployment of Pegasus can cost a government agency millions of dollars and, once activated, requires no cooperation from telecom carriers, no warrant presented to a platform, and no notification to the target. The software exploits zero-day vulnerabilities, flaws in Android and iOS that the phone's manufacturer does not yet know exist, to install itself silently. Once embedded, it can activate the microphone, copy messages from encrypted apps before they are encrypted, and scrape location history, all while the phone appears to be asleep on a nightstand.
The architecture of commercial spyware is a systems problem, not merely a procurement one. Vendors like NSO Group, Intellexa, and Paragon do not simply sell code; they sell access, and they sell deniability. The government that deploys the spyware can claim it is targeting criminals. The vendor can claim it only sells to vetted governments. The telecom whose network carries the infection traffic can claim it had no visibility. And the platform whose operating system was compromised can claim it patches vulnerabilities as soon as they are discovered. At each step in this chain, no single actor bears the full cost of the intrusion, and no single regulator has clear jurisdiction over the entire data flow.
The question of whose body produces the data, and whose business buys it, cuts to the core of the spyware debate. The phone in a journalist's pocket is not merely a communications device; it is a sensor array that generates metadata about location, associations, sleep patterns, and political activity. When ICE purchases a Paragon license to pursue drug trafficking cases, the same tool can be pointed at immigration lawyers, journalists covering the border, or activists organizing in detention centers. The technology does not discriminate by target, and the oversight mechanisms that might catch mission creep are the very policies now being rolled back.
Consent, in the commercial spyware stack, is a legal fiction. The target never sees a terms-of-service pop-up, never clicks "I agree," never has the opportunity to opt out. In some deployments, even the purchasing government's own oversight bodies are not fully briefed on how the tools are used. Dark Reading noted in March that despite a recent historic legal victory, a lawsuit brought by WhatsApp against NSO Group that resulted in a landmark ruling, the overall fight against spyware may be trending in the wrong direction as governments normalize its use and the policy architecture that constrained it begins to erode.
The WhatsApp case represents one of the few moments of accountability the industry has faced. A federal judge found NSO Group liable for exploiting WhatsApp's infrastructure to deliver spyware to approximately 1,400 targets, a decision that privacy advocates hailed as a turning point for corporate accountability in the surveillance sector. But legal victories move slowly, and spyware deployments move fast. By the time a court rules on one vendor's conduct, three others have emerged with newer, harder-to-detect products, and the government agencies that might have been deterred by the litigation have already moved on to different suppliers.
The international landscape offers little reassurance. In April 2026, the United Kingdom's cybersecurity chief warned that approximately 100 countries now possess some form of commercial spyware capability, TechCrunch reported. The genie is not merely out of the bottle; it has been franchised. Governments that once lacked the technical capacity to conduct digital surveillance can now purchase it off the shelf, complete with maintenance contracts and customer support portals.
What the U.S. government does with spyware remains partially opaque, and that opacity is itself part of the problem. Texas Public Radio's investigation noted that multiple agencies have declined to disclose the full scope of their spyware use, the number of devices targeted, or the legal standards applied before a deployment. The Freedom of Information requests filed by researchers and journalists often return heavily redacted documents, or no documents at all. The public is left to infer the scale of surveillance from the occasional letter to Congress or leaked contract, a transparency gap that makes meaningful oversight nearly impossible.
Civil liberties organizations have responded with a mix of litigation and policy advocacy. The Electronic Frontier Foundation, Access Now, and European digital-rights groups like NOYB and EDRi have filed complaints with regulators, published technical analyses of spyware samples found on activists' phones, and pushed for an international moratorium on the sale of intrusion tools. Their central argument is that spyware cannot be regulated through the normal export-control frameworks that govern weapons sales, because the harm is not confined to the country where the tool is deployed. A phone hacked in Warsaw can belong to a dissident whose data is routed through servers in three countries before it reaches the purchasing government's intelligence agency, a jurisdictional tangle that existing law is poorly equipped to address.
Three vendors dominate the current U.S. conversation. NSO Group, the most famous, produces Pegasus, which researchers at Amnesty International's Security Lab have documented targeting human-rights defenders across the Middle East, South Asia, and Latin America. Intellexa, a more diffuse consortium of companies registered in multiple jurisdictions, produces Predator, which has been linked to surveillance of European politicians and American diplomats. Paragon Solutions, the newest of the three to attract U.S. government attention, markets itself as a more responsible alternative with stronger compliance frameworks, but its software ultimately performs the same core function: remote, zero-click extraction of a phone's entire digital life, including messages, photos, passwords, and real-time location.
The gaps in public knowledge are structural, not accidental. No U.S. law requires agencies to publish an annual report on spyware use. No oversight board has a clear mandate to audit deployments in real time. The Privacy and Civil Liberties Oversight Board has acknowledged the issue but lacks the investigative resources to conduct a thorough review of every agency that might be purchasing intrusion tools. Researchers at the University of Toronto's Citizen Lab, which has been at the forefront of spyware detection for over a decade, can only find infections after the fact, by examining the logs and traces that spyware leaves behind on compromised devices. The work is forensic, retrospective, and perpetually underfunded.
What happens next depends on whether Congress decides that spyware is a technology requiring legislative guardrails, rather than a market that can be managed through executive orders that change with each administration. Privacy advocates have called for an annual public report on government spyware use, a licensing regime for captured data, and mandatory notification rules that would require agencies to disclose deployments to an independent oversight body. None of those measures have passed, and the current trajectory suggests they will not be taken up soon. In the meantime, the agencies keep buying, the vendors keep selling, and the phones in millions of pockets keep broadcasting their owners' secrets to whoever holds the license key.