AI Incident Database

Report 5255

Associated Incidents

Incident 106933 Report
Purported Graphite Spyware Linked to Paragon Solutions Allegedly Deployed Against Journalists and Civil Society Workers

The spyware challenge: the Paragon case
iari.site · 2025

An analysis of the Paragon case in light of previous episodes of AI usage for surveillance purposes and of the Italian and European legislation on data protection.

The Paragon case

On 31 January 2025, WhatsApp sent a notification to at least 90 people, among them activists, journalists, and political opponents across the European Union, informing them that they had been targeted by Graphite, a spyware produced by the Israeli tech company Paragon Solutions Ltd. According to the firm, this military-grade hacking software has only been provided to democratic governments. The case soon broke out in Italy: among the seven victims who have so far reported being targeted by the spyware are several workers of the NGO Mediterranea Saving Humans, such as its founder Francesco Cancellato, one of its shipowners Beppe Caccia, and one of its chaplains Mattia Ferrari. As David Yambio -- a campaigner for Libyan migrants' rights and a critic of the policies adopted by the Italian government under Giorgia Meloni's rule -- was also informed of an attempt to compromise his phone, newspapers even ventured to guess that there may be an underlying link between the Paragon case and the unlawful release of Libyan SDF/RADA commander Osama Almasri Njeem.

Ever since the Italian government failed to report further on the Paragon issue to Parliament, speculation has run rampant on the case. Meanwhile, the Canadian-based Citizen Lab was tasked with investigating the privacy breaches suffered by the victims of Graphite. This analysis does not aim to further fuel conjectures and allegations. Rather, this piece will explore the concept of spyware and the functioning of this specific type of software. It will also draw upon cases similar to the issue at hand to highlight recommendations for safeguarding citizens' privacy and personal data.

Spyware: what it is and how it works

The American governmental agency Federal Trade Commission, established through the Federal Trade Commission Act in 1914, defines spyware as follows: "Spyware is one type of malware that can control or monitor your computer use. It may be used to send consumers pop-up ads, redirect their computers to unwanted websites, monitor their Internet surfing, or record their keystrokes, which, in turn, could lead to identity theft."

Specifically, Graphite -- the spyware branded by Paragon Solutions Ltd. -- exploits so-called 'zero days' (that is, previously unknown security vulnerabilities or flaws within an IT system) through 'zero clicks' (that is, without any prior user interaction with sent links or attachments of any kind), relying on the automatic processing that takes place once the device receives new data from a sender. In this way, Graphite was able to target mobile phones, act as an invisible spy, listen in on private conversations, and steal secret information without the victims noticing at all. The spyware thus provides an unobtrusive and convenient means for governmental entities and intelligence agencies to carry out surveillance and tracking operations, usually against suspects threatening national or international security, terrorists, and criminals. Though it did not directly comment on the scandal, Paragon Solutions Ltd. was confirmed to have terminated its contract with Italy due to Italy's own unethical usage of the malware.
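The defensive point behind the paragraph above is that a messaging client parses every inbound message on arrival, before the user has done anything, so any flaw in that parsing code is reachable with 'zero clicks'. The following Python illustration is an added example and not code from the article, from Paragon, or from any real messaging client: the wire format (a declared thumbnail length followed by thumbnail bytes and a caption), the two parsers, and the inbox are all constructed for this example. It contrasts a parser that trusts sender-supplied fields with one that validates every field against the actual buffer and drops inconsistent messages instead of rendering them on a best-effort basis.

```python
"""
Added illustration (not from the article or Paragon): automatic processing of
inbound data means parser robustness, not user caution, is the first line of
defence. The message format, field names and both parsers are constructed.
"""
import struct

# Constructed wire format: 2-byte big-endian declared thumbnail length,
# then thumbnail bytes, then a UTF-8 caption. The client renders thumbnails
# as soon as a message arrives, so this is a zero-click processing surface.
def build_message(thumbnail: bytes, caption: str) -> bytes:
    return struct.pack(">H", len(thumbnail)) + thumbnail + caption.encode("utf-8")

def parse_naive(msg: bytes) -> dict:
    """Trusts the sender's declared length. A lying header does not raise:
    the caption is silently swallowed and the malformed message is rendered."""
    (n,) = struct.unpack(">H", msg[:2])
    thumb = msg[2:2 + n]
    caption = msg[2 + n:].decode("utf-8", errors="replace")
    return {"thumbnail": thumb, "caption": caption}

def parse_strict(msg: bytes, max_thumb: int = 4096) -> dict:
    """Validates every field against the real buffer and a size policy
    before anything is processed; inconsistent input is rejected outright."""
    if len(msg) < 2:
        raise ValueError("truncated header")
    (n,) = struct.unpack(">H", msg[:2])
    if n > max_thumb:
        raise ValueError(f"thumbnail length {n} exceeds policy limit {max_thumb}")
    if 2 + n > len(msg):
        raise ValueError(f"declared thumbnail length {n} exceeds message size {len(msg)}")
    thumb = msg[2:2 + n]
    caption = msg[2 + n:].decode("utf-8")  # strict decoding: bad UTF-8 is rejected too
    return {"thumbnail": thumb, "caption": caption}

def auto_process_inbox(inbox, parser):
    """Simulates the client: every inbound message is parsed on arrival with
    no user action. Returns (rendered, rejected) counts so behaviour is checkable."""
    rendered, rejected = 0, 0
    for raw in inbox:
        try:
            parser(raw)
            rendered += 1
        except (ValueError, struct.error, UnicodeDecodeError):
            rejected += 1  # logged and dropped; never reaches the renderer
    return rendered, rejected

# Constructed inbox: one well-formed message and one whose header lies about its size.
GOOD = build_message(b"\x89PNG...", "hello")
BAD = struct.pack(">H", 60000) + b"\x00" * 10  # claims 60000 thumbnail bytes, carries 10

if __name__ == "__main__":
    print(auto_process_inbox([GOOD, BAD], parse_naive))   # (2, 0): malformed message rendered
    print(auto_process_inbox([GOOD, BAD], parse_strict))  # (1, 1): malformed message dropped
```

The strict parser is the shape of the mitigation that matters for zero-click delivery: length fields and encodings are checked against the bytes actually received, a size policy bounds what the parser will ever allocate, and rejection is the default for anything inconsistent, because no user will be there to notice something odd before the data is processed.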

Similar cases

In 2021, an investigation led by sixteen international newspapers revealed that fifty thousand phone numbers had been collected from 2016 onwards through the Pegasus malware, put on the market by the Israeli surveillance company NSO Group. Even though NSO Group clarified that its software was intended as a means to combat crime and terrorism, the independent investigation showed that the personal data of at least 65 business executives, 85 human rights activists, 189 journalists, and over 600 politicians had been collected as well. Moreover, Pegasus was also sold to various autocratic regimes: for instance, Citizen Lab demonstrated that this spyware had been used to track and monitor Saudi journalist Jamal Khashoggi's movements before his assassination on 2 October 2018 in the Saudi consulate in Istanbul (Turkey).

As one of the most technologically advanced countries in the world, Israel has been heavily investing in higher education, research, and start-ups, particularly where these can provide new high-tech or AI-powered solutions for the military to deploy against neighbouring opposing armed groups (such as Hamas in the Gaza Strip and Hezbollah in Lebanon) or to identify, control, and track local Palestinians in order to ensure the safety of Israeli settlers in the West Bank and Jerusalem. Such innovations are also exported abroad -- and they rarely end up only in the hands of democratic regimes (which, as shown by the latest events, are also liable to misuse these technologies). For instance, Israel was ranked among the ten largest arms exporters in the world (with a 2.3% share) in the years from 2018 to 2022. Not to mention that Azerbaijan, Bahrain, India, the Philippines, and the United Arab Emirates (UAE) figure as its biggest buyers -- and all of them clearly constitute authoritarian regimes.

As AI takes over every domain of our lives and little to no regulation is provided on the matter, democracies are expected to wrestle with new challenges to find a satisfactory compromise between ensuring on-site and online security and respecting citizens' privacy and personal data. For instance, France was commended for the outstanding level of security achieved at the 2024 Paris Olympic Games, only a few months after the nefarious ISKP-claimed Crocus City Hall attack near Moscow (Russia). This objective was amply attained thanks to Cityvision, the AI surveillance camera software developed by the French tech company Wintics and deployed in Paris since 2020, which has been providing mobility flow management, potential risk zone detection, and the ability to filter data from the city and from public transportation according to selected criteria.

While it is undeniable that Wintics' Cityvision has starkly enhanced French national security, preventive measures such as algorithmic video surveillance may potentially lead to biometric mass surveillance, threaten the right to privacy and data protection, and violate international human rights law. This was argued in a public letter signed by civil society organisations from all around Europe, but France decided not to address their concerns publicly on the occasion of Paris 2024.

Recommendations

There is one common factor to the various episodes explored in this analysis -- the Paragon case, the Pegasus case, the broader Israeli high-tech market, and the French AI-powered security landscape at Paris 2024: AI is not subject to any actual binding national or international legislation. This makes it even harder to find common ground on which countries should benefit from the immense potential of AI and what price they should pay in case violations and abuse come to light. Oftentimes, this leaves businesses in charge of dictating the conditions -- or not dictating any at all, depending on their ethical standpoint on the matter. In turn, this leaves governments and intelligence agencies virtually unpunished in case of misuse or downright abuse and violations.

As for the Paragon case, the Italian Data Protection Authority reiterated the right to confidentiality in communications under article 15 of the Italian Constitution, as well as the European legislation on the matter. Indeed, the General Data Protection Regulation (GDPR) defines 'personal data' as any information by which an individual may be identified, including metadata collected by spyware (article 4). Furthermore, in the absence of consent, data may only be lawfully processed on grounds of public interest (article 6). Finally, more severe restrictions apply to data disclosing sensitive information such as political opinions, ethnicity, health, and sexual orientation (article 9).

2024 - AI Incident Database