The Technology the Trump Administration Could Use to Hack Your Phone

In September, the Department of Homeland Security (D.H.S.) signed a two-million-dollar contract with Paragon, an Israeli firm whose spyware product Graphite focusses on breaching encrypted-messaging applications such as Telegram and Signal. Wired first reported that the technology was acquired by Immigration and Customs Enforcement (ICE)—an agency within D.H.S. that will soon be involved in executing the Trump Administration’s promises of mass deportations and crackdowns on border crossings. A source at Paragon told me that the deal followed a vetting process, during which the company was able to demonstrate that it had robust tools to prevent other countries that purchase its spyware from hacking Americans—but that wouldn’t limit the U.S. government’s ability to target its own citizens. The technology is part of a booming multibillion-dollar market for intrusive phone-hacking software that is making government surveillance increasingly cheap and accessible. In recent years, a number of Western democracies have been roiled by controversies in which spyware has been used, apparently by defense and intelligence agencies, to target opposition politicians, journalists, and apolitical civilians caught up in Orwellian surveillance dragnets. Now Donald Trump and incoming members of his Administration will decide whether to curtail or expand the U.S. government’s use of this kind of technology. Privacy advocates have been in a state of high alarm about the colliding political and technological trend lines. “It’s just so evident—the impending disaster,” Emily Tucker, the executive director at the Center on Privacy and Technology at Georgetown Law, told me. “You may believe yourself not to be in one of the vulnerable categories, but you won’t know if you’ve ended up on a list for some reason or your loved ones have. Every single person should be worried.”
The scandals catalyzed by the use of this surveillance technology in other democracies demonstrate the temptations of its misuse, and the elusiveness of accountability. This August, a prosecutor in Greece declined to hold government officials there responsible for a sprawling phone-hacking campaign that targeted opposition politicians and journalists. The country’s Supreme Court, in a report that was kept sealed but reported on by Politico, rubber-stamped the hacking as incidental to legitimate state operations. The victims’ phones had been infected with Predator, spyware from Cytrox, a North Macedonian firm founded by Israeli nationals, which can hijack a phone to undetectably access its camera, microphone, and all of its data, including messages and photos. The hacking attempt was discovered on a phone owned by Nikos Androulakis—who leads one of Greece’s major political parties—after he sent his device for testing by a lab run by the European Parliament. The Greek Supreme Court reviewed a hundred and sixteen cases of alleged state surveillance, and found that Thanasis Koukakis, an investigative journalist who has reported on Greece’s banks, had been targeted. (The country’s Prime Minister has claimed that he was unaware of the hacking, though he ostensibly oversees the country’s intelligence operations.)
Poland’s Prime Minister, earlier this year, confirmed allegations that a prior government there had deployed another potent spyware technology, Pegasus, made by the Israeli firm NSO Group, to hack opposition politicians in a surveillance dragnet, which a special committee of the country’s Senate has deemed a breach of constitutional standards. (A former Prime Minister defended the surveillance to a parliamentary committee earlier this year, arguing that it was predominantly “used against criminals.”) Spain, as I reported in this magazine in 2022, appears to have carried out a massive campaign of hacking against civil society and politicians linked to the separatist movement in the autonomous region of Catalonia, in concert with violent police crackdowns and arrests. (Spain’s former intelligence chief later admitted to the espionage, saying that it was carried out with the approval of the country’s judiciary.) “The system of checks and balances we have come to take for granted in the West has unravelled before our eyes,” Artemis Seaford, a Greek and U.S. dual national and a technology executive, whose phone was hacked in the Greek surveillance effort, told me. “If it can happen in Greece, a modern Western democracy, why could it not also happen in the United States?”
In the U.S., Trump has repeatedly promised to execute the “largest deportation program in American history” upon taking office, arguing, often with little basis in reality, that cities and towns have been “invaded” and “conquered” by “criminals.” He has selected as his national-security adviser Michael Waltz, who, as a congressman, successfully advocated for the expansion of the Foreign Intelligence Surveillance Act, rooting his arguments in a desire to deport undocumented immigrants for the sake of national security. (“The fastest growing group entering through our southern border is now from China, our number one adversary,” Waltz told the House at the time.) Within hours of Trump’s election to a second term, ICE—which is still under the authority of President Biden, but which has often seemed sympathetic to Trump’s anti-immigrant rhetoric—put out a new call for private companies to submit plans for augmenting the agency’s surveillance infrastructure, including ankle monitors, and software and hardware used for tracking targets’ biometrics. Human Rights Watch, responding to ICE’s deal with Paragon in October, warned that expanding the agency’s surveillance infrastructure would exacerbate “concerns about ICE abusing people trying to cross the US-Mexico border, surveilling border communities, and surveilling, harassing, interrogating, detaining, and blocking journalists, lawyers, and activists working on or near the border.” Immigration lawyers told me that such an expansion would create a frightening digital panopticon, not just for the 3.7 million people awaiting immigration hearings and the millions more who have managed to avoid immigration enforcement measures but for the wider population. “The fact that it’s the Department of Homeland Security, in particular, that has the technology means it may not be used exclusively for immigration and deportation,” Tucker, of the Georgetown Center on Privacy and Technology, told me. “D.H.S. is often the chosen agency to acquire technologies that are legally questionable because they are, in practice, subject to less oversight than basically all the other federal agencies.”
Already, the United States has struggled with transparency and restraint. In 2019, the F.B.I. secretly purchased Pegasus through a government contractor. (The F.B.I. director, Christopher Wray, told Congress that the spyware had been acquired for limited testing purposes, but internal documents obtained through a Freedom of Information Act lawsuit by the New York Times show that the agency seriously considered deploying it operationally, and even drew up guidelines for prosecutors navigating disclosures about its use.) In 2021, the same F.B.I. contractor purchased another NSO Group technology, a phone-tracking solution called Landmark. The same year, the Commerce Department added NSO Group and other spyware-makers to a list of entities blocked from doing business with American companies. The Biden Administration later issued an executive order, plans for which were first disclosed in this magazine, banning the “operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses.” These measures were limited and already left ample loopholes. In an interview for a new documentary, “Surveilled,” that followed my reporting on the subject, Nathaniel C. Fick, the Biden Administration’s Ambassador-at-Large for Cyberspace and Digital Policy, defended the “legitimate law enforcement and national security uses of these technologies,” and declined to answer my questions about specific measures for such use. Few legal experts I spoke with expected the Trump Administration to continue even such halting efforts to self-police government surveillance—nor did they expect that a potential Justice Department under Matt Gaetz would aggressively champion the already porous protections afforded by case law interpreting the Fourth Amendment in the context of personal data privacy. 
Tucker added, “With Trump making it clear that he envisions executive authority as being subject to no legal restraints, with the kind of appointments he’s made, and with the composition of Congress, they believe they can essentially do whatever they want with this technology—to immigrant communities, to activists.”
Decisions by the White House and by Republican lawmakers about spyware will have implications across a variety of policy areas that Trump and his associates are upending and that reach far beyond Washington. In recent years, an array of states, including Texas, Florida, and California, have reportedly purchased spyware and other surveillance technologies; legislators and regulators will dictate whether that trend continues. Since the fall of Roe v. Wade, at least two states have already used private personal data to prosecute people for getting abortions. That practice could expand with more widespread and affordable access to this technology.
Trump has threatened his political enemies, reposting comments calling for a military tribunal for Liz Cheney and observing that General Mark Milley’s behavior would have once been punishable by “DEATH!” He has also demonized the free press, suggesting, for example, that he wouldn’t mind if people were to “shoot through the fake news” and that journalists who protect sources should be imprisoned. These comments target the populations that have been most vulnerable to overzealous spyware campaigns in other Western democracies. “When this happens in an authoritarian system, it is horrific but unsurprising,” Seaford, the technology executive who was hacked during Greece’s spyware campaign, told me. “When it happens in a democracy, however, it creates a sense of disorientation: ‘Could this happen to me? Here? Really?!’ And yet it can, and it does.” ♦