Paragon spyware

Paragon must answer for spyware use against civil society and journalists

Michael Greene, Co-CEO
David Rowe, Co-CEO
Tess Sprechman, Investor Relations
AE Industrial Partners, LP

John Fleming, CEO
Catherine Gray, Director of Operations
Paragon Solutions US, Inc.

Re: Recent findings of Paragon spyware targeting civil society and journalists

We, the undersigned human rights and press freedom organizations and experts, write in light of the newly released findings by the Citizen Lab, which confirm the use of Paragon Solutions’ Graphite spyware against journalists, adding to the previous findings revealing that the company’s technology was used to target civil society actors in Italy, including humanitarian workers. These disclosures, coupled with the Italian Parliamentary Committee for the Security of the Republic (COPASIR) report and prior disclosures by Meta, raise urgent concerns regarding Paragon’s due diligence practices, post-sale oversight mechanisms, and provision of access to remedy for affected individuals.

The current situation illustrates that Paragon’s strategy of selling exclusively to democratic governments as a risk mitigation measure does not inherently offer sufficient protection against the misuse of surveillance technologies. Italy, a European Union member state, a signatory to the Pall Mall Code of Practice for States, and subject to the European Media Freedom Act, nonetheless deployed spyware against individuals engaged in humanitarian work and has not provided satisfactory answers regarding the targeting of journalists in Italy. These developments underscore that voluntary frameworks that primarily rely on classifying spyware end users as responsible versus irresponsible actors are inadequate without strong safeguards, oversight, and enforcement mechanisms.

Among the latest targets of Paragon spyware, forensically confirmed by the Citizen Lab, are journalist Ciro Pellegrino and an anonymous prominent European journalist. Also targeted and confirmed are Luca Casarini and Giuseppe Caccia, individuals involved in search and rescue operations in the Mediterranean. Their surveillance raises significant questions about the deployment of spyware under vague or overbroad national security justifications, as referenced in the COPASIR report with respect to Casarini, Caccia, and other Italian victims.

In the case of journalist Francesco Cancellato, Meta had notified Cancellato that his device was targeted with Graphite spyware. To date, no information has been provided on which government deployed the spyware, and Francesco Cancellato remains without answers or remedy. Meanwhile, Paragon claimed it offered the Italian government a technical means of verification, and that it “stands ready to assist in any investigation, should an official request be made by the Italian authorities.”

While the contract with Italy has reportedly been terminated, this does not absolve Paragon of responsibility for the harms already caused. Reactive contract suspension following public exposure is not a substitute for proactive oversight, transparency, or accountability. The apparent absence of a victim notification process, a remedy framework, and public reporting of clients’ abuses strongly indicates a systemic failure to manage the risks associated with surveillance technology.

Paragon situates itself as a more ethical alternative to other spyware vendors, like NSO Group. However, the ongoing revelations regarding Italy’s use of Paragon’s technology against civil society and journalists raise serious doubts about the company’s compliance with international human rights norms or the expectations outlined in the UN Guiding Principles on Business and Human Rights (UNGPs). This includes the duty to provide remedy where harm has occurred, and to take meaningful steps to prevent future misuse. 

Failure to comply with such norms can also have substantial legal and financial repercussions for Paragon, as well as for its corporate investors. For example, since revelations about NSO Group’s Pegasus first emerged in 2016, the company has been dogged by government sanctions, failed acquisitions, and several legal cases, most recently culminating in a California jury finding NSO Group liable for $447,719 in compensatory damages and a staggering $167,254,000 in punitive damages for targeting WhatsApp’s infrastructure with Pegasus spyware. In 2021, as investigative reporting drew further scrutiny of the company’s operations, the fund through which NSO Group had been acquired two years prior was liquidated. Novalpina Capital Partners, the private equity firm that had led the fund, itself initiated liquidation proceedings in 2023.

In this context, and in light of the confirmed cases of surveillance, we respectfully request a response to the following inquiries:

  • Following the cancellation of the contract with Italy, what exact actions will the company take to end this relationship?
    • What processes and mechanisms are put in place to ensure the government is no longer able to use Paragon’s Graphite spyware after the contract is cancelled?
  • What technical and legal processes and safeguards have been put in place to ensure Paragon is able to detect, monitor, and report on abuses as they happen?
    • Will Paragon commit to independent audits of its logs and other pertinent information in cases of suspected misuse of its technology? 
    • What protocols does the company have to investigate potential misuse of its products flagged either internally or externally by civil society organizations?
  • What data is extracted and stored from an individual’s device once they are targeted by Paragon’s spyware? In and through which jurisdictions? How and where is it retained? Who oversees access privileges?
  • What steps are being taken to remediate the harms to the recently identified victims in Italy?
    • How and when will Paragon provide for or cooperate in the remediation for victims of surveillance who have already been impacted by the documented abuse of its technology?
      • Which stakeholders will the company consult in designing and implementing a process for remediation?
      • Will the company create a grievance mechanism to monitor ongoing adverse impacts on communities and individuals?
    • Will Paragon provide confirmed targets of its spyware with all the information necessary for them to seek remedy, especially in Francesco Cancellato’s case?
  • Will AE Industrial publish a human rights policy addressing spyware use and liabilities, approved by the Board and senior-level officers at the company? 
  • What human rights due diligence (HRDD) program and relevant policies are currently in place at Paragon and Red Lattice?
    • Will Paragon publish a detailed list of its current client base, as well as the list of any clients, besides Italy, that Paragon has ended contracts with due to non-compliance with human rights standards? 
    • What criteria are used to determine whether a country or regime is eligible to use your technology? 
    • How often do you reassess whether countries are still eligible?
    • What mechanisms are in place to respond to changes in country contexts, such as new government leadership?
    • Has such a review been conducted since the Italian disclosures?
    • How is the HRDD program designed to effectively identify, prevent, mitigate, and account for emerging risks and client misuse of your products?
    • Does the company have periodic independent third-party audits of the human rights due diligence program to verify its effectiveness? 
  • Does the company have an employee whistleblowing system under which retaliation against whistleblowers is prohibited and their confidentiality is protected?

The individuals and communities targeted in this case were exercising fundamental rights and carrying out work that contributes to upholding fundamental rights and the pillars of democracy. 

We urge Paragon and AE Industrial Partners to take this opportunity to demonstrate a meaningful commitment to international human rights standards by engaging transparently, providing remedy where warranted, and implementing robust safeguards to prevent recurrence.

We look forward to hearing from you and request a response by July 3, 2025.

Signatories

Organizations:

  • Access Now
  • Amnesty International
  • Centre for Democracy and Technology Europe (CDT Europe)
  • Data Rights
  • Digital Rights Foundation
  • Reporters Without Borders (RSF)
  • Electronic Privacy Information Center (EPIC)
  • Electronic Frontier Foundation (EFF)
  • Fundación Acceso
  • Heartland Initiative
  • MEDITERRANEA Saving Humans
  • Media Diversity Institute – Armenia
  • RESIDENT.NGO
  • Belgrade Centre for Security Policy (BCSP), Belgrade, Serbia
  • Osservatorio Balcani Caucaso Transeuropa (OBCT)

Individuals

  • Ron Deibert (O.C., O.Ont.), Professor and Director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy
  • Hinako Sugiyama, Senior Counsel and Digital Rights Fellow at the International Justice Clinic of the University of California, Irvine School of Law