Efforts to establish clear policy guardrails around commercial surveillance tools are facing new complexities. Over the past several years, vendors of these tools encountered economic sanctions, legal proceedings, and government restrictions. These actions provided security researchers and digital rights advocates with indicators that the industry was facing necessary structural limits. Unregulated surveillance tools pose direct risks to targeted groups, including journalists, human rights advocates, and government officials—and weaken broader cybersecurity. The zero-day vulnerabilities discovered by these vendors are often utilized by other threat actors to enable widespread unauthorized access.
A notable milestone in holding the industry accountable occurred last month with the conviction of four individuals in Greece, including Tal Dilian, founder of the surveillance firm Intellexa. A Greek court found Dilian and three others guilty of criminal charges related to the deployment of Predator surveillance software against political candidates and journalists, activity initially identified in 2022.
Recent developments in the US, however, indicate a potential shift in federal posture. In September, reports indicated that US Immigration and Customs Enforcement (ICE) reactivated a contract with Paragon Solutions, an Israeli company recognized for its "Graphite" Android surveillance tool. ICE originally signed the contract in 2024, but the agreement was paused following concerns that it conflicted with a 2023 executive order prohibiting federal agencies from using commercial surveillance technology that poses security risks.
The reactivation of the Paragon contract generated concern among technology and civil society organizations, including the Electronic Frontier Foundation (EFF) and Access Now. EFF senior staff technologist Cooper Quintin described the move as "extremely troubling," noting that Graphite had previously been identified in unauthorized access incidents involving Italian journalists and political advocates.
"Without strong legal guardrails, there is a risk that the malware will be misused in a similar manner by the US government," Quintin stated.
Rebecca White, a researcher with Amnesty International's Security Lab, observed the broader trend: "I don't want to sound too negative because this is certainly something to build on. But it's pretty grim right now."
Further complicating the policy situation, the US Treasury Department's Office of Foreign Assets Control (OFAC) unexpectedly lifted sanctions in late December against three Intellexa executives: Sara Hamou, Merom Hapraz, and Andrea Gambazzi. The individuals and associated corporate entities were originally sanctioned earlier in 2024.
Michael De Dora, US policy manager at Access Now, noted these sanctions were a significant measure because they included visa restrictions. Advocacy organizations had spent years advising lawmakers on the systemic risks of commercial surveillance and the complex corporate structures vendors use to obscure operations. "We were all shocked when they were removed," De Dora says. "and the US government, I'm in the camp of very concerned right now, though we're not at a place yet where everything is getting rolled back."
The reversal surprised policy experts, particularly given that Hamou was convicted in the Greek court proceedings just weeks after her US sanctions were removed. Maria Villegas Bravo, counsel at the Electronic Privacy Information Center (EPIC), questioned the evidentiary basis for the policy change, asking what data the US government relied on given the overlapping criminal proceedings. Additionally, De Dora observed that federal agencies currently have fewer technology-focused staff equipped to evaluate commercial surveillance risks.
Changes in corporate ownership represent another structural shift. Two primary surveillance vendors, both founded by former Israeli military and intelligence personnel, recently transferred ownership to US investors. In 2024, AE Industrial Partners, a Florida-based private equity firm, acquired Paragon for approximately $500 million. In October, a US investor group led by Robert Simonds purchased NSO Group for an undisclosed amount.
NSO Group is widely known for its Pegasus software, which was linked to the surveillance of Jamal Khashoggi in 2018. Meta also successfully sued the company over unauthorized access to WhatsApp infrastructure to distribute Pegasus, resulting in a $4 million damages award (reduced from an initial $167 million).
Given the legal and regulatory constraints facing these companies, the acquisitions suggest a strategic effort to navigate federal policy. Villegas Bravo noted that NSO Group observed the reactivation of Paragon's US contract following its sale to AE Industrial Partners, indicating a potential path to regulatory acceptance. Following its acquisition, NSO Group appointed David Friedman. Former US ambassador to Israel—as chairman and published a transparency report in January promising "a renewed focus on accountability."
Policy advocates remain cautious about whether these internal changes will translate to verifiable security improvements. Meanwhile, technical telemetry continues to show high activity levels; a recent Google report indicated that commercial surveillance vendors utilized the highest number of zero-day vulnerabilities globally in 2025.
For organizations and individuals evaluating their threat models against commercial surveillance tools, foundational security practices provide substantial defense. Advanced surveillance software typically requires expensive zero-day vulnerabilities to bypass current operating systems. Ensuring devices receive the latest security updates, enabling specialized configurations like Lockdown Mode (iOS) or Advanced Protection Mode (Android), and utilizing ephemeral messaging can significantly reduce the likelihood and impact of unauthorized access.