DHS Said on May 22 That ICE Has 'No Relationship' With Paragon Solutions—But the Agency Refused to Say Whether It Switched to a Different Spyware Vendor, and ICE's Outgoing Director Already Confirmed Homeland Security Investigations Is Using Commercial Spyware

Key Takeaways

• DHS told NPR on May 22, 2026 that Immigration and Customs Enforcement has "no current contract or relationship" with Paragon Solutions.
• Paragon's Graphite spyware can remotely infiltrate a target's phone and read encrypted messages without the target clicking anything—a zero click capability previously associated mainly with NSO Group's Pegasus.
• On April 1, 2026, acting ICE director Todd Lyons confirmed in a letter that Homeland Security Investigations had been approved to use commercial spyware—without naming the tool.
• DHS declined to answer whether ICE is now using a different spyware vendor, leaving open the possibility that the agency switched suppliers rather than discontinued the capability.
• The Trump administration reinstated the ICE Paragon contract in August 2025 after a previous stop work order, and Executive Order 14093 from 2023 still nominally restricts US government use of commercial spyware that has been abused against Americans or dissidents abroad.

What Did DHS Actually Say on May 22?

NPR's Jenna McLaughlin reported that the Department of Homeland Security responded to repeated questions about ICE's relationship with Paragon by stating the agency has "no current contract or relationship" with the company. The phrasing matters. "No current contract" leaves room for past contracts, future contracts, contracts held by a parent or subsidiary entity, and contracts with a different commercial spyware vendor in the same space.

When NPR pressed DHS on whether ICE was using spyware from another vendor, the agency declined to answer. Civil liberties advocates including the ACLU and Access Now called that refusal the actual story. The denial does not establish that the agency is not running zero click intrusion tools against phones inside the United States. It establishes that the agency does not want to confirm or deny it.

Paragon Solutions is one of three vendors that dominate the commercial zero click spyware market alongside NSO Group's Pegasus and Intellexa's Predator. All three tools are documented to have been used against journalists, activists, lawyers, and political opposition figures, often by governments that originally bought them for narrower counterterrorism use cases.

What Did the April 1 Letter Say?

In response to Congressional oversight inquiries, acting ICE director Todd Lyons wrote a letter on April 1, 2026 confirming that Homeland Security Investigations had been approved to deploy commercial spyware. The letter did not name the tool. It did not specify whether the spyware was being used domestically, against US citizens, or against non citizens. It did not list the case types in which spyware was being authorized.

The Lyons letter is the closest the executive branch has come to a written acknowledgment that ICE—an agency conducting most of its operations inside the United States against people who frequently are legally present—has the capability to remotely take over a phone, read every message that has ever been sent on it, exfiltrate stored files, and turn on the microphone or camera.

Lyons left the position shortly after the letter. His replacement has not addressed the spyware question publicly. The Lyons letter remains the only formal acknowledgment.

What Is Executive Order 14093?

In March 2023, the Biden White House issued Executive Order 14093 restricting US government use of commercial spyware. The order does not ban federal acquisition outright. It conditions acquisition on a determination that the specific tool has not been used by foreign governments to target US citizens, US government personnel, journalists, dissidents, or political opposition figures abroad. The order requires interagency review and reporting before any acquisition.

Paragon's Graphite has surfaced in multiple reports of abuse against journalists and civil society, most prominently in Italy's Paragon scandal where the company refused to help investigate when journalists' phones got hacked. Whether those reports would have disqualified Paragon under EO 14093 was an open legal question when the Trump administration reinstated the ICE contract in August 2025 and lifted the prior stop work order.

The May 22 denial sits inside this larger legal frame. If ICE has truly cut Paragon, the question is what triggered the change—an EO 14093 determination, political pressure, a switch to a vendor that has fewer documented abuses, or simply a public messaging strategy designed to deflect oversight.

How Does Zero Click Spyware Actually Work?

A zero click intrusion delivers the malicious payload through a protocol the phone is required to process automatically. The historic delivery vector for Pegasus and Predator was iMessage—the phone receives a specially crafted message, the OS attempts to parse it before showing it to the user, and a vulnerability in the parser is exploited to run attacker code. Push notifications, voicemail metadata, and call setup signals have all been used as alternative delivery channels in documented cases.

Once the payload runs, the spyware has the same privileges as the operating system. It can read every message in iMessage, WhatsApp, Signal, Telegram, and Gmail. It can exfiltrate stored photos and documents. It can activate the microphone and camera. It can record keystrokes and screen captures. The encryption protecting the messages in transit is not bypassed—it is rendered irrelevant because the malware is reading the messages after the legitimate client has decrypted them locally.

There is no consumer defense against a successfully delivered zero click. Apple's Lockdown Mode reduces the attack surface enough to have repeatedly blocked Pegasus delivery in the field. Keeping iOS and Android current does the same. Beyond that, the only protection is the discipline of vendors not to sell to actors who will abuse the tool, which has not held up well historically.

What Does This Mean for Email Privacy?

Spyware on a target's phone reads email the same way the legitimate mail client reads it—after decryption, in the clear, alongside everything else the OS has access to. End to end encryption does not help. Encrypted email providers like ProtonMail and Tuta cannot defend against an endpoint that is owned at the OS level.

For most people, this is not the relevant threat model. ICE's spyware capability, if it exists, is targeted, expensive, and used in a small number of cases per year. The much larger threat to most inboxes is the same one we have written about repeatedly—commercial tracking pixels and link redirects that turn every marketing email into a behavioral data feed sent to dozens of third parties. That data is sitting in databases that government agencies do not need spyware to reach. They send legal process to the data broker, and the data broker hands it over.

The defensive answer is the same it has always been. For most people, the right priority is to stop loading the trackers that put your inbox behavior into commercial databases in the first place. For high threat individuals—journalists, activists, dissidents, lawyers handling sensitive client work—the right priority is Lockdown Mode, current OS, narrow contact lists, and assume that any communication channel running on a phone you also use for daily life is potentially compromised at the endpoint. See also our coverage of the IFJ's global mapping of how governments spy on journalists for context on the broader threat landscape.