The Italian Privacy Authority has launched significant actions against spyware use, particularly targeting Graphite developed by Paragon Solutions, following widespread reports of its misuse.
On February 12, 2025, the Garante per la protezione dei dati personali issued warnings concerning the indiscriminate use of spyware, particularly the Graphite software, which is produced by the Israeli firm Paragon Solutions. This official communication highlighted the serious legal ramifications associated with the unauthorized use of such software, which can lead to administrative fines potentially reaching €20 million or 4% of the company’s turnover.
This intervention came on the heels of alarming media reports and citizen complaints about the growing prevalence of digital surveillance tools. It has been widely reported that Graphite could infiltrate devices through PDF files sent via WhatsApp, allowing attackers to access user data without any interaction from the user.
The authority underscored the necessity of adhering to legal boundaries when employing electronic communication surveillance. The Garante stated, "The interception of electronic communications must be strictly related to national security objectives, crime prevention, investigation, and prosecution. Any other usage constitutes a severe violation of data protection regulations." This warning serves as a reminder of the fundamental rights at stake.
The Garante plans to continue monitoring the situation closely and is prepared to take additional measures to identify those responsible for the illicit use of surveillance tools. This is not the first time such spyware has come under scrutiny. The infamous Pegasus spyware from NSO Group has previously sparked intense debates worldwide about the dangers posed by unchecked digital surveillance.
Adding complexity to the situation, Paragon Solutions decided to sever its ties with Italy after allegations surfaced about its spyware being employed for espionage via WhatsApp. Reports from outlets such as Haaretz and The Guardian have raised serious questions surrounding the potential misuse of Graphite, which was originally intended for official government operations targeting severe threats, including drug trafficking and terrorism.
Despite these intentions, it appears Graphite has also been used to surveil journalists and human rights activists. Among those reportedly targeted were Francesco Cancellato, editor of the news site Fanpage; Luca Casarini from the NGO Mediterranea; and David Yambio, a South Sudanese activist and president of the organization Refugees in Libya. Yambio was previously victimized under distressing conditions during his detention by the Libyan general Almasri.
Paragon Solutions has expressed concern that the Italian authorities may have breached the contractual terms governing Graphite's use, which led to its decision to block access to the software within Italy. Meanwhile, the Italian government, through statements issued from Palazzo Chigi on February 5, denied any involvement by national intelligence services, asserting that the number of compromised accounts was minimal.
To mitigate concerns, the government activated the national cybersecurity agency and requested investigative measures from the Copasir committee. Concurrently, researchers at the University of Toronto's Citizen Lab are analyzing compromised devices, including Casarini’s, to determine the origin and extent of privacy violations.
The situation has sparked immense scrutiny over the actions of technology companies selling surveillance software to both government and private entities, often without adequate legal oversight. The Garante’s stance seeks to solidify frameworks ensuring the legitimate and controlled use of such tools. The balance between security and privacy is increasingly becoming a focal point for regulators worldwide.
With the surveillance debate intensifying, authorities across Europe are reassessing the dynamics of privacy regulations and technological accountability. The Garante's proactive engagement indicates its commitment to protecting citizens’ rights amid technological advancements encroaching upon personal privacy.