Spyware, Surveillance, and Broken Source Protection

For a growing number of journalists, the most dangerous place in a newsroom is the phone in their pocket. Commercial spyware such as Pegasus, Predator, and Graphite has turned everyday devices into remote listening posts that can be activated without a click, a tap, or any visible sign that anything is wrong. In the past few years, forensic teams and platform disclosures have tied these tools to operations against reporters in Europe, the Middle East, and beyond, sometimes tracing infections back to governments that publicly claim to defend press freedom. A single zero-click exploit can now grant an operator live access to encrypted apps, contacts, location histories, and draft files, eroding the distinction between “digital risk” and the basic ability to communicate with a source in confidence.

A journalist can take every physical precaution and still lose the story through a compromised phone. Modern commercial spyware has turned devices into liabilities that can inadvertently expose confidential sources, drafts, location histories, and entire contact networks. Paragon Solutions’ Graphite, an Israeli-made product licensed for export by Israel’s defense authorities, demonstrated the extent of this in 2025. Forensic work by Citizen Lab and subsequent reporting revealed that Graphite had been deployed against European journalists through zero-click exploits. Targets did not have to tap a link or open a file. The spyware could silently infect iPhones and Android devices, infiltrate encrypted apps such as WhatsApp and Signal, and provide operators with a real-time window into messages, calls, and contacts that were assumed to be protected. Editors at an Italian investigative outlet were among those hit, and WhatsApp later disclosed that dozens of journalists and civil society figures across roughly two dozen countries were swept up in the same campaign.

Graphite is part of a broader Israeli-centered industry. NSO Group’s Pegasus remains the most prominent example, also licensed by Israel’s Ministry of Defense. In 2024 and 2025, investigations traced Pegasus infections to exiled reporters from Russia, Belarus, and Latvia living in the European Union, and to journalists, lawyers, and activists in Jordan and the Balkans. In Serbia, rights groups described a “digital prison” in which police and security services installed spyware on phones during interrogations and detentions, then uploaded screenshots and contact lists to state servers. Past technical work has also documented Pegasus infections on the devices of Palestinian activists and media workers, signaling to both Palestinian and Israeli journalists that their communications may be captured along with those of their sources. In a landscape already shaped by military censorship and intensive signals intelligence, digital surveillance of phones compounds the risk that any conversation with a reporter inside Israel or the occupied territories will leave a trail that authorities can follow.

European institutions now regard spyware as a central issue for press freedom. The Council of Europe’s platform on the safety of journalists lists Pegasus, Predator, Graphite, and similar tools as among the most serious threats to media freedom on the continent. The European Media Freedom Act includes safeguards intended to restrict arbitrary surveillance of journalists and to raise the threshold for invoking national security. Press freedom and digital rights groups point out that enforcement is uneven and that broad security exemptions still grant governments significant latitude to monitor journalists and their networks, particularly those covering organized crime, corruption, and security services.

The United States occupies a distinct position, both as a venue for accountability and as a jurisdiction with extensive surveillance powers of its own. A federal jury ordered NSO Group to pay substantial damages for hacking WhatsApp users, including journalists and activists. The U.S. government has placed several spyware vendors on a trade blacklist and issued directives restricting federal agencies from purchasing their products. At the same time, U.S. reporters operate in an environment where leak investigations, secret subpoenas for phone and email records, and broad foreign-intelligence collection authorities have already swept up journalistic communications. Border agents can search and image devices, local police departments use forensic tools to extract data from seized phones, and reporters covering national security, immigration, and protests know that an arrest or secondary screening can expose entire contact lists and message histories. Even without Pegasus on a U.S. agency’s procurement list, the practical risk to confidential conversations remains real.

The damage extends far beyond the individual journalist whose phone is compromised. These tools collect precisely the information that enables reporting. One successful infection can reveal a reporter’s complete list of sources, patterns of contact, travel routes, off-the-record conversations, and the identities of whistleblowers who believed they were speaking from the shadows. Exiled journalists who thought distance would finally give their sources some protection discover that their devices can pull those sources back within reach of the governments they fled. Once word spreads that authorities, whether in Europe, Israel, or the United States, are hacking phones or extracting data at borders and police stations, potential sources draw the obvious conclusion. They stop calling. They avoid encrypted apps they once trusted. They decide that silence is safer than seeing their names appear in a seized device log. Courts and censors need not intervene. Surveillance fills the gap and performs the work of censorship while the public record thins out.

The result is a form of censorship that rarely announces itself. When spyware and device searches can silently expose every call, contact, and encrypted chat, the cost of speaking to a reporter becomes unpredictable, especially for whistleblowers, dissidents, and people living under hostile governments. Each new revelation about Pegasus on an exiled journalist’s phone, Graphite on an editor’s device, or bulk data pulled at a border checkpoint teaches the same lesson to potential sources: any conversation may be replayed in a security service office later. Faced with that knowledge, many choose not to send the message, make the call, or meet at all. The story does not die because a censor’s pen strikes it out. It dies because the people who could tell it decide that the safest version of the truth is the one that never leaves their own heads.