Honored to be invited to share my views on the podcast. You are a gentleman and a scholar. Thank you for having me

The internet needs YOU to stand up against surveillance abuses & mercenary spyware. Thank you for your attention to this matter.

NEW: foreign mercenary spyware is coming to the US. ICE just quietly unsuspended contract with spyware maker #Paragon. They got caught this year being used to hack journalists. Friend, let me me bring you up to speed on why this is bad on multiple fronts. YOUR BACKGROUND BRIEF: #Paragon was co-founded in Israel in 2019 by ex head of Israel's NSA equivalent (Unit 8200) w/ major backing from former Israeli PM Ehud Barak. Pitched themselves as stealthy & abuse-proof alternative to NSO Group's Pegasus. The company has been trying to get into the US market for years. For a long time all we knew about Paragon was their performance as a 'virtuous' spyware company with values. All that came to a crashing halt in 2025 when they got very caught, helping customers hack targets across #WhatsApp. WhatsApp did the right thing & notified users. Almost immediately after the WhatsApp notifications, we started learning about the targets. They weren't the supposed serious criminals... They were Journalists... human rights defenders...groups working on sea rescues.. etc In other words, a very NSO-like scandal. Ultimately Paragon & its Italian customer had a massive spyware scandal on their hands. WhatsApp wasn't the only player tracking paragon & doing user notifications. Apple got in on the game. Ultimately, we at the Citizen Lab had forensically analyzed cases from each notification round. We testified to Italy's parliamentary intelligence oversight committee about our findings. The conclusion? Deeply unsatisfactory. Italy admitted hacking some targets, but denied hacking journalists. Tons of loose ends with Paragon. And they haven't been honest about who used their tech to hack journalists in Europe. BIG PICTURE: After 14 years investigating countless spyware companies, I tell you with confidence: Mercenary spyware is a power abuse machine incompatible with American constitutional rights and freedoms. Our legal system isn't designed for it, oversight mechanisms are woefully inadequate to protect our rights... Here's the thing. You probably know that mercenary spyware like #Pegasus gets sold to dictators. Who, predictably, abuse it. But We have a growing pile of cases where spyware is sold to democracies... and then gets abused. HISTORY LESSONS History shows: secret surveillance usually winds up abused. The history of the US is littered with surveillance abuses. Thing is, our phones offer an unprecedented window into our lives. Making zero-click mercenary spyware an especially grave risk to all our freedoms. If the government has wants access to your accounts for law enforcement...they have to prepare a judicially authorized request and send it to the company, which reviews it. Mercenary spyware bypasses any external review. And the whole industry behind it seeks maximum obscurity. COUNTERINTELLIGENCE THREATS? YEAH THAT TOO I'm concerned about the impact on our rights an dour privacy. But there's something else that should worry everybody about the choice to work with the company: Paragon poses a potentially grave counterintelligence threat to the US. Let me explain. When you use an integrated spyware package to conduct sensitive law enforcement / intelligence business, you have to place a lot of trust in them... If the developers originate from a foreign intelligence service that aggressively collects against the US government, that should be a huge red flag. America (or any country) should be maximally wary about using foreign-developed surveillance tech for the same reason that America shouldn't operate a Chinese-made stealth fighter. So, have Paragon's spyware, people & ops been aggressively vetted for technical and human counterintelligence risks? MERCENARY SPYWARE = FATE SHARING Paragon's #Graphite mercenary spyware shares the same downsides as other products in their class: ❌They keep getting caught We researchers aren't the only ones that have found techniques for tracking and identifying Paragon spyware... I'm sure hostile govs have too. ❌Customers fate share. Since all customers roll the same tech, when one gets caught it impacts & potentially exposes everyones' activities. Now, that fate sharing will include US law enforcement activity. WHAT CAN YOU DO? What can you do? Take 5 minutes and call your member of Congress. Ask them to request a briefing on Paragon. They should ask whether the company was properly vetted & reviewed. What is the oversight mechanism for this maximally invasive technology? What are the guardrails? How would abuses be handled? Etc. PERSONAL SECURITY? Paragon & this category of spyware is fiendishly hard to track & defend against. And on a personal level? Apple's Lockdown Mode & Android Advanced Protection both offer some serious security benefits but neither is a silver bullet.. Unfortunately, as of right now I am pretty confident that no publicly available / commercially developed third party tool can reliably detect Paragon spyware either in realtime. Or retrospectively. Beware a false sense of security. If you got this far & found this post useful, let me know! Drop a comment. SELECTED READING LIST Exclusive: ICE reactivated its $2 million contract with Israeli spyware firm Paragon, following its acquisition by U.S. capital https://jackpoulson.substack.com/p/exclusive-ice-has-reactivated-its Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/ Graphite Caught First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/

Voices of I, 2019 Kaori SOMEYA https://www.someyakaori.com/

GOOD MORNING: WhatsApp caught & fixed a sophisticated zero click attack... They just published an advisory about it. Say attackers combined the exploit with an Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody) That's a CROSS-APP exploit chain. Which is fancy. We'll discuss in a second. But wait, you say, haven't I heard of WhatsApp zero-click exploits not so long ago? You have. A big user base makes a platform big target for exploit development. Attacker's perspective = an exploit against a popular messenger gives you potential access to a lot of devices. The regular tempo of large platforms catching sophisticated exploits is a good sign. They're paying attention & devoting resources to a growing category: highly targeted, sophisticated attacks. But it's also a reminder of the magnitude of the threat. Here's the Apple CVE. Somewhere, earlier this summer, some people in a room probably had a bad day when this clever cross-app chain stopped working. The cross- app chain = probably also a sign of the increasing tech lift required to get to device compromise. Consequence of various mitigations. The cost-to-compromise is only going up. Which is arguably a sign that the increasing scrutiny + efforts by platforms & OS developers is having an impact. That said, the threat of this stuff is going nowhere because there's an infinite governmental appetite for compromise. Still, I'd argue that increasing costs of zero-clicks has the effect of pricing out a bunch of potential actors which slows the proliferation of this tech to *some* bad actors. WhatsApp Advisory: https://www.whatsapp.com/security/advisories/2025/ Apple Advisory: https://support.apple.com/en-us/124925

Friend, If scrolling leaves you feeling hollowed... If anger is frictionless and thinking feels like fighting the current, You're not swimming, you're being swept in an algorithmic rip tide. And your mental clarity is the target. So, take a beat and step out Put the thing down. Connect with your own thoughts. It's what the designers of these algorithms fear most.

NEW: Analysis finds UK's age verification rollout is producing exactly the opposite of the desired effect: Driving traffic non-compliant adult sites. Which punishes compliant ones. Entirely predictable. The more the government squeezes, the more they reward the very sites that scoff at their rules. And then there's the matter of the UK government asking people to please stop using VPNs... It's a harmful embarrassment. The UK's age verification law forces law-abiding citizens to hand over personal data / scan their faces as they browse. Compelling folks to participate a massive clandestine census of browsing activity. As these troves of data grow, they expose everyone to the risk of new breaches. And worse. Read more: https://www.washingtonpost.com/technology/2025/08/31/age-verification-uk-porn-sites/