Spyware-Based Searches for Domestic Criminal Law Enforcement

NSO Group’s and Paragon’s targeting of American markets warrants evaluation of spyware’s potential implications for domestic criminal justice.

Spyware maker NSO Group’s logo over the world. (Contenido libre de R3D/Wikimedia Commons, https://tinyurl.com/yc5sfmcb; CC BY-SA 4.0, https://creativecommons.org/licenses/by-sa/4.0/deed.en).

This article is based partially on a law review article, “The Pegasus Era: Regulating a New Generation of Government Spyware,” published recently in the Georgetown Journal of International Law.

In the United States, NSO Group—the Israeli spyware firm infamous for numerous reported abuses of its product, Pegasus—has been under intense scrutiny in recent years. A series of reports revealed the extent to which NSO’s global clients have abused its spyware, infecting devices owned by journalists, political dissidents, political leaders, and civil rights activists around the world. Yet despite initial U.S. sanctions, in October 2025 NSO confirmed that an American investment group had acquired the company.

The legal discussion surrounding spyware such as Pegasus has often revolved around national security, foreign intelligence, and international law. However, the legal and theoretical frameworks governing such tools in the context of criminal justice and domestic law enforcement are different and underexplored. Here, I present an initial evaluation of how these tools could be legally approached when used in the domestic criminal justice sphere.

Following the Pegasus crisis, the U.S.—which reportedly originally purchased Pegasus itself, presumably for research and not for operational use—sanctioned NSO, among other firms, including by placing it on the Commerce Department’s Entity List. NSO remained active, though, and in October 2025, it confirmed that a U.S. investment group had acquired the company. Shortly thereafter, it was reported that NSO had also named a new chairman, David Friedman, the former U.S. ambassador to Israel. Israeli media has framed this move as part of NSO’s efforts to get off the U.S. blacklist.

Yet, NSO is not the only company interested in selling spyware solutions or digital forensics tools to American law enforcement. Just recently, it was reported that another Israeli spyware firm, Paragon, sold its Graphite spyware, allegedly for use by Immigration and Customs Enforcement (ICE).

These developments raise a pressing question: How should the American legal system treat commercial spyware? Shortcomings in oversight in other democracies that have employed Pegasus demonstrate the dangers of failing to establish clear frameworks: In Israel, for instance, a Ministry of Justice report and a recent State Comptroller report both found that the police used Pegasus in ways that were not compliant with Israeli criminal procedure. The European Parliament’s PEGA report, too, found abuses in certain member states. The U.S. must avoid similar instances of abuse and noncompliant use.

Spyware for Criminal Law Enforcement

As modern technology enables advanced encryption techniques, communications such as phone calls and text messages that were once relatively easy for law enforcement to intercept are now often much harder to obtain. This makes the gathering of evidence using traditional techniques of wiretapping and searching in the criminal context far more difficult. Spyware services could allow law enforcement to take advantage of vulnerabilities or flaws in other programs to infect devices used by suspects and gain access to information that would otherwise be inaccessible. If one believes that certain forms of traditional digital searches and wiretapping are legitimate, then spyware utilized for the same ends could be viewed as equally permissible.

However, different spyware tools may operate differently and with varying degrees of intrusiveness. Pegasus is instructive in this sense. We know that Pegasus has exploited vulnerabilities in widely used platforms and applications—including, for instance, Apple’s iOS and Meta’s WhatsApp—to take over devices held by targets. Earlier versions required some form of social engineering and were based on luring targets into clicking a malicious link or downloading an infected file, but more recent versions have relied on zero-click zero-day vulnerabilities—vulnerabilities previously unknown to the industry, which do not even require the target to make a mistake. Once a device is infected, Pegasus reportedly gains near-total control of it.

In summary, capabilities vary across spyware. As such, Pegasus and similar programs should not be viewed—or legally analyzed—as one unified tool. Rather, any legal analysis evaluating their legitimacy or lawful use within the American legal framework must acknowledge the different mechanisms at play.

Pegasus, it seems, has at least three categories of capabilities: first, the ability to surveil live communications once a device has been infected; second, the ability to search the contents saved on the device, including data created before the infection; and third, the ability to use the device’s hardware, including the microphone and the camera, to surveil the physical space in which the device is located.

Each of the categories should be governed by an entirely different set of rules and regulations, warranting distinct legal analyses. In a recent article, I aim to provide an analysis of each of these capabilities within the American statutory framework. As an initial step, this analysis requires making delicate interpretative determinations. As is often the case at the intersection of law and technology, the language of the law is never completely adequate, and it requires analogies and assumptions to be applicable. It requires, for example, understanding in which “bucket” of legal tools each application of spyware should be located.

Electronic Communications Privacy Act (ECPA) and Rule 41

With respect to what could be described as “natural communications” conducted using a phone, including phone calls, text messages, and similar exchanges, there is a strong argument that existing definitions of wire and electronic communications under the Wiretap Statute of the Electronic Communications Privacy Act (ECPA) apply.

Sections 2510 and 2516 allow law enforcement to intercept live content within the category of electronic communications. Other capabilities within this category may raise more complex problems. For example, questions arise as to whether live Google searches, saved drafts that have never been sent to another person, or conversations with artificial intelligence chatbots constitute communications that may be subject to interception as live communications under this framework.

The second category of spyware capabilities allows operators to search a target’s device for anything saved on it—even content created before the infection itself, including communications, as well as files, photos, notes, calendars, and similar materials. This category of capabilities, I argue, is much closer to traditional searches, rather than wiretapping or communications interception. Reading one’s notes and calendars, or going through photo albums, may occur remotely, without the need to physically enter one’s office or home. Regardless, such activity remains protected by the traditional legal safeguards governing searches.

A potentially applicable statutory framework in this regard is Rule 41 of the Federal Rules of Criminal Procedure, which governs the issuance of warrants, including who may issue them, what they must contain, the purposes for which they may be used, and the manner in which they must be executed and returned. For instance, if a court grants law enforcement a warrant authorizing the search of a photo album using spyware pursuant to Rule 41, the police—though technically capable of accessing other content as well—may not lawfully do so and may search only what has been explicitly permitted.

The third, and perhaps most intrusive, category of reported capabilities offered by Pegasus includes access to features that generate new content or data using the device itself, as opposed to content already saved on the device. This category may include generating maps using geolocation data, using the camera to film, or using the microphone to record. These capabilities are much closer to installing a tracker on a suspect’s car or a hidden camera in one’s office or home. Those leveraging these spyware capabilities are interested in the device as an independent tracker, camera, or microphone.

In some respects, this method may be less invasive than physically installing a camera in a particular location, for example, because no physical intrusion is necessary. However, any widespread use of this feature without meaningful limitations, such as restricting its use to a specific room in which the phone is located or to times when the phone is located in a public space, may fall outside existing legal frameworks or at least remain insufficiently addressed by them, leaving significant room for potentially disturbing abuse.

Admittedly, these arguments rely on analogies and interpretive efforts to fit spyware within existing legal frameworks and categories of investigative authorities. Each of these analogies is contestable and gives rise to counterarguments. Moreover, they raise broader and novel questions: whether warrants in their current form can meaningfully oversee and constrain the use of spyware; what potential liability may attach to both government actors and spyware vendors in cases of abuse; how contracts with such vendors should be structured; and what access vendors themselves may have to the data collected. These are unresolved questions in a rapidly developing space and warrant substantial future scholarly attention.

Spyware and the Fourth Amendment

A separate but related set of questions focuses on the intersection between spyware tools and the Fourth Amendment of the U.S. Constitution. Employing Pegasus, or any similar spyware, to infect a phone should certainly constitute a search. A less obvious question, though, is when that search begins and at what point law enforcement must be equipped with a warrant. This question can be analyzed through at least two doctrinal routes. The first is the more familiar route of the reasonable expectation of privacy doctrine, grounded in cases such as Katz v. United States, and Carpenter v. United States. Another approach could analyze the deployment of Pegasus-like spyware as a form of trespass, under doctrines such as those of United States v. Jones. Both routes lead to the conclusion that infecting a phone with spyware is indeed a search under the Fourth Amendment, but I argue that the latter approach may be preferable, as it grants broader protection and is analytically more accurate.

Indeed, modern Supreme Court jurisprudence has analyzed Fourth Amendment cases primarily through the lens of the reasonable expectation of privacy doctrine, broadly holding that an action constitutes a search if it violates one’s reasonable expectation of privacy. Individuals are generally protected from unwarranted searches when such an expectation exists. Searching someone’s WhatsApp messages using spyware quite obviously violates a reasonable expectation of privacy and therefore requires a warrant.

But consider a less obvious Pegasus-based search. Assume that the government infects a phone with spyware, and that the only information viewed through the infected device is the user’s public X profile. The operator infects the target’s phone, launches the X app, navigates directly to the public profile, reads it thoroughly, and then logs out. In theory, the information obtained through this procedure could have been obtained simply by viewing the user’s public X account from any computer, without any infection, without any warrant, and without violating any reasonable expectation of privacy. Does that mean that the entire infection was not a search? This does not seem right, as the spyware infection clearly breaches the integrity of the phone.

This is an extreme example, but one can imagine more practical scenarios that raise the same question. For instance, law enforcement might infect a phone and then launch the camera, only to discover that it has been covered by physical duct tape; or the police might use Pegasus to obtain a WhatsApp correspondence, only to find that the exact same correspondence had already been publicly posted by the target, thereby eliminating any reasonable expectation of privacy. I argue that these examples nonetheless constitute searches requiring a warrant, but they are more difficult to analyze using the reasonable expectation of privacy doctrine. The problem in these cases is not the information obtained or any reasonable expectation of privacy the user had in any data. Rather, it is the trespass into the target’s phone itself.

Personal “cyberspace” could be as private and sensitive as any physical space. Accordingly, intrusion into that space, I argue, constitutes a search based on a more literal reading of the Fourth Amendment, inspired by older cases such as Olmstead v. United States and, more recently, the aforementioned Jones. There, Justice Scalia focused on the physical aspect of the intrusion—in that case the use of a tracker to follow a person’s vehicle—noting that Katz’s reasonable expectation of privacy doctrine “established that ‘property rights are not the sole measure of Fourth Amendment violations,’ but did not ‘snuf[f] out the previously recognized protection for property.’”

In this context, the Fourth Amendment test focusing on trespass into a space may be perceived as more conservative and, in many contexts, as potentially leading to weaker or narrower protections. However, in the examples discussed here, it perhaps somewhat counterintuitively imposes stricter Fourth Amendment constraints on the government. Under this approach, the very act of infecting a phone with spyware, regardless of whether private information is ultimately obtained, constitutes a search. This conclusion is uniquely important because it limits any law enforcement agency’s incentive to infect large numbers of phones before obtaining a specific warrant. It also requires law enforcement to secure a warrant and undergo judicial oversight before the infection is initiated, and even if the attempt ultimately fails, as the Israeli Ministry of Justice repeatedly found to be the case.

*          *          *

The U.S. may find itself following the path of fellow democratic nations that have used, and continue to use, spyware in law enforcement. While the use of spyware is not illegitimate per se (and may even be necessary to enable law enforcement to confront modern crime), any deployment of such tools must occur only after careful policy and legal evaluation. Based on what we know about Pegasus’s capabilities, spyware should not be viewed as a monolithic tool, but rather as a toolbox with distinct capabilities, grouped into three main categories: the ability to intercept live communications, the ability to search saved content, and the ability to surveil physical space using the infected device’s hardware. Each of these categories should be analyzed using different statutory frameworks.

– Yotam Berger is a J.S.D. candidate at Stanford Law School, where he is a Stanford Interdisciplinary Graduate Fellow and a Knight-Hennessy Scholar. He previously clerked at the Supreme Court of Israel, worked for Israel’s Deputy State Attorney, and served as Haaretz’s West Bank correspondent. His research examines cybersurveillance and the evolving relationship between law enforcement, Big Tech, and the commercial spyware industry. Published courtesy of Lawfare


©2026 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.