Americans like to tell ourselves a comforting story about modern surveillance. If your message is encrypted, it is safe. If the government wants what is on your phone, it needs a warrant. If an agency crosses the line, the Constitution snaps back like a rubber band.
That story is getting harder to sustain.
Immigration and Customs Enforcement has now acknowledged that it is using a spyware tool called Graphite, a product associated with so-called “zero-click” phone hacking. In plain English, this is not the government asking WhatsApp for your chats. It is the government attempting to gain access to encrypted messages by compromising a targeted device.
Join the Discussion
What ICE admitted
In an April 1 letter, ICE Acting Director Todd Lyons confirmed that ICE’s Homeland Security Investigations unit is using advanced tools intended to counter transnational criminal organizations and foreign terrorist organizations, with a stated focus on fentanyl trafficking. Lyons wrote that, “in response to the unprecedented lethality of fentanyl and the exploitation of digital platforms by transnational criminal organizations,” he approved HSI’s “use of cutting-edge technological tools that address the specific challenges posed by the Foreign Terrorist Organizations’ thriving exploitation of encrypted communication platforms.”
This was also the first time ICE indicated it is using Graphite specifically. ICE initially signed a $2 million contract with Paragon Solutions for an unspecified software product near the end of the Biden administration. The contract was swiftly paused and later revived last fall under the Trump administration.
The policy debate is obvious. Fentanyl networks are real, and encrypted communications can be a real investigative barrier. But a constitutional system does not let the government solve hard problems with easy power.
Why “zero-click” matters
Graphite uses what is known as “zero-click” technology so it can gain access to encrypted messages on a targeted device even if the user never clicks on a link. That phrase sounds technical, but the civil liberties implications are simple: the user does not have to tap a malicious link or install a suspicious file. The intrusion can occur without the normal human mistakes we associate with hacking.
That changes the privacy calculus in two ways.
- It bypasses user choice. A person cannot protect themselves just by being careful or skeptical.
- It targets the device, not the network. Encryption protects messages in transit. It does not protect you if an attacker can read messages on the device after they arrive.
If encryption is the lock on the mailbox, device spyware is the compromise of the room where you keep the mail.
What we already know about Graphite
Graphite is not an abstract fear. WhatsApp disclosed in early 2025 that it discovered some 90 journalists and members of civil society in various countries were targeted with Graphite. Researchers at The Citizen Lab later identified specific journalists and humanitarian aid providers in Italy whose devices were infected with Graphite through WhatsApp messages. Paragon ended its contract with Italian government agencies in 2025.
That history is why civil liberties advocates hear “zero-click spyware” and do not just think about a narrow, controlled tool. They think about how quickly a capability built for exceptional cases can become a normal instrument of state power.
Fourth Amendment basics
The Fourth Amendment does not ban searches. It regulates them. It demands reasonableness, and it prefers warrants issued by a neutral judge based on probable cause.
The Supreme Court has increasingly recognized that a smartphone is not just another container. It is a place where modern life accumulates: communications, photos, health data, financial records, location history, and the intimate map of who we are.
So the constitutional question Graphite raises is not whether ICE has a “good reason” to investigate. It is whether deploying a tool that can covertly access encrypted messages on a device is a search, and if so, what legal process must come first. And because on-device access can expose far more than a single message thread, the stakes are not limited to what a platform can hand over.
Warrants vs. paperwork
Here is where Americans tend to drift into a dangerous fog: we assume “law enforcement process” is basically the same thing as “a warrant.” It is not.
A warrant is approved by a judge and requires probable cause. An administrative subpoena can be issued by an agency under statutory authority with far less judicial involvement, and often with gag rules and limited adversarial testing.
Digital rights advocates worry that spyware like Graphite could be deployed with weaker process than the public assumes. Cooper Quintin of the Electronic Frontier Foundation warned, “The biggest concern now is that Lyons' response doesn't rule out ICE using an administrative subpoena to deploy this malware against people living in the United States as part of their ideological battle against constitutionally protected protest.”
That is the Fourth Amendment tension in a single sentence: a tool built for the most extreme investigative circumstances can become routine if the gatekeeping is weak.
What Lyons says about safeguards
Lyons stated that any use of the tool “will comply with constitutional requirements” and will be coordinated with ICE’s Office of the Principal Legal Advisor. He also wrote that, in accordance with a 2023 executive order signed by then-President Joe Biden, he had “certified that HSI's operational use of the specific tool does not pose significant security or counterintelligence risks, or significant risks of improper use by a foreign government or foreign person.”
Those are promises of internal compliance and certification. They are not the same thing as external checks, clear public rules, and meaningful remedies when the government gets it wrong.
Why this can spread beyond targets
The instinctive response is: if the tool is aimed at traffickers and terrorists, regular people have nothing to worry about. But surveillance systems rarely stay confined to their first justification.
There are at least three pathways from “narrow” to “everyone.”
1) Association becomes suspicion
If a tool can reach into a target’s encrypted messages, it inevitably pulls in the communications of other people. Friends, family, attorneys, journalists, sources, organizers, and bystanders do not stop existing because the government chose a primary target.
2) Mission creep is bureaucratically normal
Once an agency has invested in a capability, the institutional pressure is to use it. Tools become programs. Programs become budgets. Budgets become permanent.
3) Protests are protected, not surveillance-proof
Lyons’ confirmation that the agency is using spyware comes as ICE has ramped up its use of surveillance technologies to find people in the U.S. without authorization as part of the Trump administration’s mass deportation campaign. Those tools have also been used extensively on American citizens who have protested ICE’s activities. The First Amendment protects speech and assembly. It does not automatically prevent the government from watching, collecting, and storing information about speakers unless courts and legislators set limits that have teeth.
Encrypted messaging and the real “intercept”
When officials talk about encrypted messaging platforms, the public often hears a debate about whether companies should build “backdoors.” Graphite points to a different reality. You do not need a backdoor in the app if you can compromise the device.
That matters because the legal and cultural assumptions around encryption often focus on third parties: the company, the cloud provider, the platform. But device spyware pushes the action closer to the person, executed through the pocket computer that carries their daily life.
And the Constitution has always been most suspicious of general searches, the kind the Founders associated with British “writs of assistance.” If there is a through line from the Fourth Amendment’s origin story to the smartphone era, it is this: broad rummaging is the thing the Amendment was designed to stop.
What DHS says
After questions about Graphite and the concerns raised by advocates, a Department of Homeland Security official wrote: “DHS is a law enforcement agency. ICE is no different. Employing various forms of technology in support of investigations and law enforcement activities aids in the arrest of criminal gang members, child sex offenders, murderers, drug dealers, identity thieves and more, all while respecting civil liberties and privacy interests.”
That is the standard defense of powerful tools: they are aimed at the worst people. The constitutional question is whether the guardrails are strong enough to keep them there.
Oversight is not a press release
Maria Villegas Bravo of the Electronic Privacy Information Center put the larger point bluntly, saying the United States does not have sufficient regulations in place “to stop the U.S. government from abusing Constitutional and human rights in the process of using this technology.”
The constitutional system is built around friction: judges, warrants, particularity, notice, suppression remedies, and legislative oversight. When surveillance is invisible, the friction disappears unless we deliberately rebuild it.
Security cuts both ways
Government agencies often justify powerful surveillance by invoking national security. Here, critics argue the opposite: buying and deploying commercial spyware strengthens a market that can undermine security for everyone.
Villegas Bravo warned, “This is a grave national security risk because it weakens American critical infrastructure, including our telecommunications networks.” The theory is not complicated. If “zero-click” exploits exist and remain valuable, the incentive to discover and weaponize vulnerabilities persists. Those same vulnerabilities can be used by hostile actors.
Constitutional rights and national security are usually presented as rivals. In the digital age, they can overlap. A world where phones are easier to compromise is a world where Americans are less secure from all threats, not just government ones.
What to watch next
This story is not only about one tool. It is about the rules we insist on before the government can enter a device that contains the modern self.
- What process is required? A warrant based on probable cause, or something less?
- Who can be targeted? Only noncitizens? U.S. citizens? Journalists? Lawyers? Protest organizers?
- How specific must authorization be? The Fourth Amendment’s “particularity” requirement is supposed to prevent open-ended rummaging.
- Is there real accountability after? If you never learn you were hacked, you cannot challenge it in court.
The Constitution does not mention encryption. It does not mention malware. It does not mention “zero-click.”
But it does mention the right of the people to be secure against unreasonable searches and seizures. Whether that promise still has practical meaning depends on whether we treat invasive phone hacking as the digital equivalent of breaking into a home, or as just another line item in an investigative toolkit.
The Fourth Amendment question
The Fourth Amendment is often taught as a list of requirements: warrant, probable cause, oath, particularity. But underneath that list is a single civic question that every generation has to answer anew.
How much power are we willing to let the government exercise in secret?
Graphite is not just a technology story. It is a constitutional stress test. And the outcome will be measured not in press releases, but in the quiet boundary between a free citizen and a searchable device.