The Israeli spyware maker Paragon Solutions has been accused of selling its surveillance technology to at least six governments, including Australia, Canada, Cyprus, Denmark, Israel, and Singapore, according to a new report by the renowned digital security lab, Citizen Lab. This revelation contradicts Paragon's previous claims of only selling its technology to democratic regimes.

The report, published on Wednesday, identifies the six governments as "suspected Paragon deployments" and provides strong circumstantial evidence to support the link between Paragon and the infrastructure mapped out by Citizen Lab's researchers. The researchers were able to identify several IP addresses hosted at local telecom companies, which they believe are servers belonging to Paragon customers.

This scandal comes on the heels of a similar controversy in January, when WhatsApp notified around 90 users that they were targeted with Paragon spyware, prompting an outcry in Italy, where some of the targets reside. Paragon's executive chairman, John Fleming, had attempted to distance the company from its competitors, such as NSO Group, by claiming that Paragon only licenses its technology to a select group of global democracies, principally the United States and its allies.

However, Citizen Lab's report suggests that Paragon's claims may be nothing more than a PR exercise. The researchers were able to develop several fingerprints capable of identifying associated Paragon servers and digital certificates, which led them to a digital certificate registered to Graphite, Paragon's codename for its spyware tool. This operational mistake by Paragon provides strong evidence of its involvement with the identified governments.

Among the suspected customer countries, Citizen Lab singled out Canada's Ontario Provincial Police (OPP), which appears to be a Paragon customer given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP. TechCrunch reached out to spokespeople for the implicated governments, but none responded to requests for comment.

Paragon's Fleming responded to the report, stating that Citizen Lab had provided "a very limited amount of information, some of which appears to be inaccurate." However, he failed to specify what information was inaccurate and did not respond to questions about whether the identified countries are indeed Paragon customers.

The report also sheds light on the technical aspects of Paragon's Graphite spyware, which targets and compromises specific apps on the phone without needing any interaction from the target. This approach may make it harder for forensic investigators to find evidence of a hack, but it gives app makers more visibility into spyware operations. According to Bill Marczak, a senior researcher at Citizen Lab, "Paragon's spyware is trickier to spot than competitors like NSO Group's Pegasus, but, at the end of the day, there is no 'perfect' spyware attack."

Meta, the parent company of WhatsApp, has confirmed that the indicator referred to as BIGPRETZEL is associated with Paragon's spyware. In a statement, Meta expressed its commitment to protecting people's ability to communicate privately and holding companies like Paragon accountable for their actions.

The implications of this report are far-reaching, highlighting the need for greater transparency and accountability in the surveillance technology industry. As the use of commercial spyware continues to pose a threat to civil society, it is essential that companies like Paragon are held to account for their actions and that governments are transparent about their use of surveillance technology.