Digital Conflicts is a bi-weekly briefing on the intersections of digital culture, AI, cybersecurity, digital rights, data privacy, and tech policy with a European focus.

Brought to you with journalistic integrity by Guerre di Rete, and authored by Carola Frediani and Andrea Signorelli.

N.22 - 17 June 2025

“Any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable, if confirmed,” the European Union’s executive branch said in a statement Wednesday in response to questions from members of parliament. The European Commission “will use all the tools at its disposal to ensure the effective application of EU law.”
That was the message from the European Commission on June 11, 2025, responding to questions from EU Parliament members about Italy’s use of spyware.

“The Commission is aware of the recent reports on the use of Paragon,” said the executive vice-president and responsible for Democracy, Henna Virkkunen, who warned Italy that the new European Media Freedom Regulation (EMFA) will be applicable from August 8, 2025, and “the Commission will use all the tools at its disposal to ensure the effective application of EU law.
The regulation specifically bans authorities from using surveillance tools against journalists, except in rare cases of overriding public interest. Still, critics warn that the “national security” loophole could allow spyware to sneak onto journalists’ devices under the guise of security needs.

The Copasir Report: What We Know

The Commission’s intervention followed days of apparent silence, as if the Paragon case had faded away. But the story, like a persistent virus, keeps resurfacing. On June 4, the Italian parliamentary intelligence oversight committee (Copasir) confirmed that Israeli company Paragon did indeed sell its Graphite spyware to Italy’s intelligence agencies, AISI and AISE, starting in 2023. According to Copasir, the version of Graphite provided did not allow activation of microphones or cameras, but did let operators access encrypted communications on targeted devices.

Copasir wrote in its report: “Since January 2024, Graphite has been used to acquire dynamic data—ongoing communications through encrypted instant messaging systems—on a very limited number of users, always with authorization from the Chief Prosecutor at the Rome Court of Appeal, as well as to extract chat messages stored on targeted devices.”

Mediterranean Activists Targeted

The report also confirmed that Graphite exploited a WhatsApp vulnerability patched by Meta in December 2024, just a month before the spyware’s use became public. Most importantly, Copasir verified that both Luca Casarini and Giuseppe Caccia, leading figures in the NGO Mediterranea Saving Humans, were intercepted using Graphite. David Yambio, spokesperson for Refugees in Libya, was wiretapped by traditional means, while chaplain Don Mattia Ferrari was not directly targeted. These activists are known for their work rescuing migrants at sea.

Italian online news outlet Fanpage summarized Copasir’s findings: “Casarini was targeted in two separate operations, both authorized by then-Prime Minister Giuseppe Conte. The first lasted a few months between 2019 and 2020; the second, broader operation began on May 26, 2020, as a phone tap and ended in May 2024 under the Draghi and Meloni governments. Graphite was authorized for use on September 5, 2024, by Undersecretary Mantovano. Casarini, Caccia, and Yambio were all monitored, but Don Ferrari was not, although a phone registered to him but used by Yambio was tapped without Graphite. Copasir found that all operations were authorized and within legal limits”.

“Francesco Cancellato Was Not Monitored”

As for Fanpage’s editor-in-chief, Francesco Cancellato, Copasir categorically excluded any surveillance by intelligence agencies. The report stated: “Based on the evidence gathered and checks carried out, the Committee found that Cancellato was not subject to any surveillance by Italian intelligence using Paragon spyware. During inspections at AISI, AISE, and the Rome Court of Appeal, Committee members directly queried the Paragon system’s database and audit logs, using the journalist’s phone number, and found no evidence of interception via Graphite.”

Copasir also noted a key detail: “Following the media uproar, on February 14, 2025, Paragon, AISI, and AISE jointly agreed to suspend the use of Graphite on new targets.”

Alerts, Denials, and Contradictions

But before going on, let’s have a quick recap.

Late January: Meta/WhatsApp notifies dozens of European users, including Cancellato and several activists, that they were targeted by Paragon spyware.

Following initial institutional uncertainty, Copasir confirms the Italian intelligence services’ use of Paragon against activists, citing national security and proper procedures.

Copasir insists Graphite was not used against journalists or human rights activists, but only for activities potentially linked to irregular immigration.

Yet, politically, the question remains: is it justifiable to surveil, for years, activists who rescue migrants at sea? The issue seems to attract little attention from Italian politics or media.

Copasir’s report notes that the contract for Graphite prohibits targeting devices or individuals from certain countries and bans use against people based on religion, gender, ethnicity, nationality, or political affiliation. It also forbids targeting journalists or human rights activists. However, Copasir argues that Casarini and Caccia were not surveilled as activists, but for their alleged involvement in irregular immigration.

The Mystery of Cancellato’s Alert

Despite Copasir’s findings, the question remains: why did Cancellato receive a spyware alert from Meta/WhatsApp? Who was behind it? Copasir points out that Citizen Lab’s March 2025 report found no direct forensic evidence of infection on Cancellato’s phone, while confirming infections on Casarini and Caccia’s devices. The only indication of a possible breach was the WhatsApp notification itself, with no clear link to Graphite, says the Committee.

Paragon’s Response and the Breakdown

On June 9, Paragon announced it had terminated all contracts with Italian intelligence after Italy refused to participate in a technical procedure that would have clarified whether Graphite was used against Cancellato. Paragon said it had offered the government a way to determine this, but when authorities declined, it ended its business in Italy, according to Israeli daily Haaretz.

Previously, Paragon told Haaretz it had disconnected its systems from all Italian clients after learning a journalist had been targeted, pending the investigation’s outcome. This decision reportedly caused high-level tensions, with the Italian Prime Minister allegedly contacting Israel’s Benjamin Netanyahu for clarification, according to Haaretz.

Paragon’s statements appeared to contradict Copasir’s version of events.

Italian Agencies Push Back

On June 10, Copasir responded, strongly denying Paragon’s claims and offering to declassify the transcript of Paragon’s representatives’ hearing. The Italian security department (DIS) stated: “There was never any refusal or opposition from the government or intelligence agencies to cooperate. Copasir was able to check system logs, an unprecedented move, confirming the agencies’ statements.”
DIS clarified that Paragon’s proposed checks would have involved either using Paragon’s proprietary software or allowing Paragon staff direct access to Italian intelligence systems—both deemed unacceptable. Instead, Copasir was allowed to conduct its own checks.

The Pellegrino Case and Citizen Lab’s New Report

Meanwhile, in late April, Fanpage journalist Ciro Pellegrino received an Apple alert about government spyware. Pellegrino had his device analyzed by Citizen Lab, which, on June 12, reported with “high-confidence” and forensic evidence that both an unnamed major European journalist and Pellegrino had been targeted with Paragon’s Graphite spyware. Citizen Lab linked both cases to the same Paragon operator.

Citizen Lab also explained that it’s harder to find forensic traces on Android devices, like Cancellato’s, than on iPhones, like Pellegrino’s. The absence of evidence on Cancellato’s phone does not prove it wasn’t compromised—it may simply mean the relevant logs were not captured or were overwritten.

The Fanpage Cluster

Citizen Lab concluded: “Following Mr. Cancellato’s case, the identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization This appears to be a distinct cluster of cases that warrants further scrutiny.”

The Puzzle Remains

To sum up: two journalists from the same outlet received spyware alerts—one from Meta, one from Apple. For one, forensic traces of infection were found; for the other, none, but it could also due to the fact that his Android was harder to analyze. Two major tech companies and an independent lab all say journalists were targeted with spyware. We also know that Italian intelligence was using Graphite, although they strongly deny targeting journalists. Moreover, Copasir’s checks found no evidence for Cancellato in the logs.

Could possibly be a mistake by Meta? And by Apple? And by Citizen Lab? Could possibly be a foreign state spying on Fanpage? The summer’s biggest mystery remains unsolved.