The Data Protection Authority has issued an official warning regarding the use of "Graphite" spy software, developed by the Israeli company Paragon Solutions Ltd. The software has recently come under scrutiny following reports that it is being used to intercept electronic communications in an unauthorised manner. The authority pointed out that the use of this type of software, outside the limits imposed by law, is a serious violation of the Privacy Code and could result in severe administrative penalties.

According to the information provided by the Guarantor, the software "Graphite" allows to access devices and collect data without the consent of the user. This tool, although designed primarily for security purposes, can be used for more invasive purposes, such as infiltrating the devices of uninformed users. The use of the software, which spreads via PDF files conveyed on messaging platforms such as WhatsApp, has raised concerns about privacy protection, especially for Italian users.

In response to these concerns, the Guarantor reiterated that the interception of electronic communications should be carried out only under certain circumstances, such as those provided for by law to ensure the security of the Republic or for prevention, Investigation and prosecution of crimes. The use of spy software such as "Graphite" which does not fall under these purposes constitutes a violation of privacy, and as such must be treated according to the regulations in force.

In particular, the Supervisor referred to Article 122 of the Privacy Code, which states that access to information stored on users' devices is only allowed if the user has expressed explicit consent, A condition that appears not to be fulfilled in the case of "Graphite". The use of spy software, therefore, can lead to heavy penalties, which can reach up to 20 million euros or 4% of turnover for the responsible companies.

This warning came after several reports from citizens concerned about the use of spyware, including journalists and news operators, reached the Guarantor. The issue has given rise to intense public debate, fuelled also by some press reports which have highlighted the possible use of these tools by private or criminal entities.

At the same time, the Presidency of the Council took a position on the matter, pointing out that, contrary to what is claimed by some press sources, the government did not authorize any kind of espionage activities against journalists. In an official note of 5 February 2025, the Presidency categorically excluded that subjects protected by the law on the security of the Republic have been subjected to controls by the intelligence services. In addition, the Presidency announced that the National Cyber Security Agency (NCA) is closely monitoring the case to ensure the privacy of the users involved is protected.

WhatsApp, which played a central role in the affair, has taken preventive measures to protect its users. The company has sent warnings to the people involved to inform them of the possible risk to their security, but without revealing users' identities for privacy reasons. So far, according to the Council Presidency, only seven Italian telephone numbers have been identified as recipients of spy software.

The use of spyware such as "Graphite" raises significant ethical and legal issues, not only in Italy but also at the European level. The European Commission and data protection authorities in several member states are closely monitoring developments, given the seriousness of potential breaches of privacy and digital security.

Finally, the Guarantor for the Protection of Personal Data has issued a clear warning: anyone who uses spy software such as "Graphite" or exploits the information collected by these tools is subject to severe sanctions. The message is strong and clear: protecting users' privacy is a priority, and violations of this must be treated with the utmost seriousness.