On May 6, 2026, Rep. Summer Lee (D-PA) sent a letter to Commerce Secretary Howard Lutnick demanding a briefing on what she called a three-pronged threat to the Biden-era blacklisting of NSO Group: an American firm's quiet acquisition of a controlling stake in the Israeli spyware maker, ICE's acknowledged use of a separate Israeli spyware product, and NSO's own court filings acknowledging that U.S. law enforcement use of Pegasus is "reasonably foreseeable." Taken together, the picture Lee describes is less a formal policy reversal and more a slow erosion — a factual record of adoption accumulating beneath the formal prohibition.
The Three Moves Lee Identified
In October 2025, a U.S. investor consortium led by Hollywood producer Robert Simonds acquired a controlling stake in NSO Group for an undisclosed sum described as "tens of millions of dollars." NSO's founders exited the company entirely. By November 2025, the firm had installed former Trump ambassador to Israel David Friedman as executive chairman — the same Friedman who once served as Trump's personal bankruptcy attorney. Friedman immediately signaled his agenda: "If the administration, as I expect they'll be, is receptive to considering any opportunity that might keep Americans safer, it will consider us," he told the Wall Street Journal. The message to Washington was unmistakable: this is now, in a meaningful sense, an American company, and its flagship product should be treated accordingly.
Meanwhile, a parallel process was already underway at the agency level. In September 2024, ICE signed a \$2 million contract with Paragon Solutions, another Israeli spyware vendor, for access to its Graphite tool — software capable of silently infiltrating encrypted messaging apps including WhatsApp and Signal. The Biden administration suspended the contract pending review. In August 2025, the Trump administration lifted the stop-work order. By April 2026, ICE Acting Director Todd Lyons confirmed in a letter that the agency was actively using Graphite to intercept encrypted communications in drug trafficking cases. The operational use of Israeli commercial spyware by a U.S. domestic enforcement agency was no longer theoretical.
What NSO's Own Filings Concede
The most striking element in Lee's letter is not what her office alleges — it is what NSO Group's own attorneys argued in the Ninth Circuit. In its appeal of the permanent injunction issued in the WhatsApp v. NSO Group litigation (Case No. 25-7380), NSO sought to carve U.S. law enforcement out of the court's order by arguing that "it is reasonably foreseeable that a law enforcement or intelligence agency of the United States will use Pegasus." The company further warned that the injunction, as written, would "prevent the FBI (or any other U.S. or state law enforcement or intelligence agency) from entering into another such license for any existing version of Pegasus."
This is significant because it marks NSO's formal, on-the-record acknowledgment that American agencies are potential or actual Pegasus customers — even while the company remains on the Commerce Department's Entity List under a presumption-of-denial license policy imposed in November 2021. The Entity List designation was premised on findings that NSO supplied spyware to governments that "maliciously targeted" journalists, activists, diplomats, and government officials. It bars U.S. companies from doing business with NSO without an export license that the Bureau of Industry and Security will presumptively refuse. But the courtroom argument suggests NSO is already anticipating a commercial relationship with U.S. agencies — which would require either a formal waiver, a de-listing, or a creative legal workaround.
It is worth engaging seriously with the other side of this argument. Law enforcement agencies face genuine operational challenges: end-to-end encrypted platforms are now the default medium for transnational criminal networks, including fentanyl distributors and child exploitation syndicates. The FBI's "going dark" problem is not a fictional talking point. If a tool exists that can lawfully penetrate encrypted channels under judicial authorization, there is a legitimate argument that American agencies should have access to it. The question is not whether spyware can serve legitimate law enforcement ends — it clearly can — but whether NSO Group specifically, with its documented history of enabling transnational repression, can be trusted as the vendor.
The Governance Gap Is the Real Problem
The Biden administration's Entity List designation was a meaningful policy act, but it was always incomplete. It imposed export controls, not a categorical ban on U.S. government use. No statute prohibits federal agencies from licensing foreign spyware tools. No public framework exists for evaluating when such tools may be deployed domestically, under what judicial authorization, with what oversight, and against whom. The Paragon-ICE experience illustrates the consequences: a \$2 million contract was signed, suspended, and reinstated with minimal congressional scrutiny and no published legal analysis of its compliance with the Fourth Amendment.
The proportionate response is not to entrench the Entity List designation as a permanent political symbol, nor to waive it entirely as a diplomatic favor. It is to build the governance architecture that currently does not exist: mandatory judicial authorization for domestic spyware deployment, congressional notification requirements before any federal agency signs a commercial spyware contract, published criteria for what conditions must be met before an Entity List designation can be lifted, and periodic declassified reporting on government use. The FBI's earlier Pegasus procurement — in which the bureau reportedly amassed roughly \$5 million in NSO fees for a tool it claims it never used operationally — demonstrates exactly what an accountability vacuum looks like.
Rep. Lee's letter is a legitimate congressional oversight action. But letters demanding briefings are not legislation. The gap she is probing — between a formal export-control designation and a de facto normalization of Israeli spyware in U.S. law enforcement — will not close until Congress actually legislates what agencies can and cannot do with commercial surveillance tools, and under what conditions. Until it does, the Entity List is increasingly a legal fiction.