Cellebrite cut off Serbia citing abuse of its phone unlocking tools. Why not others?

Last year, the phone hacking tool maker Cellebrite announced it had suspended Serbian police as customers. This followed allegations from human rights researchers that local police and intelligence agencies used its tools to hack into the phones of a journalist and an activist to plant spyware. This suspension was a rare example of Cellebrite publicly cutting off a customer following documented allegations of abuse, with the company citing a technical report from Amnesty International for its decision.

However, following recent similar accusations of abuse in Jordan and Kenya, the Israeli-headquartered company has responded by dismissing the allegations and declining to commit to investigating them. It is unclear why Cellebrite has changed its approach, which appears contrary to its previous actions.

This week, researchers at The University of Toronto’s Citizen Lab published a report alleging the Kenyan government used Cellebrite’s tools to unlock the phone of Boniface Mwangi, a local activist and politician, while he was in police custody. In another report from January, the Citizen Lab accused the Jordanian government of breaking into the phones of several local activists and protesters using Cellebrite’s tools.

In both investigations, the Citizen Lab based their conclusions on finding traces of a specific application linked to Cellebrite on the victims’ phones. The researchers stated that those traces are a high confidence signal that someone used Cellebrite’s unlocking tools on the phones in question, because the same application had been previously found on a malware repository and was signed with digital certificates owned by Cellebrite. Other researchers have also linked the same application to Cellebrite.

A spokesperson for Cellebrite, Victor Cooper, told TechCrunch that the company does not respond to speculation and encourages organizations with evidence-based concerns to share them directly. When asked why Cellebrite is acting differently from the Serbia case, Cooper said the two situations are incomparable, and that high confidence is not direct evidence. Cooper did not respond to multiple follow-up emails asking if Cellebrite would investigate the Citizen Lab’s latest report or clarify the differences with the Serbia case.

In both its Kenya and Jordan investigations, the Citizen Lab reached out to Cellebrite in advance of publishing the reports to provide the company with a right to respond. In response to the Jordan report, Cellebrite stated that any substantiated use of its tools in violation of human rights or local law will result in immediate disablement, but did not commit to investigating the case or disclose specific customer information. For the Kenya report, Cellebrite acknowledged receipt of the inquiry but did not comment.

One of the Citizen Lab researchers, John Scott-Railton, urged Cellebrite to release the specific criteria used to approve sales to Kenyan authorities and disclose how many licenses have been revoked in the past. He stated that if Cellebrite is serious about rigorous vetting, they should have no problem making it public.

Following previous reports of abuse, Cellebrite, which claims to have more than 7,000 law enforcement customers worldwide, cut off relationships with Bangladesh and Myanmar, as well as Russia and Belarus during 2021. The company previously said it stopped selling to Hong Kong and China following U.S. government regulations restricting the export of sensitive technologies. Local activists in Hong Kong had accused authorities of using Cellebrite to unlock protesters’ phones.