Last year, phone-hacking tools maker Cellebrite announced it had suspended Serbian police as a customer after human rights investigators alleged local police and intelligence services used its tools to hack the phones of a journalist and an activist and plant spyware.
This was a rare example of Cellebrite publicly cutting a customer after substantiated complaints of abuse, citing Amnesty International Technical Report for his decision.
However, following recent similar allegations of abuse in Jordan and Kenya, the Israel-based company responded by rejecting the allegations and refusing to commit to investigating them. It’s unclear why Cellebrite changed its approach, which seems contrary to its previous actions.
On Tuesday, researchers at The Citizen Lab at the University of Toronto published a report alleging that the Kenyan government used Cellebrite’s tools to unlock the phone of Boniface Mwangi, a local activist and politician, while he was in police custody. In another report Since January, The Citizen Lab has accused the Jordanian government of hacking the phones of several local activists and protesters using Cellebrite’s tools.
In both investigations, Citizen Lab, an organization that has investigated abuses of eavesdropping software and hacking technologies around the world, based its findings on finding traces of a specific app linked to Cellebrite on the victims’ phones.
The researchers said those traces are a “high confidence” signal that someone used Cellebrite’s unlocking tools on the phones in question because the same app was previously found on VirusTotal, a malware repository, and signed with digital certificates owned by Cellebrite.
Other researchers have too connected to the same application at Cellebrite.
“We don’t respond to speculation and encourage any organization with specific, evidence-based concerns to share them directly with us so we can act on them,” Victor Cooper, a spokesman for Cellebrite, told TechCrunch in an email.
When asked why Cellebrite is acting differently in the case of Serbia, Cooper said that “the two situations are incomparable” and that “high confidence is not direct evidence.”
Cooper did not respond to multiple emails asking whether Cellebrite would investigate The Citizen Lab’s latest report and what, if any, differences exist with its case in Serbia.
Contact us
Do you have more information about Cellebrite or other similar companies? From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
In both its investigations in Kenya and Jordan, The Citizen Lab contacted Cellebrite before the reports were published to give the company the right to respond.
In response to the Jordan report, Cellebrite he said that “Any documented use of our tools in violation of human rights or local laws will result in immediate deactivation,” but it did not commit to investigating the case and declined to disclose specific information about customers.
For the Kenya report, however, Cellebrite acknowledged receiving The Citizen Lab’s survey but did not comment, according to John Scott-Railton, one of The Citizen Lab’s researchers who worked on the surveys for Cellebrite.
“We urge Cellebrite to make public the specific criteria it used to approve sales to Kenyan authorities and disclose how many licenses have been revoked in the past,” Scott-Railton told TechCrunch. “If Cellebrite is serious about their tight control, they will have no problem making it public.”
After previous reports of abuse, Cellebrite, which claims to have more than 7,000 law enforcement clients worldwide, cut ties with Bangladesh and Myanmaras well as Russia and Belarus by 2021. Cellebrite previously said so stopped selling to Hong Kong and China following US government regulations restricting exports of sensitive technology to the country. Local activists in Hong Kong had accused authorities using Cellebrite to unlock protestors’ phones.
