Phone hacking tool maker Cellebrite made headlines last year when it announced it had suspended Serbian police as customers due to allegations of abuse. The allegations, brought forward by human rights researchers, claimed that local police and intelligence agencies used Cellebrite’s tools to hack into the phones of a journalist and an activist, planting spyware in the process. Cellebrite cited Amnesty International’s technical report as the basis for its decision, and the move was seen as a rare example of a company publicly cutting ties with a customer following documented allegations of misuse.
However, in more recent cases of similar accusations in Jordan and Kenya, Cellebrite has taken a different stance. The Israeli-headquartered company has dismissed the allegations and declined to commit to investigating them, a departure from its previous actions. The Citizen Lab at The University of Toronto published reports alleging that the Kenyan government used Cellebrite’s tools to unlock the phone of a local activist and politician, Boniface Mwangi, while he was in police custody. Another report from The Citizen Lab accused the Jordanian government of breaking into the phones of local activists and protesters using Cellebrite’s tools.
The Citizen Lab based its conclusions on finding traces of a specific application linked to Cellebrite on the victims’ phones. These traces, according to the researchers, are a strong indicator that Cellebrite’s unlocking tools were used, as the application had previously been identified on VirusTotal, a malware repository, and was signed with digital certificates owned by Cellebrite. Other researchers have also connected the same application to Cellebrite’s tools.
When approached for comment, Victor Cooper, a spokesperson for Cellebrite, stated that the company does not respond to speculation and urged organizations with evidence-based concerns to share them directly. When questioned about the differing responses to the Serbia case, Cooper said the situations were not comparable and noted that “high confidence is not direct evidence.”
The Citizen Lab had provided Cellebrite with an opportunity to respond before publishing its reports on Jordan and Kenya. In response to the Jordan report, Cellebrite stated that any proven misuse of its tools would result in immediate action, but did not commit to investigating the case or disclose specific customer information. For the Kenya report, Cellebrite acknowledged receipt of the inquiry but did not provide a comment.
Following previous reports of abuse, Cellebrite has severed ties with several countries, including Bangladesh, Myanmar, Russia, Belarus, Hong Kong, and China. The company claims to have rigorous vetting processes in place for approving sales to authorities, but researchers have called for more transparency on its criteria and the number of licenses revoked in the past.
In conclusion, Cellebrite’s handling of abuse allegations in different countries has raised questions about its commitment to human rights and accountability. The company’s response to recent accusations in Jordan and Kenya contrasts with its actions in Serbia, leaving stakeholders and activists concerned about the potential misuse of its tools by governments and law enforcement agencies worldwide.

