In the previous year, Cellebrite, a maker of phone hacking tools, announced suspending Serbian police as customers after allegations emerged from human rights researchers. They claimed local police and intelligence agencies used these tools to hack phones belonging to a journalist and an activist and then installed spyware. This instance marked a rare occasion where Cellebrite publicly cut off a customer due to documented abuse allegations, referencing Amnesty International’s technical report in its decision.
However, after facing similar recent allegations of misuse in Jordan and Kenya, the Israeli-headquartered company responded by dismissing those claims and choosing not to investigate them. The reason for Cellebrite’s altered approach, seemingly in contrast to its past actions, remains unclear.
On Tuesday, researchers at The University of Toronto’s Citizen Lab released a report alleging that the Kenyan government employed Cellebrite’s tools to access the phone of Boniface Mwangi, a local activist and politician, while in police custody. Furthermore, a January report by the Citizen Lab accused the Jordanian government of using Cellebrite’s tools to access the phones of several local activists and protesters.
Citizen Lab, an organization known for investigating abuses of spyware and hacking technologies globally, based their findings on traces of a specific application linked to Cellebrite found on the victims’ phones. The researchers asserted this evidence as a “high confidence” sign of Cellebrite’s tool usage due to the application’s previous discovery on VirusTotal, a malware repository, where it was signed with digital certificates owned by Cellebrite.
Other researchers have also connected the same application to Cellebrite. In response to these allegations, Victor Cooper, a spokesperson for Cellebrite, told TechCrunch via email, “We do not respond to speculation and encourage any organization with specific, evidence-based concerns to share them with us directly so we can act on them.”
When questioned about the differing response compared to the Serbia case, Cooper stated, “the two situations are incomparable,” and that “high confidence is not direct evidence.” Cooper also did not reply to multiple follow-up emails regarding whether Cellebrite would investigate the Citizen Lab’s latest report or what differences exist compared to its case in Serbia.
Citizen Lab had contacted Cellebrite before publishing their reports to allow the company a chance to respond. Concerning the Jordan report, Cellebrite stated that “any substantiated use of our tools in violation of human rights or local law will result in immediate disablement,” yet did not commit to investigating this case, nor did it disclose customer-specific information. On the Kenya report, Cellebrite acknowledged receiving Citizen Lab’s inquiry but offered no comment, according to John Scott-Railton, one of the investigators on the Citizen Lab team.
Scott-Railton urged Cellebrite to disclose the criteria used for approving sales to Kenyan authorities and reveal how many licenses have been revoked previously. “If Cellebrite is serious about their rigorous vetting, they should have no problem making it public,” he told TechCrunch.
In response to earlier abuse reports, Cellebrite, which claims more than 7,000 global law enforcement customers, severed ties with Bangladesh and Myanmar, as well as Russia and Belarus during 2021. Additionally, Cellebrite stated it halted sales to Hong Kong and China due to U.S. government regulations on exporting sensitive technologies. Local activists in Hong Kong had accused authorities of using Cellebrite to unlock protesters’ phones.