Cellebrite cut off Serbia citing abuse of its phone unlocking tools. Why not others?

Last year, phone hacking tool maker Cellebrite said it suspended Serbia’s police as customers after human rights researchers alleged that local police and intelligence agencies used the company’s tools to hack into the phones of a journalist and an activist, and then plant spyware.

It was a rare instance of Cellebrite publicly cutting off a customer after documented accusations of abuse, and the company cited Amnesty International’s technical report in explaining its decision.

But after more recent, similar allegations involving Jordan and Kenya, the Israeli-headquartered firm responded by dismissing the claims and declining to investigate them. It remains unclear why Cellebrite appears to be taking a different approach now, especially given how it handled the Serbia case.

On Tuesday, researchers at the University of Toronto’s Citizen Lab published a report alleging that the Kenyan government used Cellebrite’s tools to unlock the phone of Boniface Mwangi, a local activist and politician, while he was in police custody. In a separate report published in January, Citizen Lab accused the Jordanian government of breaking into the phones of several activists and protesters using Cellebrite’s tools.

In both investigations, Citizen Lab — which has a long track record investigating abuses involving spyware and hacking technologies worldwide — said it based its conclusions on traces found on victims’ phones that pointed to a specific application linked to Cellebrite.

Citizen Lab said the traces provide a “high confidence” signal that someone used Cellebrite’s unlocking tools on the phones because the same application had previously been discovered on VirusTotal, a malware repository. It was signed with digital certificates owned by Cellebrite.

Other researchers have also connected the same application to Cellebrite.

“We do not respond to speculation and encourage any organisation with specific, evidence-based concerns to share them with us directly so we can act on them,” Victor Cooper, a spokesperson for Cellebrite, said in an email.

When asked why Cellebrite is treating the allegations differently than it did in the Serbia case, Cooper said “the two situations are incomparable,” and added that “high confidence is not direct evidence.”

Cooper did not respond to multiple follow-up emails asking whether Cellebrite would investigate Citizen Lab’s latest report, or what differences, if any, exist compared with the Serbia situation.

In both the Kenya and Jordan cases, Citizen Lab said it contacted Cellebrite ahead of publication to provide the company an opportunity to respond.

In response to the Jordan report, Cellebrite said that “any substantiated use of our tools in violation of human rights or local law will result in immediate disablement.” Still, it did not commit to investigating the allegations and declined to provide detailed information about customers.

For the Kenya report, however, Cellebrite acknowledged receiving Citizen Lab’s inquiry but did not provide a comment, according to John Scott-Railton, one of the Citizen Lab researchers involved in the Cellebrite investigations.

“We urge Cellebrite to release the specific criteria they used to approve sales to Kenyan authorities, and disclose how many licenses have been revoked in the past,” Scott-Railton said. “If Cellebrite is serious about their rigorous vetting, they should have no problem making it public.”

Cellebrite, which says it has more than 7,000 law enforcement customers worldwide, has previously cut off other customers following allegations of abuse. The company ended relationships with Bangladesh and Myanmar, and also cut off Russia and Belarus in 2021. Cellebrite has also said it stopped selling to Hong Kong and China following U.S. government rules restricting the export of sensitive technologies to the country, after local activists in Hong Kong accused authorities of using Cellebrite to unlock protesters’ phones.