Last year, phone-hacking tools maker Celebrite announced it had suspended Serbian police as a customer after human rights researchers alleged that local police and intelligence agencies had used its tools to hack into the cellphones of journalists and activists and plant them with spyware.
This was a rare example of Celebrite publicly cutting off a customer following documented allegations of abuse, citing Amnesty International's technical report as the reason for its decision.
However, following recent similar abuse accusations in Jordan and Kenya, the Israeli-based company dismissed the accusations and refused to commit to investigating. It is unclear why Cellebrite changed its approach, which appears to be at odds with its previous actions.
On Tuesday, researchers at the University of Toronto's Citizen Lab released a report alleging that the Kenyan government used a Cerebrite tool to unlock the mobile phone of local activist and politician Boniface Mwangi while he was in police custody. In a separate report in January, Citizen Lab accused the Jordanian government of using Celebrite tools to hack into the phones of several local activists and protesters.
Both investigations were based on the conclusion that Citizen Lab, an organization that has investigated the misuse of spyware and hacking techniques around the world, found traces of certain applications linked to Cellebrite on victims' mobile phones.
The researchers said these traces are a “high confidence” signal that someone used Cellebrite's unlock tool on the phone in question, as the same application was previously discovered on the malware repository VirusTotal and is signed with a digital certificate owned by Cellebrite.
Other researchers have also linked the same application to Cellebrite.
“We do not respond to speculation and encourage organizations with specific evidence-based concerns to share those concerns directly with us so we can act on them,” Cellebrite spokesperson Victor Cooper told TechCrunch in an email.
When asked why Celebrite was acting differently than in the Serbia case, Cooper said, “The two situations are not comparable,'' and “high confidence is not direct evidence.''
Cooper did not respond to multiple follow-up emails asking whether Celebrite would investigate Citizen Lab's latest report and what, if any, differences it had from the case in Serbia.
Contact Us Want more information about Cellebrite or other similar companies? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email.
In both the Kenya and Jordan investigations, The Citizen Lab contacted Celebrite before publishing its reports and gave the company the right to respond.
In response to Jordan's report, Celebrite said that “any demonstration of use of our tools in violation of human rights or local law will result in immediate deactivation,” but it did not commit to investigating the matter and declined to disclose specific information about its customers.
But on the Kenya report, Cerebright acknowledged receiving the Citizen Lab study but did not comment, said John Scott Railton, one of the Citizen Lab researchers who worked on the Cerebright study.
“We urge Cerebrite to publicly disclose the specific criteria it used to approve its sales to Kenyan authorities, and to disclose how many licenses have been revoked in the past,” Scott Railton told TechCrunch. “If Cellebrite is serious about rigorous vetting, they should have no problem publishing it.”
Following reports of previous misconduct, Celebrite, which claims to have more than 7,000 law enforcement customers worldwide, severed ties with Bangladesh and Myanmar, as well as Russia and Belarus, during 2021. Celebrite previously announced that it had halted sales to Hong Kong and China in response to U.S. government regulations restricting exports of sensitive technology to Hong Kong and China. Local activists in Hong Kong had accused authorities of using Celebrites to unlock the phones of protesters.