Cellebrite cut off Serbia citing abuse of its phone unlocking tools. Why not others?

Cellebrite accused of phone hacking in Kenya, Jordan

The phone hacking toolmaker Cellebrite is facing new allegations that its technology was used to target activists in Kenya and Jordan. The company has dismissed the reports and declined to commit to investigating them.

This marks a shift from last year, when Cellebrite publicly suspended Serbian police as customers after a similar human rights report. Researchers say the company's new stance contradicts its past actions.

Traces of Cellebrite found on activists' phones

On Tuesday, researchers at the University of Toronto's The Citizen Lab published a report alleging the Kenyan government used Cellebrite tools to unlock the phone of activist and politician Boniface Mwangi while he was in police custody. A separate report in January made similar accusations regarding activists and protesters in Jordan.

The researchers based their conclusions on finding traces of a specific application linked to Cellebrite on the victims' phones. They say this is a "high confidence signal" because the same application was previously found on the malware repository VirusTotal and was signed with Cellebrite's digital certificates.

Cellebrite dismisses the allegations

Cellebrite spokesperson Victor Cooper dismissed the reports. "We do not respond to speculation and encourage any organization with specific, evidence-based concerns to share them with us directly," he told TechCrunch.

When asked why the company's response differed from the Serbia case, Cooper said "the two situations are incomparable" and that "high confidence is not direct evidence." He did not respond to follow-up emails asking if Cellebrite would investigate or clarify the differences.

Company gave vague responses to researchers

The Citizen Lab reached out to Cellebrite before publishing both reports. In response to the Jordan allegations, the company said any "substantiated use" of its tools in violation of human rights would result in immediate disablement but did not commit to an investigation.

For the Kenya report, Cellebrite acknowledged the inquiry but provided no comment. Researcher John Scott-Railton urged the company to be transparent. "If Cellebrite is serious about their rigorous vetting, they should have no problem making it public," he said.

Cellebrite's history of cutting off customers

The company, which claims over 7,000 law enforcement customers worldwide, has previously suspended sales following abuse allegations. Its past actions include:

• Cutting off Bangladesh and Myanmar after abuse reports
• Suspending sales to Russia and Belarus in 2021
• Stopping sales to Hong Kong and China following U.S. export regulations

In the Hong Kong case, local activists had accused authorities of using Cellebrite to unlock protesters' phones. The company's recent reluctance to investigate the Kenya and Jordan cases stands in contrast to this record of action.