Use of Controversial Phone-Cracking Tool Is Spreading Across Federal Government

Cellebrite's extensive federal sales come as another Israeli phone-spying firm, NSO Group, falls under federal sanctions.

Cellebrite UFED TOUCH SIM cards, used for data extraction from mobile devices, are seen at a Tokyo office of Sun Corp. on March 30, 2016. Photo: Issei Kato/Reuters/Alamy

Investigators with the U.S. Fish and Wildlife Service frequently work to thwart a variety of environmental offenses, from illegal deforestation to hunting without a license. While these are real crimes, they’re not typically associated with invasive phone hacking tools. But Fish and Wildlife agents are among the increasingly broad set of government employees who can now break into encrypted phones and siphon off mounds of data with technology purchased from the surveillance company Cellebrite.

Across the federal government, agencies that don’t use Cellebrite technology are increasingly the exception, not the rule. Federal purchasing records and Cellebrite securities documents reviewed by The Intercept show that all but one of the 15 U.S. Cabinet departments, along with several other federal agencies, have acquired Cellebrite products in recent years. The list includes many that would seem far removed from intelligence collection or law enforcement, like the departments of Agriculture, Education, Veterans Affairs, and Housing and Urban Development; the Social Security Administration; the U.S. Agency for International Development; and the Centers for Disease Control and Prevention.

Cellebrite itself boasted about its penetration of the executive branch ahead of becoming a publicly traded company in August. In a filing to the Securities and Exchange Commission, the company said that it had over 2,800 government customers in North America. To secure that reach, The Intercept has found, the company has partnered with U.S. law enforcement associations and hired police officers, prosecutors, and Secret Service agents to train people in its technology. Cellebrite has also marketed its technology to law firms and multinational corporations for investigating employees. In the SEC filing, it claimed that its clients included six out of the world’s 10 largest pharmaceutical companies and six of the 10 largest oil refiners.

Civil liberties advocates said the spread of Cellebrite’s technology represents a threat to privacy and due process and called for greater oversight. “There are few guidelines on how departments can use our data once they get it,” said Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project. “We can’t allow every federal department to turn into its own spy agency.”

But Cellebrite’s extensive work with U.S. authorities may be providing it with something even more important to the company than money: political cover. Like NSO Group, whose formidable phone malware recently made headlines, Cellebrite is based in Israel. While NSO’s Pegasus malware is far more powerful than Cellebrite’s technology, providing near-effortless remote infection of devices, both companies have stirred controversy with their sales to authoritarian governments around the world. Cellebrite’s technology is cheaper and has been used in China to surveil people at the Tibetan border, in Bahrain to persecute a tortured political dissident, and in Myanmar to pry into the cellphones of two Reuters journalists. (Under pressure, the company has pledged to stop selling in China and Myanmar, though enforcement is spotty.)

But unlike NSO and the lesser-known Israeli spyware company Candiru, which were added to a Commerce Department trade blacklist in November, Cellebrite has yet to face calls for sanctions. There are signs that people at the company are worried: The day before the NSO listing, D.C. lobbying firm Alpine Group registered with the U.S. Senate to lobby on behalf of Cellebrite. The contract was Cellebrite’s first engagement with outside lobbyists since 2019.

Cellebrite and Alpine Group declined to comment on the lobbying contract. But according to Natalia Krapiva, tech-legal counsel for Access Now, “Cellebrite tries hard to distinguish themselves from NSO by claiming that they are not a spyware company that gets involved in foreign espionage.” While she did not know for certain the reason behind Cellebrite hiring Alpine Group, she said, “They are investing a lot of resources into aggressively defending their reputation, especially in the West.”

“Cellebrite is now trying to put the flashlight more on how much they are connected to the American government,” said Israeli human rights lawyer Eitay Mack, who has repeatedly exposed abuses perpetrated with Cellebrite technology. “But I believe that they are very worried. They are working in many countries that the Americans have problems with. Because of the story of NSO Group, they are afraid that things could become difficult for them.”

So far, however, Cellebrite’s growth seems to be continuing unimpeded, pushing deeper and deeper into police, corporate, and bureaucratic surveillance.

The Fish and Wildlife Service, along with most of the U.S. departments and agencies contacted by The Intercept, did not comment for this article. A spokesperson with the strategic communications firm Reevemark, which represents Cellebrite, pointed The Intercept to the “Ethics and Integrity” page on Cellebrite’s website but otherwise declined to comment.

An examiner at an FBI digital forensics lab views data extracted from a smartphone, in Salt Lake City, Utah. Photo: Lynn DeBruin/AP

The Rise of Cellebrite

Cellebrite’s journey into the citadels of global power began in the 1990s, when it was started as a relatively benign consumer technology outfit. Its first product was a tool to migrate contacts from one cellphone to another. It eventually moved into coercive forms of data transfers, allowing customers to bypass phone passwords and vacuum data out of devices.

As smartphones came to contain more and more information about people’s daily lives, business boomed among police and militaries around the world. Cellebrite cashed out in 2007, selling to the Japanese conglomerate Sun Corp., although many of the researchers who collect cellphone vulnerabilities remain based at its campus in Petah Tikva, Israel.

In 2016, the company got a boost from speculation that the FBI had used a Cellebrite product to unlock the phone of one of the perpetrators of a mass shooting in San Bernardino, California. The rumors turned out to be false, but Cellebrite’s government work in the United States continued to grow. It gained clients within the FBI, Immigration and Customs Enforcement, and the Air Force, as well as among local police departments, which have used its technology on people accused of minor crimes like graffiti, shoplifting, and being drunk in public.

The company has a 4,000-square-foot showroom that it calls an “envisioning center” in Tysons Corner, Virginia, a stone’s throw from the nation’s capital. Today its chief marketing officer, Mark Gambill, is based in the area, according to his LinkedIn profile.

Cellebrite’s flagship offering is the Universal Forensic Extraction Device, or UFED, a phone-hacking kit, but it also offers software that can perform similar feats through a desktop computer as well as products to access data stored in the cloud.

This type of work has been lucrative. According to Cellebrite’s recent SEC filing, the company’s average government customer spends $415,000 on data collection devices and services, with additional millions if they add on analytics software.

The cost of that business, Cellebrite’s critics say, is borne by citizens, and not just in the form of tax dollars. “We talk about the sanctity of the home, but there’s so much more on your phone that gives a deeper and more intimate view than probably anything in your house,” said Jerome Greco, a public defender for the Legal Aid Society. Greco remembers police turning to a Cellebrite UFED-type device following a bar fight between strangers. “What could be on the person’s phone, when they didn’t know each other?” he said.

The proliferation of Cellebrite’s technology within the federal government is “deeply alarming,” said Cahn. While a 2014 Supreme Court ruling set new legal hurdles for searches of cellphones, citing the intimate information the devices now contain, this has “meant very little on the ground.”

“Not only is there no justification for agencies like U.S. Fish and Wildlife Service to use this sort of invasive technology, it’s deeply alarming to see agencies use these devices in more and more low-level cases,” he added. Federal wildlife investigators aren’t the only ones using Cellebrite tools in the great outdoors: Wildlife officers in Missouri and Michigan, for example, use such devices, and Cellebrite has heavily marketed its hardware and software for combating animal trafficking. Upturn, a nonprofit focused on justice and equity, last year published a report documenting the purchase of mobile device forensic tools, including Cellebrite technology, by over 2,000 smaller agencies. “Very, very few people understand the power of the tools that Cellebrite offers,” said Upturn’s Logan Koepke.

“Cellebrite should only be used by competent law enforcement agencies with proper oversight and screening, and only for more serious crimes,” said Krapiva. “It should be up for public discussion as to whether we as a society accept that such invasive tools are being used by educational institutions, private firms, and government agencies.” Other experts interviewed by The Intercept said they believed that cellphone crackers should never be used, even when investigating serious crimes.

Cellebrite’s federal customers provide little transparency as to how they’re using the powerful technology. Of the agencies that did respond to The Intercept’s requests for comments, few offered any concrete information about their use of the tools or answered questions about the implications of that usage. The U.S. Department of Veterans Affairs, for example, would not comment on specific technologies, according to a spokesperson, who said only that the department uses a “wide variety of tools” to “leverage technology” to advance its mission.

The Department of Education at least allowed through a spokesperson that it uses Cellebrite tools for “investigative work” by its inspector general and “to determine if a government-issued iPhone has been compromised and to what extent.” The Department of Energy, whose responsibilities touch on nuclear weapons and federal research labs like Los Alamos, said that it uses Cellebrite products in investigations by its Office of Intelligence and Counterintelligence and inspector general and to examine government-owned handsets “that have exhibited or been reported to exhibit strange or malicious behavior; or devices that were taken on foreign travel where there is an opportunity for compromise or tampering by a foreign adversary.”

A Social Security Administration spokesperson told The Intercept that Cellebrite tech is used in its office solely to investigate allegations of fraud, including stolen Social Security numbers, insurance fraud, and scams related to pandemic-related relief such as Paycheck Protection Program loans and unemployment benefits. The spokesperson declined to discuss specific instances.

Cables for connecting several mobile phones to a Cellebrite UFED TOUCH, a device for data extraction from mobile devices, are seen at a Tokyo office of Sun Corp. on March 30, 2016. Photo: Issei Kato/Reuters/Alamy

After Hours, Lining the Pockets of Law Enforcement

Further complicating the ethics of government Cellebrite use is the fact that, according to LinkedIn, Cellebrite has employed more than two dozen U.S. government employees from across the country as contract instructors or forensic examiners. The contract employees have apparently included police detectives, a Secret Service officer, and people who claim to work for the Defense Department and defense contractor Lockheed Martin.

Other contractors say they work for the Florida attorney general’s office and the United States Postal Service Office of the Inspector General.

“Cops teaching cops is not anything new,” said Greco, the public defender. “But I would be concerned that there is a financial incentive to choose Cellebrite’s tools over others.”

“Even if it’s an appearance of impropriety, it’s concerning,” said Krapiva.

Cellebrite’s apparent payments to police officers and prosecutors may also violate some police departments’ policies on moonlighting. The Florida attorney general’s office did not respond to questions about its policy on taking on side work. A Postal Service spokesperson approached with the same questions said that The Intercept would need to submit a Freedom of Information Act request to the Office of the Inspector General. The policy, which was eventually provided following a request, requires agents with the office to seek formal approval of outside employment in writing so that the position can be reviewed for potential conflicts of interest. It is not clear whether that happened in this case.

In another instance of government collaboration, Cellebrite has also brokered a partnership with an influential attorneys general’s association, with the goal of “creating legal policy and procedures” that allow for the use of a Cellebrite cloud tool.

Cellebrite may need all the U.S. government work it can get. Its stock prices have taken a dip. Recent exits from authoritarian countries have made its U.S. contracts even more critical to staying afloat. In December, facing recruitment difficulties in Israel following negative press coverage, the company launched a public relations campaign comparing its employees to superheroes.

Mack, the human rights lawyer, said the campaign had an air of desperation to it. “They have already been marked because they are working in some very bad places,” he said. “And things are going to keep being exposed.”
