“I sleep well at night, because I know who I work for and who I serve.” That was the caption of an extensive interview given in 2019 by the CEO of the phone-hacking firm Cellebrite, Yossi Carmil, to the Israeli news site Ynet. In recent weeks, thanks to intensive investigations by human rights lawyer Eitay Mack, the public too is finding out for the first time who Carmil works for and what interests his company serves. Mack and other human rights activists filed Wednesday a petition against Cellebrite, in an attempt to bar the exports of its technology, which can break into mobile phones, to Russia.
What Mack’s investigations, based on public documents and reports published over the years, revealed was mainly the gap between the impressive front put on by the company, which promises of high standards and the protection of human rights, to its actual client list and what they use the so-called mobile forensics technology for. Following revelations relating to Hong Kong, Venezuela and Belarus, Mack again appealed to the Defense Ministry body in charge of regulating arms exports, demanding that it monitor Cellebrite too. This time, the reason given is the sale of the company’s technology to Russia.
The Defense Exports Control Agency’s director Rachel Chen responded to Mack with the agency’s standard letter: “As we informed you in response to your previous appeal, the Defense Ministry operates under the 2007 law that regulates such exports and monitors the exports of defense-related products, including equipment related to missiles, war materiel and regulated dual-use equipment. This is based on a list of controlled items, which itself is based on lists used by international agencies. The ministry does not provide information about its export policy or about specific permits or companies on its list of exporters, due to security, diplomatic and strategic considerations”.
>> Do you work at Cellebrite or in Israeli hi-tech and have a story to share with us? We can promise full anonymity: Click here to send us an enycryped email
The Vice news website revealed that Russia was one of Cellebrite’s clients, having purchased its UFED (Universal Forensic Extraction Device) technology for hacking phones. However, that report only mentioned Russia’s general prosecution as using the technology, without elaborating on other Russian agencies that had purchased and used its technology. Deeper delving revealed far more problematic clients that seem to stand in tension with its CEO’s comments.
This is what Carmil told Ynet in that interview: “In our field, you have to know beyond any doubt whom to sell and whom to avoid. We have our in-house regulator and an in-house legal department. We are subject to supervision in the U.S. and Europe. In Israel, we work with the export supervision unit. We sometimes give up substantial revenues, including in places we do not have to do so. We abide by corruption and human rights indices we have developed. 160 countries out of 200 on planet earth are not on our immediate customer list. We focus our efforts on a small number of countries”.
Carmil resents a comparison with the NSO Group. “I know the people at NSO and appreciate their know-how, but Cellebrite works in the legitimate world of the police force, whose abilities are closely controlled, unlike the world of NSO customers and others who engage in illegal and concealed activity. Cellebrite is totally on the good side, where court orders are used. We do not make tools for breaking into private entities or espionage organizations.”
- Revealed: Israeli Firm Provided Phone-hacking Services to Saudi Arabia
- Despite Sanctions, Israeli Firm Cellebrite Sold Phone-hacking Tech to Venezuela
- Israeli Phone-hacking Firm Cellebrite Vowed Not to Sell to Sanctioned Countries. So What's It Doing in Belarus?
However, the BBC’s Russian website reported in 2018 that Cellebrite’s technology was purchased by Russia’s spy agency. There is at least one document on the Russian government’s website dealing with tenders indicating that the FSB, the agency that replaced the KGB, was planning to buy the technology for its office in the western Russian city of Nizhny Novgorod. It was harder to find further evidence for use of this technology by the agency.
One Russian agency which does take pride in using UFED technology is the Russian Federation’s Investigative Committee. Mack found that already back in 2013, this agency showed interest in purchasing this technology. Ever since then, its director Alexander Bastrykin has not ceased praising it, with contracts and updates continuing to be supplied. This agency reported that this technology was used more than 26,000 times for hacking various phones.
A visit to the Wikipedia article about the Investigative Committee will cause no concern. It is described as a regular police unit specializing in investigating serious crimes such as murder and corruption. There are numerous reports of its role in cracking ordinary crimes, something that is congruent with Cellebrite’s claims.
The problem is that the entries on Wikipedia do not give the full picture. The Investigative Committee was established in 2007 as part of a reform in Russia’s law enforcement agencies. In the beginning it was subordinate to the general prosecutor’s office. In 2011 it broke loose, now answering only to President Vladimir Putin (Bastrykin went to university with Putin and is considered one of his close associates.)
In the following year, notes Mack, “Putin and his supporters in parliament started promoting legislation that would incriminate his critics and reduce the democratic space in Russia.” This includes a long list of amendments to the law, intended to restrict the freedom to demonstrate and limit opposition groups by turning them into “foreign agents”. There was also a drive to legislate anti-LGBT laws. In 2018, a law was passed requiring online service providers to give the authorities information, without the need for any legal injunctions.
These amendments provided the legal foundation for one of the agency’s main purposes. “In practice, the Investigative Committee is one of Putin’s key tools for political persecution, for silencing critics, opposition activists and anti-corruption activists, as well as a tool for persecuting minorities” writes Mack.
Among other activities, the committee is responsible for launching an investigation of RBK, the anti-corruption organization set up by Alexei Navalny, who only recently survived what appears to have been a poisoning attempt. The committee is also busy with attempts to incriminate and persecute members and supporters of the Pussy Riot musical group, in addition to the criminalization of a thousand opposition and human rights groups, using the law relating to “foreign agents.”
Cellebrite has claimed in the past, in response to questions posed by Haaretz, that it does not sell devices or services to regimes and organizations that are under sanctions. In this case, not only did the European Union and the U.S. impose a host of sanctions on exports to Russia, but Bastrykin himself was added to the list of individuals subjected to personal sanctions in 2017. His assets in the U.S. were frozen, and U.S. citizens are forbidden from having any contact or business dealings with him. A year ago, the State Department added two other people in the Investigative Committee to the list, for persecuting Jehovah’s Witnesses in Russia.
The State Department report noted that investigators tortured seven members from the group in Russia, using electric shocks, strangulation and beatings. The 2019 report adds that this treatment was also the fate of their lawyers. In one case, reported by the human rights group Agora, an attorney was removed by force from a courtroom in Novomoskovsk after objecting to a judge’s ruling which prevented him from cross-examining a witness. He was taken to a local office of the Investigative Committee and beaten, after complaining of being treated violently in court.
The committee has also been used against the LGBT community. Among other cases, an investigation was opened regarding “a violent sexual assault of minors under the age of 14”. This involved the producers of and participants in a YouTube clip in which children interviewed a gay man named Maxim Pankratov about his life. The video did not deal with sex and did not include any sex acts, but rather only questions about the man’s life in general. In another case, the committee opened an investigation regarding a homosexual couple which adopted children, leadinng the two men to eventually flee the country.
In the Ynet interview, Carmil repeated the claim that his company was tightly monitoring the use of its devices. He related to reports that old devices were being sold online: “I suggest you try and buy one. The person who has put up the device for sale is breaching his contract but is also a fool, because it is like selling a tablet without an operating system. Buying our device online is like buying an empty flower pot. We control all the products remotely, activate the licenses remotely, and make sure they are in the right hands. Whenever in doubt, we place the suspected device on the blacklist.”
However, according to the BBC in Russian, in some cases, the purchasers in Russia were not actually the final users. Moreover, the Russian website dealing with tenders notes organizations which ostensibly have nothing to do with legal or police investigations, but have still purchased these devices. This includes the UGRA Research Institute of Information Technologies, which signed a contract for using UFED in 2019, including obtaining software updates for three more years.
Last week, attorney Mack sent a letter to the exports control agency and to Cellebrite. Haaretz has also requested the company’s response. Cellebrite has asked for clarifications as to what they are supposed to respond to. So far, no response to Mack’s letter has been received.