Phone-Cracking Cellebrite Software Used to Prosecute Tortured Dissident

Like any good, vaguely sinister corporate spy outfitter, the company deflects questions about whether it would sell its infamously powerful phone-breaching software to a repressive, rights-violating regime.

Illustration: Delcan & Company for The Intercept

The Israel-based firm Cellebrite, which specializes in software that breaches cellphones, enjoys a reputation as a silver bullet in 21st-century policing whose products are used only to beat terrorists and find abducted kids. Like any good, vaguely sinister corporate spy outfitter, the company has never publicly confirmed which governments are among its customers, and deflects questions about whether it would sell its infamously powerful software to a repressive, rights-violating regime.

Political activist Mohammed al-Singace (commonly referred to as Abdali) was arrested at his home on the morning of May 15, 2013, in the tiny island petro-monarchy of Bahrain. For years, Singace — brother of the well-known dissident Dr. Abduljalil al-Singace, currently serving a life sentence for his role in Bahrain’s February 2011 protests — had worked to bring attention to the Bahraini government’s mishandling of poverty and inflation and to advocate for the poor. The Bahraini government is among the worst human rights offenders in the world, routinely disappearing and torturing dissidents and citizen organizers for purely ideological reasons. According to Amnesty International, over the past year, hundreds have been convicted in unfair trials, and “many defendants in terrorism cases were convicted largely on the basis of ‘confessions’ that they said interrogators had forced them to make under torture; some received death sentences.” In particular, “torture and other ill-treatment of detainees, mainly suspects in security or terrorism-related cases, remained rife … within the Criminal Investigations Directorate (CID).”

Shortly after his arrest, Singace was transferred to “Building 10” of Bahrain’s infamous Jau Prison, a facility known for its particularly brutal treatment of prisoners. According to the Bahrain Center for Human Rights, Singace says his beatings began while he was still in bed:

[Singace] stated that he was tortured from the moment of his arrest from his bed as policemen beat him with an unknown machine causing him to bleed and fall unconscious. While being unconscious, they beat and kicked him mostly on the back, hands and head. The signs are still visible on Alsingace as he entered the court with hands that looked abnormal, in addition to a wound on his head, and neck pain which he still suffers from.

According to the Bahrain Institute for Rights and Democracy, Singace’s beard was also shaved against his will.

Political activist Abdali al-Singace.

Photo: Facebook

Beatings and humiliation are timeless torture techniques, but for draconian police forces desperate to construe personal association as criminal conspiracy, the ability to exploit the contents of someone’s cellphone is still novel. Getting into someone’s phone without their cooperation is more technically sophisticated than simply hanging them upside down or battering them, given how typical it is to lock your device with a password or even a fingerprint — and this is where Cellebrite comes in.

Aimed at “law enforcement, military, intelligence and e-discovery personnel,” the company’s marketing materials promise “unprecedented access” to “the widest variety of mobile devices and operating systems” through the use of its trademarked Universal Forensic Extraction Device, which siphons virtually every scrap of data from a phone and makes it searchable and browsable on a third-party computer. Conveniently, the extraction process completely deactivates or bypasses any password you might have put in place to prevent just this kind of intrusion.

When Cellebrite was founded in 1999, this access would have been limited to call logs and contacts. But in the smartphone era, when Cellebrite started marketing forensics gear to military and police customers (Motto: “ACCESS. UNIFY. DEFEND.”), billions of people around the world began carrying a full computer’s worth of information on their person: personal emails, bank records, photos, videos, and IMs. In other words, exactly the trove of personal errata, lists of association, and circumstantial evidence that any police force would covet — particularly that of a repressive regime with an acute allergy to due process. It’s little surprise that our increasingly martial American police have leapt at the chance to use Cellebrite equipment; a CNN investigation reported that “for years, it has been the go-to resource for FBI agents breaking into suspects’ phones, according to security researchers familiar with the FBI’s operations.” This new ability to spirit away someone’s cellphone and copy its contents has already attracted the attention of the ACLU, which worries that Cellebrite tech could help police skirt the Fourth Amendment.

The company is a truly 21st-century corporation: Founded in Israel, Cellebrite is now owned by a Japanese software conglomerate, operating sales offices in New Jersey for customers in Michigan. But the cracking gear isn’t just popular among U.S. police: A 2014 CNN Marketplace Middle East segment on the company counted 140 different police clients worldwide. As is typical, this report cited “the advancement of ISIS … deep into Iraq and Syria” as the explanation for Cellebrite’s sales to Gulf and North African states, a rationale Cellebrite repeats in all of its marketing materials. Left unmentioned was the possibility that Cellebrite might sell its wares to countries that would buy this power only to abuse it. An impressed, wide-eyed corporate profile by the BBC included one interesting moment, when tech correspondent Rory Cellan-Jones asked Cellebrite VP Yuval Ben-Moshe if there were any ethical limits to its sales:

Cellan-Jones: And who will you sell this equipment to? Is it any law enforcement in any country?

Ben-Moshe: We typically sell to any … I wouldn’t say any but … government-owned or government-operated law enforcement agencies around the world.

Cellan-Jones: What about repressive regimes that are intent on spying on their citizens in ways that many people would find offensive? Would you sell to them?

Ben-Moshe: I don’t know. … I don’t know the answer to that and I’m no position to comment on that in this point in time.

Cellan-Jones: So you won’t say whether Cellebrite will sell to, say, Saudi Arabia, for example, or Iran, or various regimes around the world which might be oppressive?

Ben-Moshe: We operate under law. Under international and the laws of every jurisdiction and country we work at and this is what guides us.

Not exactly a moral stance. Perhaps Ben-Moshe evaded the question because the company does exactly what Cellan-Jones was asking. Based on a recently uncovered document presented as evidence in Singace’s prosecution, we can conclude that Bahrain is among the governments that use Cellebrite technology, because it used the technology against Abdali al-Singace.

Singace’s phone was taken from him as he was arrested and placed in police custody, where it was cracked and its contents extracted using Cellebrite’s UFED technology. A report on the contents of Singace’s phone, prepared by Bahrain’s General Directorate of Anti-Corruption and Economic and Electronic Security and generated by Cellebrite’s software, was entered as evidence against him during his trial. It contains nearly 20 pages of Singace’s private WhatsApp conversations. Other court documents show that photos were taken from Singace’s phone as well, including several images that were specifically cited during his sentencing as evidence of criminal association. A page from the prosecution’s report can be seen below on the left — on the right is a sample Cellebrite report page from the United States National Institute of Standards and Technology:

Left: An extraction report showing personal WhatsApp chats pulled from Abdali al-Singace’s phone. Right: Sample Cellebrite report from the United States NIST.

Document: Kingdom of Bahrain, U.S. NIST

Yaniv Schiff, an Illinois-based mobile forensics expert, told The Intercept he is “very confident” the extraction report was indeed created using Cellebrite. After viewing the documents, Cindy Murphy, a certified forensics instructor at the SANS Institute who worked as a digital forensics examiner with the Madison Police Department for 17 years, told The Intercept, “This is an easy one. It’s [from] Cellebrite Physical Analyzer or Logical Analyzer.”

Left: Page from the extraction report of Abdali al-Singace’s phone. Right: Sample page from a Cellebrite report published by the United States NIST. Note the nearly identical headers on these two documents.

Document: Kingdom of Bahrain, U.S. NIST

Cellebrite would be in good company, too: Bahrain relies on a variety of technology firms to keep tabs on its people, including Nokia-Siemens, FinFisher, and Netsweeper.

Notably, just two weeks before Singace’s arrest, another Bahraini dissident, Naji Fateel, a human rights activist and blogger, was arrested suddenly at his home and subjected to equally brutal treatment. Fateel was prosecuted in the same case as Singace and 48 other defendants. And just like they would do with Singace’s phone, Bahraini authorities extracted and analyzed the contents of Fateel’s phone, according to court documents. Although it is clear from Singace’s case that authorities had access to Cellebrite’s technology and were willing to use it against political dissidents, there is no direct evidence that it was used to crack Fateel’s phone.

According to a source with direct knowledge of Fateel’s prosecution (who asked not to be named for fear of reprisal), the data vacuumed off of his Samsung phone wasn’t just used against him in court, but used as a basis for suspicion, evidence of criminality, and pretext for torture: “Naji’s and the others’ phone contact was mentioned to them as evidence against them during their interrogation in CID … the torture happened in CID.” This source also said that in the prosecution of a co-defendant of Fateel’s, the sole evidence presented against him was his presence in a private WhatsApp group chat used to discuss Bahraini news. Fateel is currently serving a 15-year sentence after a trial that, according to human rights watchdog Front Line Defenders, “fell short of fair due process guarantees.” No observer was permitted to witness the appeals trial, which upheld the conviction on the charge of forming “a group for the purpose of disabling the constitution.”

Bahrain’s relationship with Cellebrite or its parent company is still unclear because neither side will say anything. It’s possible, too, that the Bahraini government purchased Cellebrite equipment through a third party reseller, rather than directly from the company. Seeking some clarity here, The Intercept contacted Cellebrite co-CEO Yossi Carmil, who referred me to Jeremy Nazarian, the company’s CMO. Nazarian told The Intercept that the use of Cellebrite technology to torture a Bahraini human rights activist “doesn’t ring a bell,” and “as a general policy we don’t discuss anything having to do with field operations.” Nazarian said he would “do some digging” on the matter, but the next day The Intercept received an email from Mike Reilly of Banner Public Affairs, a Washington, D.C.-based firm that represents Cellebrite, saying that the company declined to comment any further. Multiple requests for comment sent to both the Bahraini Embassy in Washington and Bahrain’s United Nations consulate in New York went unanswered. But we do know that Bahrain is on the record as using Cellebrite tech, per a 2014 newspaper article by an adviser to the kingdom’s Interior Ministry:

The administration uses the most recent technologies and machines in its work specially in the process of evidence examination. Work on developing these technologies and machines regularly with what is appropriate with the international technological advances — Encase, FTK, Cellebrite, [and] XRY.

Sharah Tal, Cellebrite’s director of research, told The Intercept in October that the company has “a strong ethics backbone, a clear-use case for our capabilities, and dramatically less potential for abuse should ‘evil customers’ attempt to deceive us.” According to Cellebrite’s own user manuals, its software can only be used if remotely activated, either with a USB dongle provided by the company or through an internet connection to the company — either of these routes would provide Cellebrite a means of blocking known repressive regimes from using its technology.

If the Bahraini General Directorate of Anti-Corruption and Economic and Electronic Security and the Criminal Investigations Directorate wanted to see Abdali al-Singace imprisoned and horrifically tortured, they could have done so without the use of Cellebrite or any other modern forensic technology, as has been fashionable for millennia. Keeping Cellebrite UFED kits out of the hands of tyrannical monarchies and repressive police forces won’t put an end to that which makes them tyrannical and repressive.

A Cellebrite UFED device connected to an Android smartphone like Abdali al-Singace’s, ready to extract its contents.

Photo: Yaniv Schiff

But whereas past regimes might have had to put in serious legwork to find the friends of their political enemies (think long-term wiretaps, visual surveillance, blackmail), Cellebrite has made graphing an individual’s entire digital network of association as easy as a few touchscreen taps. Viewed through Cellebrite software, the contents and connections of someone’s phone are actually easier to browse than they would be on the phone itself.

It’s worrying, at the very least, that a company whose services have such a great and obvious potential for misuse would have a policy of not talking about how their services are used. We’re left, then, to speculate about what sort of precautions Cellebrite takes or neglects to take. Amnesty International’s Sara Hashash told The Intercept that Cellebrite’s obligations under international law “are laid out in the U.N. Guiding Principles on Business and Human Rights (UNGPs),” which say that “companies have a responsibility to respect human rights wherever they operate in the world” and must “take proactive steps to ensure that they do not cause or contribute to human rights abuses within their global operations and respond to any human rights abuses when they do occur.” It’s entirely possible that Cellebrite, with sales operations around the globe, did not wittingly sell its products knowing they would be used to prosecute activists like Abdali al-Singace. “The pressing question here,” said Hashash, “is what they are going to do now to mitigate and prevent any further such incidents.”

There is a popular line of reasoning that all technologies are neutral, and the relative good or evil of their functions is decided by the user — the “guns don’t kill people, people do” argument. This camp might point out that nuclear fission can be used to power an entire city or destroy it. But this approach misses — perhaps deliberately — that all technologies have makers, and they’re made for a purpose. The gun is designed to kill, the bomb is designed to immolate, and Cellebrite is designed to pry, making it inherently more weighty than, say, Microsoft Excel. Cellebrite’s raison d’etre is taking a completely private thing (your smartphone) and neutralizing that privacy for the consumption of strangers.

When a tool that potent is created, shouldn’t the creators try to make sure it doesn’t fall into the wrong hands — or, failing that, at least be honest about its potential to do harm? Smartphone cracking has its legitimate and good uses. There can be no doubt that Cellebrite is used by some upstanding police to do some upstanding police work. Just look at Cellebrite’s own website, where it rattles off success stories of good policing made better through technology: “UFED helped decrypt a suspect’s phone and reveal in excess of 90 deleted images of the suspect being engaged in sexual activity with a minor,” reads one from Putnam County, West Virginia. Another describes a foiled school shooting. But nowhere on the Cellebrite website is there a testimonial from the Bahraini Criminal Investigations Directorate describing how radically easy it is to intimidate prisoners with the contents of their private lives.

The discovery of Cellebrite’s darker uses is reminiscent of how Hacking Team, the Italian company that marketed its wares as being for legitimate, peaceful purposes (“We provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities”), was found to be supplying its tools to the likes of Morocco, Kazakhstan, and — yes — Bahrain, so that these regimes could spy on their citizenry. Media coverage of the scandal was swift and revelatory, but should anyone have been so surprised? Of course any government that can’t afford a state apparatus like the NSA will outsource its worst informational impulses to independent firms. The question is only, then: Will these companies do what is necessary to keep tools so prone to misuse and horrible ends out of the wrong hands, or let that technology quietly proliferate?
