Citizen Lab investigation reveals Cellebrite tools used in Russia
Russian authorities used tools from Israeli company Cellebrite to break into the phone of political prisoner Andrei Pivovarov months after the company said it cancelled its contracts with Russia, according to an investigation by the University of Toronto's Citizen Lab research unit. The case raises questions about how much control Cellebrite has over its own software, which allows users to easily break into phones and examine their contents. The tools are sold worldwide and widely used by police forces in the UK and the US.
Andrei Pivovarov's arrest and phone hacking
Andrei Pivovarov, the director of the organisation Open Russia, was arrested in May 2021 and released more than three years later as part of a high-profile exchange that also involved US journalist Evan Gershkovich. While he was imprisoned, Russian authorities used forensic tools to break into his phone, extracting information about his contacts and his personal and professional life. Pivovarov said this was a “violation of his privacy” that put many of his colleagues at risk. “They tried to find my messages to other colleagues from my organisation and other politicians and may use these in criminal cases against them. After my arrest, several of my colleagues left Russia immediately,” he said.
Evidence of Cellebrite use
The Citizen Lab said a forensic investigation had found “with high confidence” that Cellebrite tools were used, and this was confirmed by a document prepared by Russian authorities and given to Pivovarov during his criminal prosecution. Authorities gathered extensive information about his contacts, including the content of his messages on apps such as WhatsApp and Viber. Some of his contacts were later targeted by Coldriver, a Russia-linked group – a link the Citizen Lab said warrants further investigation.
Cellebrite's claims and contradictions
Cellebrite claims it is “totally on the good side” and has attempted to differentiate itself from companies like NSO Group, whose Pegasus spyware has been used against dissidents and journalists. Pivovarov was hacked in May 2021, months after Cellebrite said it would stop selling its solutions to customers in Russia and Belarus. That announcement followed media pressure in Israel after human rights lawyer Eitay Mack revealed Cellebrite's tools had been used against tens of thousands of people in Russia, including Alexei Navalny.
Questions about control over software
Mack said that while Cellebrite announced it would stop sales, it never dismantled the tools it had already sold to Russia – even though some public documents suggest it has the ability to do so. “In contracts with American authorities, they, Cellebrite, keep the right to dismantle the equipment. But the fact is that their equipment is everywhere.” Mack said there were other instances where Cellebrite's tools appeared to be used after contract cancellations, and investigations indicated the software could be used even with a dated licence.
Pivovarov's open letter to Cellebrite
In an open letter to the company, Pivovarov wrote: “The body of investigations that has been carried out demonstrates that the Russian Federation and other authoritarian states continue to operate your devices long after the formal termination of contracts. I submit that your company ought to end the practice of effectively shielding clients who abuse your technology.”
Broader sales to autocratic regimes
Cellebrite has sold technologies to autocratic countries including Russia, Belarus, China, Jordan, Kenya, Myanmar and Serbia. It has terminated contracts in Serbia, Russia, Belarus, Bangladesh, Hong Kong and China, but not with Kenya or Jordan, even though Citizen Lab found evidence of authorities in both countries using Cellebrite to surveil activists' phones. John Scott-Railton, a senior researcher at the Citizen Lab, said: “If Cellebrite wants to stop equipping political prosecutions, the path is clear: stop selling to autocrats, remotely disable their tech after credible reports of abuse, and end the era of plausible deniability by implementing cryptographically signed watermarks on all imaged devices.”
Cellebrite's response
Approached for comment, Cellebrite sent a mass email saying it was impossible to respond to a report it was denied the opportunity to review prior to publication. It stated: “Cellebrite technology is provided exclusively under licence and for legally authorised uses, there are no exceptions … Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorised.” It said hardware sold before March 2021 would be “incompatible with modern devices and would operate without our technical support.”
