Rights activists raise alarm over Israeli cellphone hacking tech sold to Belarus

Lobbyists urge Defense Ministry to curb export of Cellebrite’s technology to Lukashenko regime as long-time dictator cracks down on opposition

Belarusian opposition supporters gather for a protest rally in front of the government building at Independent Square in Minsk, Belarus, August 18, 2020. (Dmitri Lovetsky/AP)
Belarusian opposition supporters gather for a protest rally in front of the government building at Independent Square in Minsk, Belarus, August 18, 2020. (Dmitri Lovetsky/AP)

An Israeli firm that has bragged that its products can help law enforcement break into the vast majority of smartphones on the market is alleged to have provided its technology to Belarus, raising fears it is being used against the opposition to the country’s long-time dictator, Alexander Lukashenko.

The Cellebrite technology enables a full file system extraction, allowing, in effect, a copy of the phone’s data to be transferred to a client’s computer.

Human rights groups have asked the Defense Ministry body that monitors exports to immediately halt the sale of Cellebrite’s phone hacking technology to Belarus, arguing that it should be subject to the same strict guidelines as military equipment.

In a recent letter to the Defense Ministry’s Defense Export Control Agency, human rights lawyer Eitay Mack wrote that Belarus citizens “are under constant intrusive surveillance by the state, in both public and private spaces,” Haaretz reported Tuesday.

“Under these circumstances, it’s clear that in the specific context of Belarus, Cellebrite’s technology has become dual-use as defined in the law regulating such control. It can be used to attack and incriminate demonstrators and pro-democracy activists there,” he added.

“The Defense Export Control Agency and its head should initiate enforcement, effectively and actively, against any citizen or corporation suspected of operating without appropriate licensing. That is why this agency was established,” Mack wrote.

Belarusian President Alexander Lukashenko chairs a Security Council meeting in Minsk, Belarus, August 18, 2020. (Andrei Stasevich/Pool Photo via AP)

On Sunday Cellebrite issued a statement responding to the letter, which Haaretz said was identical to a statement the company put out when challenged over its activities in Hong Kong, where local police are believed to be using the technology against pro-democracy protesters.

“In accordance with company procedures and policy, we do not respond to claims about specific customers or about the use of our technology,” Cellebrite wrote. “We apply meticulous internal standards which dictate the way our technology is used.

Cellebrite said it doesn’t sell to countries “that are under sanctions from the US administration, the Israeli government or the international community. Furthermore, Cellebrite does not deal with surveillance and does not operate in that field.”

Because the company’s product is for extracting data rather than monitoring, it is not considered a surveillance technology, Haaretz reported.

Though Celebrate refuses to confirm if it is providing the technology to Belarus, information indicating that to be the case has reportedly come in the form of several official reports by investigative agencies that found the data extraction has been used in the country since 2016.

It is not clear what oversight there is of Cellebrite’s exports. When attorney Mack inquired about Cellebrite activities in Hong Kong, the Economy Ministry told him that responsibility lies with the Defense Ministry.

“According to your letter, the goods are intended to a final user which is part of a police or security force. The responsibility for monitoring such exports lies with the Defense Ministry,” the ministry wrote in a response.

However, the Defense Ministry said in a statement that it “does not provide details on defense export policy, including information regarding specific export licenses. This is due to security, diplomatic and strategic considerations.”

Lukashenko, who has been in power since 1994, was reelected two weeks ago, though critics say the vote was rigged. While he got 80 percent of the vote, opposition leader Sviatlana Tsikhanouskaya received just 10%. She has since fled the country, fearing for her family’s safety after some of her supporters were arrested.

The European Union on Wednesday said it was rejecting the results of the election.

Tens of thousands have taken to the streets to protest the results and some 6,000 have been arrested, although 2,000 were later released.

Pro-democracy activists hold banners outside a district court in Hong Kong, July 30, 2020. (Kin Cheung/AP)

In July Haaretz reported that human rights activists in Israel and Hong Kong called on Cellebrite to stop working with Hong Kong police, saying officers there were using the technology against pro-democracy protesters.

Following a global petition, Israeli activists wrote to the defense and finance ministries.

“Israeli forensics company Cellebrite has a long history helping Hong Kong police forces to crack into activists’ mobile devices,” wrote activist Nathan Law and claimed that Cellebrite technology was used to access data on the phone of prominent activist Joshua Wong earlier this year and 4,000 detainees last year.

At the time, Mack wrote to Cellebrite and Israeli regulatory bodies that whereas in the past the technology was used by Hong Kong authorities a legitimate way, that changed when Beijing in June imposed national security laws enabling police to search phones without a warrant.

Mack wrote that, under regulatory laws, the Cellebrite technology has dual civilian and military use, which therefore requires it to have a military export license under the Defense Export Control Act. He noted that such an export would then require taking into consideration the situation in Hong Kong.

The Petah Tikva-based Cellebrite was reportedly the company the FBI used in 2016 to hack into the iPhone of the San Bernardino shooter after Apple refused the US government’s request to build a backdoor into its famously secure operating system.

Cellebrite’s technology does not work remotely. It requires a specially designed device to be physically connected to the phone being hacked.

Cellebrite has faced widespread criticism for its refusal to reveal its methods to Apple so the tech giant’s security technicians can seal up the vulnerabilities.

The company has long argued that its help to law enforcement agencies brings greater benefit to the public.

The company has also insisted that it requires potential clients to demonstrate they have the authority to access an iPhone or Android device before making their product available. It has also said the technology’s dependence on physically interfacing with the phones means it is unlikely to be misused.

But critics have noted that Cellebrite has had difficulty ensuring kits it has sent to clients remain with the clients. In February 2019, Cellebrite phone hacking kits were found on sale on eBay, while some clients have not returned the kits to Cellebrite after use, as the company requests.

There are also fears a Cellebrite kit could be reverse engineered to uncover vulnerabilities that the company continues to keep hidden from the cellphone makers.

read more: