Concerns have been raised regarding the effectiveness of corporate sanctions after reports emerged that Russian authorities utilised phone-unlocking technology from Israeli forensics firm Cellebrite to access the iPhone of an opposition politician, Andrey Pivovarov. This occurred in June 2021, three months after Cellebrite publicly declared it would cease all sales and support to Russian government agencies.
The findings, detailed in a report by The Citizen Lab, a digital rights research group based at the University of Toronto, suggest that a Russian government investigative unit employed a Cellebrite tool to breach Mr. Pivovarov's device while he was in custody. This directly contradicts Cellebrite's statement from March 2021, where the company affirmed its intention to "immediately" stop providing hardware and software to its Russian customers. Cellebrite's official website also claims that, as of March 2021, it could prevent its devices from functioning or receiving software updates for withdrawn customers.
The incident has sparked a debate among experts and human rights advocates about the true extent of control technology companies have over their products once they are in the hands of government clients. Eitay Mack, an Israeli human rights lawyer and long-time critic of surveillance technology providers, argued that simply stopping sales or revoking software licences does not necessarily prevent former customers from continuing to use and abuse the technology they have already acquired. He further noted that Cellebrite has not clarified whether it requires customers to dismantle previously sold hacking tools.
The specific Cellebrite tool allegedly used, known as UFED (Universal Forensic Extraction Device), is designed to unlock and extract data from mobile phones. Researchers have previously documented instances where Cellebrite's technology was reportedly used against dissidents, human rights activists, and journalists in various regions globally, including Hong Kong, Kenya, and Jordan. In response to some of these past allegations, Cellebrite has taken steps to cut ties with customers in countries such as Bangladesh, China, Hong Kong, Myanmar, and Serbia.
This case underscores the inherent difficulties in regulating the proliferation and subsequent misuse of sophisticated surveillance technology. Critics, including John Scott-Railton, a senior researcher at The Citizen Lab, suggest that companies like Cellebrite should implement remote disabling capabilities for their tools following credible reports of abuse and introduce cryptographically-signed watermarks to trace the origin of extracted data, thereby ending any "plausible deniability."