Cellebrite refers to itself as a digital intelligence company, but this opaque description doesn’t paint a particularly clear picture.
In short, digital intelligence is code for device hacking; Cellebrite helps government and law enforcement agencies break into the smartphones and laptops of people under investigation – provided the client has legal grounds for doing so.
The Israeli firm has attracted plenty of criticism in recent years from data privacy activists who say its practices are ethically unsound. Others have attacked the company for failing to disclose the active vulnerabilities it exploits to break into devices.
However, Cellebrite is steadfast in its stance that its technology does far more good than it could possibly do harm. It also points to inconsistencies in the arguments of its detractors; there is little criticism of the execution of physical search warrants, says CMO Mark Gambill, so why should different rules apply in the digital sphere?
“We get lumped with surveillance companies, but that’s not what we do. And you cannot use our technology without a legal warrant, so if used correctly there is no breach of privacy,” he told TechRadar Pro.
“There are countless examples of our technology being used for social good; to find missing children, break up drug trafficking rings and more. But unfortunately, we’re in an environment where sensationalism sells.”
However, whether intentionally or otherwise, Cellebrite has courted an air of mystery that it now seeks to dispel ahead of a Nasdaq listing that is set to value the company at $2.4 billion. According to Gambill, Cellebrite has nothing to hide.
Legislating for abuse
Cellebrite says it serves roughly 6,700 customers worldwide, the vast majority (circa 5,000) of which hail from the public sector. In this context, there are three main facets to the company’s services: data collection, analysis and audit.
As Gambill explains, criminals have become extremely savvy about using technology, and predictably, are often unwilling to volunteer their unlocked devices. With legal approval, Cellebrite’s Universal Forensic Extraction Device (UFED) can be used to extract data stored on smartphones, computers, smartwatches and more, sometimes by exploiting active vulnerabilities in the operating systems.
At a software level, Cellebrite’s Physical Analyzer tool then helps clients dig through the terabytes of data often stored on consumer devices today. The company combines keyword-based filtration with artificial intelligence (AI) to surface specific information.
Finally, in order to preserve evidentiary integrity, Cellebrite’s hardware is supported by a management suite that keeps a strict activity log and audit trail.
“It’s critical to have transparency about who is handling evidence, because there are concerns about both privacy and tampering,” said Gambill. “Our solution is able to demonstrate precisely who has accessed what data and when.”
Even more than most companies, Cellebrite has a responsibility to pick and choose which clients it works with. Indeed, Gambill admits there have been instances in which its technologies have been misused, although he stressed these are extremely rare.
To shield against this eventuality, Cellebrite has designed its hardware such that it cannot be used by anyone other than active licensees. Updates rolled out every couple of weeks also mean that out-of-date Cellebrite kit is effectively useless, “unless you want to make a flower pot out of it”, Gambill quipped.
Asked about the potential for a current licensee to misuse the hardware behind closed doors, he told us it would be “very difficult” without Cellebrite finding out. “It’s about having the ability to monitor what’s occurring and, in rare situations where someone goes rogue, to take decisive steps.”
Gambill also notes that Cellebrite has pulled its products from a number of countries, including China and Russia, that it believes may use its technology in an unethical manner or that rank poorly in human rights indices.
However, multiple privacy advocates, such as non-profit Access Now, claim the company has not gone far enough to legislate against the potential human rights abuses its arsenal is capable of facilitating. Further, they say Cellebrite has been too slow to cut ties with unsavory clients and took action only as a result of public pressure.
In a recent open letter, Access Now and its peers argue that Cellebrite has long been aware of the potential for abuse, yet knowingly continued to sell its products into repressive regimes, in the likes of Saudi Arabia and Myanmar (something ex-Cellebrite employees have corroborated). Until it has “taken sufficient measures to comply with human rights”, the firm should not be allowed to go public, the activists say.
Late last year, Cellebrite made an enemy of messaging company Signal. The firm had recently announced support for Signal file types and also released a report suggesting it had cracked the platform’s famous encryption, but this was later debunked and referred to as “embarrassing”.
A few months on, Signal CEO Moxie Marlinspike released a report of his own, in which he demonstrated vulnerabilities in Cellebrite hardware. In the same post, he claimed the company “exists within the grey – where enterprise branding joins together with the larcenous to be called ‘digital intelligence’”.
He also joked he was “willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in future.”
Asked about the ethics around holding onto vulnerabilities that could potentially be abused in the wild by malicious third parties, Gambill gave us an indirect response. He described the company’s relationship with device vendors, such as Apple, as one of “coopetition”, an amalgam of cooperation and competition.
“Apple is a key partner of ours in many ways. Certainly, we all respect the right of people to ensure their phones have the right types of security and encryption from the standpoint of privacy,” he said.
“At the same time, we have an obligation to provide technology and tools that aid in investigations. The means by which we do that is part of our secret sauce.”
Gambill explained he does not recognize a contradiction between the company’s attitude towards privacy and its approach to vulnerability disclosure, partly because it has legal grounds for its behavior and partly because the ends justify the means.
“What we do is provide technology that you can only use with a legal warrant and to me that does not suggest operating in any grey areas – it’s pretty cut-and-dry,” he told us….