Cellebrite is under renewed scrutiny for uneven enforcement of its human rights policy after cutting off Serbia over alleged abuses of its phone unlocking tools, while declining to take similar action in Kenya and Jordan. The divergence raises a core question for the “lawful access” industry: when does “high confidence” technical attribution become enough to shut off a customer?
A Rare Public Cutoff Sets a Precedent for Vendors
In the Serbia case, Cellebrite referenced a technical report by Amnesty International that described state agencies using its tools to access a journalist’s and an activist’s phones and to plant spyware. In a rare move, the company publicly suspended Serbian police as customers, signaling that credible external findings could trigger commercial consequences.

That decision built on earlier pullbacks: the company has said it ceased sales to Bangladesh and Myanmar amid documented abuses, and to Russia and Belarus in 2021. It has also stated it does not sell to Hong Kong and China following U.S. export restrictions on sensitive technology.
Evidence Behind Kenya And Jordan Allegations
Recent research by the University of Toronto’s Citizen Lab alleges that Kenyan authorities used Cellebrite technology to access the phone of activist and politician Boniface Mwangi while he was in custody. A prior Citizen Lab report accused Jordanian authorities of extracting data from the phones of activists and protesters using the same vendor’s tools.
Citizen Lab’s conclusions rest on forensic traces associated with Cellebrite’s Android extraction “agent” — a small application deployed temporarily to facilitate data transfer. Researchers say they found identical agent samples on malware repositories signed with digital certificates tied to Cellebrite, and matched those artifacts on affected devices. Multiple independent researchers have linked these artifacts to the company’s UFED workflow.
Cellebrite has pushed back, arguing that such indicators, while suggestive, are not the same as direct proof of misuse by a specific customer in a specific case. The company has not committed publicly to investigating the Kenya or Jordan claims and has not disclosed the status of any relevant customer relationships.
Why Serbia Faced a Cutoff But Not Other Countries
The disparity likely turns on three intersecting issues: evidentiary standards, legal exposure, and geopolitics. First, the Serbia cutoff followed detailed technical findings from Amnesty International that reportedly included case specifics and corroborating context. In Kenya and Jordan, Citizen Lab describes highly probative technical artifacts, but without access to internal chain-of-custody logs or purchase records, vendors can claim that definitive attribution remains incomplete.
Second, corporate liability differs by jurisdiction. Disabling licenses in one country may pose low contract or regulatory risk, while doing so elsewhere could trigger litigation, jeopardize broader government relationships, or invite countermeasures. Vendors frequently route sales through distributors, further complicating termination.

Third, export controls and diplomatic pressures shape decisions. Cellebrite, headquartered in Israel, operates under national export licensing and the reality that major markets scrutinize “dual-use” technologies. In 2021, Western sanctions and policy signals made exits from Russia and Belarus relatively straightforward. Comparable political clarity may be lacking for Kenya and Jordan, both U.S.-aligned security partners.
A High Bar for ‘Substantiated’ Misuse Claims
Cellebrite says it will disable any customer found to have “substantiated” violations of human rights or local law. But the company has not defined, publicly, what constitutes substantiation. Forensic agent traces, certificate validation, and consistent victim testimony might meet a civil standard of evidence; a vendor, however, can demand internal device extraction logs, license telemetry, or formal judicial findings — data that targets and external researchers rarely possess.
This asymmetry creates a catch-22: civil society can reliably flag probable misuse, yet the only actor with the logs to confirm it — the vendor — is not obligated to investigate or publish results. As a result, enforcement risks becoming ad hoc rather than rule-based.
Scale And Risk In A 7,000-Customer Footprint
Cellebrite reports more than 7,000 law enforcement customers worldwide. At that scale, even a small misuse rate can affect large numbers of people. Academic reviews of digital forensics vendors have long urged standardized human rights due diligence, including pre-sale risk scoring, enhanced oversight for high-risk buyers, and independent auditing of license use and casework.
Technically, vendors possess tools to tighten accountability: immutable extraction logs, mandatory case identifiers, periodic license renewals, and remote kill switches when red flags appear. Policy, not just technology, determines whether those controls are activated and reported transparently.
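One way the "immutable extraction logs" and "mandatory case identifiers" named above could fit together, as an added illustration (not Cellebrite's code or any vendor's actual log format): a hash-chained log that refuses records without a case ID and lets an auditor holding the latest hash detect edits or truncation. All field names and sample values are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, case_id, device_id, operator, ts):
    """Append one extraction record; refuse it if no case identifier is given."""
    if not case_id or not case_id.strip():
        raise ValueError("extraction refused: case identifier is mandatory")
    body = {"seq": len(log), "ts": ts, "case_id": case_id,
            "device_id": device_id, "operator": operator,
            "prev": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=entry_digest(body))
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Return (ok, index of first bad entry); index len(log) means the head
    hash held by the auditor does not match, i.e. truncation or a full rewrite."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev \
                or entry_digest(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    # Constructed sample records (hypothetical field names and values).
    log = []
    append_entry(log, "CASE-2024-0001", "device-A", "officer-17", "2024-05-01T09:00:00Z")
    append_entry(log, "CASE-2024-0002", "device-B", "officer-17", "2024-05-02T14:30:00Z")
    append_entry(log, "CASE-2024-0003", "device-C", "officer-04", "2024-05-03T11:15:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log, expected_head=log[-1]["hash"]))
```

The chain only constrains whoever cannot rewrite it end to end, so the head hash has to be escrowed with a party outside the customer's control, such as an independent auditor.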
What Accountability Could Look Like in Practice
Independent experts point to several steps that would align practice with the company’s Serbia precedent.
- Publish a clear standard of proof for disabling customers, including the weight given to external technical reports.
- Establish a time-bound review process triggered by credible allegations, with public summaries of findings and actions taken, redacted for safety where necessary.
- Submit to external oversight — for example, an advisory board with human rights experts empowered to review disputed cases.
- Commit to de-risking sales through robust distributor controls and enhanced screening in jurisdictions with documented patterns of digital repression.
The Bottom Line on Uneven Enforcement Standards
Cellebrite’s Serbia cutoff showed the company will act when it deems evidence sufficient. The Kenya and Jordan cases test whether that standard is consistent. Without a transparent, repeatable process for evaluating credible technical findings, the line between enforcement and expedience will remain blurry — and the people whose phones are being opened will keep paying the price.