Why Did Cellebrite Change Its Tune on Human Rights?

Same Company, Different Standards

Last year, Israeli phone hacking tool maker Cellebrite made headlines for all the right reasons. The company suspended Serbian police as customers after human rights researchers documented how local authorities used its tools to hack journalists' and activists' phones, planting spyware. It was a rare example of corporate accountability in the surveillance tech industry—Cellebrite citing Amnesty International's technical report as grounds for action.

But something has changed. When similar allegations emerged from Jordan and Kenya, Cellebrite's response couldn't have been more different: dismissal, deflection, and no commitment to investigate. The question isn't just what happened—it's why the company abandoned its own precedent.

The Digital Breadcrumbs

On Tuesday, researchers at The University of Toronto's Citizen Lab published damning evidence. They alleged Kenyan authorities used Cellebrite's tools to unlock activist Boniface Mwangi's phone while he was in police custody. In January, they made similar accusations against Jordan, claiming the government broke into multiple activists' and protesters' devices.

The evidence? Digital traces of a specific application linked to Cellebrite found on victims' phones. The same application had appeared on VirusTotal, a malware repository, signed with Cellebrite's own digital certificates. For cybersecurity researchers, these traces represent "high confidence" indicators—about as close to a smoking gun as digital forensics gets.

Victor Cooper, Cellebrite's spokesperson, dismissed the findings: "We do not respond to speculation." When pressed about the company's different approach compared to Serbia, he claimed "the two situations are incomparable" and that "high confidence is not direct evidence."

The 7,000 Customer Dilemma

Cellebrite's customer base spans more than 7,000 law enforcement agencies worldwide—a lucrative empire built on the promise of helping police crack encrypted phones. The company has previously demonstrated willingness to cut ties when abuse allegations surface, severing relationships with Bangladesh, Myanmar, Russia, and Belarus in 2021. It also stopped selling to Hong Kong and China following U.S. export restrictions.

But recent responses suggest a shift in corporate philosophy. For Jordan, Cellebrite offered generic assurances about disabling tools if violations are "substantiated" but refused to investigate. For Kenya, the company went silent entirely.

John Scott-Railton from Citizen Lab isn't buying the company's new stance: "If Cellebrite is serious about their rigorous vetting, they should have no problem making it public." He's demanding the company release specific criteria used to approve Kenyan sales and disclose how many licenses have been revoked.

The Accountability Gap

What's driving Cellebrite's apparent policy reversal? Market pressures? Legal considerations? Or simply the realization that cutting off customers hurts the bottom line? The company's $2.4 billion valuation suggests surveillance tech remains highly profitable, potentially creating incentives to look the other way when abuse allegations surface.

The timing is particularly troubling. As authoritarian governments worldwide increasingly target activists and journalists, surveillance companies face growing pressure to implement meaningful human rights safeguards. Cellebrite's inconsistent responses suggest these safeguards may be more marketing than substance.