Israeli phone-hacking firm Cellebrite has decided to stop selling its technology to Bangladesh – where its spyware was reportedly used by a paramilitary unit accused of extrajudicial killings, torture, and disappearances of civilians and journalists – in a decision likely influenced by the company’s plan to go public this year.
According to documents filed with the U.S. Securities and Exchange Commission in August, Cellebrite’s board has also authorized the formation of a special advisory committee to make sure “ethical considerations” are also taken into account in future sales.
Cellebrite offers what it terms “digital forensic” solutions to law enforcement agencies around the world. Cellebrite‘s flagship product is called the Universal Forensic Extraction Device. The product enables the extraction of data from locked mobile phones and their physical position without the owner’s consent. Cellebrite’s main clients are Western police forces, but it also sells its products elsewhere – including, at least until now, Bangladesh.
One of the models in Cellebrite’s Universal Forensic Extraction Device product line.Courtesy
In March, documents filed by human rights lawyer Eitay Mack to Israel’s Supreme Court revealed that Cellebrite had dealings with a Bangladeshi unit known as the Rapid Action Battalion, which has been called a “death squad” by rights groups and has also been accused of persecuting LGBTQs in the Muslim country; according to Amnesty International, in 2018 the unit was responsible for 466 extrajudicial killings. The documents were filed as part of Mack’s petition asking the Supreme Court to make the Defense Ministry explain why it continues to allow Cellebrite to export its products to Bangladesh.
According to the documents filed by Mack, Cellebrite used a company based in Singapore as its proxy for its dealings with Bangladesh, which has no diplomatic ties with Israel and cannot do business directly with Israeli firms. Additionally, officers from the Rapid Action Battalion were also sent to Singapore to undergo training on Cellebrite’s system in 2018 and 2019.
Haaretz has learned that the company made the decision to halt sales to Bangladesh in early 2021, but that this decision was only made public in May, when Cellebrite sent the SEC an updated outline of its activities and revealed its full blacklist of countries that it will not do business with. In August, the company also notified the SEC of its intention to form an ethics committee. Both decisions were probably prompted by Cellebrite’s plans to go public this year, a process that requires the non-U.S. company to disclose its full activity to the SEC.
“Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments or that are on the Financial Action Task Force (FATF) blacklist,” Cellebrite said in its SEC filing.
NSO spyware scandal may threaten Israel’s love affair with Amazon and Google
After spyware scandal, Israeli NSO touts ‘proud family of workers saving lives’
Israeli Cellebrite sold spy-tech to Bangladesh ‘death squad’
“We pursue only those customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights. For example, we have chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security, and we may in the future decide not to operate in other countries or with other potential customers for similar reasons,” the document said. The August filing included an update about the formation of an “Ethics and Integrity Committee,” whose mission “is expected to include advising on ethical considerations related to the use of our technologies.”
Cyber ties
Cellebrite has long claimed it sells only to legitimate law enforcement agencies and that alongside oversight by Israel’s defense establishment it employs its own rigid ethical compliance process. The company says it has refused many times to sell to states accused of human rights infringements.
However, critics have long slammed the company for selling its wares to states with poor human rights records, from Indonesia to Venezuela, Saudi Arabia and Belarus. On several occasions, sales to such countries have been frozen only after they were exposed by the media or through legal processes, casting doubt at Cellebrite’s claims of reviewing its clients’ human rights records.
In response to this report, a representative for Cellebrite told Haaretz that the company “is committed to ethics as part of its core values and practice of work and has developed a very strong compliance framework. Cellebrite has strict licensing policies and restrictions that govern how customers may utilize our technology. Our sales decisions are also guided by internal parameters, which consider a potential customer’s human rights record and anti-corruption policies.”
Cellebrite is not the only Israeli firm to do business with Bangladesh. An investigation by Al Jazeera published in February revealed documents regarding the sale of “passive” cell phone monitoring and “interception” systems made by the Israeli cyber-surveillance firm PicSix to the Bangladesh army. The documents show that though the company is registered in Israel, the country of origin for the sale was Hungary.
The misuse of Israeli technology has recently made headlines as part of the global investigation into NSO Group and its Pegasus spyware. The Project Pegasus investigation revealed that over 180 journalists across the world were selected as potential targets by NSO’s clients. Haaretz – one of over 15 news outlets to participate in the project, led by a nonprofit called Forbidden Stories – helped reveal how the sale of offensive Israeli spyware played a role in Israel’s outreach to hostile nations, including Muslim states. Bangladesh was also named in the investigation after possible targets with Bangladeshi numbers were also found, however it is unclear who was the client and if NSO also did business with the South Asian country.