Israeli phone-hacking firm Cellebrite has decided to stop selling its technology to Bangladesh, reports Israeli daily Haaretz. The newspaper claimed that its hardware was reportedly used by a paramilitary unit accused of extrajudicial killings, torture, and disappearances of civilians and journalists, in a decision likely influenced by the company's plan to go public this year.
In March, Haaretz for the first time revealed that Cellebrite sold spy-tech to Rapid Attack Battalion (RAB). A human rights lawyer of Israel, Eitay Mack, filed a petition then to the country’s apex court seeking its order to ask their Defence Ministry to halt the firm’s exports to the Muslim-majority South Asian country.
At that time, RAB spokesperson Lt Col Muhammad Ashique Billah said that they needed to examine information reported by the newspaper.
According to documents filed with the US Securities and Exchange Commission (SEC) in August, Cellebrite’s board has also authorized the formation of a special advisory committee to make sure “ethical considerations” are also taken into account in future sales.
Details of Cellebrite
The tech firm offers what it terms “digital forensic” solutions to law enforcement agencies around the world. Cellebrite’s flagship product is called the Universal Forensic Extraction Device.
The product enables the extraction of data from locked mobile phones and their physical position without the owner’s consent. Cellebrite's main clients are Western police forces, but it also sells its products elsewhere – including, at least until now, Bangladesh.
According to the documents filed by Mack, Cellebrite used a company based in Singapore as its proxy for its dealings with Bangladesh, which has no diplomatic ties with Israel and cannot do business directly with Israeli firms. Additionally, officers from the Rapid Action Battalion were also sent to Singapore to undergo training on Cellebrite's system in 2018 and 2019.
Halt to the sales
Haaretz has learned that the company made the decision to halt sales to Bangladesh in early 2021, but that this decision was only made public in May, when Cellebrite sent the SEC an updated outline of its activities and revealed its full blacklist of countries that it will not do business with.
In August, the company also notified the SEC of its intention to form an ethics committee. Both decisions were probably prompted by Cellebrite's plans to go public this year, a process that requires the non-U.S. company to disclose its full activity to the SEC.
“Cellebrite does not sell to countries sanctioned by the US, EU, UK or Israeli governments or that are on the Financial Action Task Force (FATF) blacklist,” Cellebrite said in its SEC filing.
“We pursue only those customers who we believe will act lawfully and not in a manner incompatible with privacy rights or human rights. For example, we have chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security, and we may in the future decide not to operate in other countries or with other potential customers for similar reasons,” the document said.
The August filing included an update about the formation of an “Ethics and Integrity Committee," whose mission "is expected to include advising on ethical considerations related to the use of our technologies.”
Cyber ties
Cellebrite has long claimed it sells only to legitimate law enforcement agencies and that alongside oversight by Israel’s defense establishment it employs its own rigid ethical compliance process. The company says it has refused many times to sell to states accused of human rights infringements.
However, critics have long slammed the company for selling its wares to states with poor human rights records, from Indonesia to Venezuela, Saudi Arabia and Belarus. On several occasions, sales to such countries have been frozen only after they were exposed by the media or through legal processes, casting doubt at Cellebrite's claims of reviewing its clients’ human rights records.
In response to this report, a representative for Cellebrite told Haaretz that the company “is committed to ethics as part of its core values and practice of work and has developed a very strong compliance framework. Cellebrite has strict licensing policies and restrictions that govern how customers may utilize our technology. Our sales decisions are also guided by internal parameters, which consider a potential customer’s human rights record and anti-corruption policies.”
Cellebrite is not the only Israeli firm to do business with Bangladesh. An investigation by Al Jazeera published in February revealed documents regarding the sale of "passive" cell phone monitoring and "interception" systems made by the Israeli cyber-surveillance firm PicSix to the Bangladesh army. The documents show that though the company is registered in Israel, the country of origin for the sale was Hungary.
The misuse of Israeli technology has recently made headlines as part of the global investigation into NSO Group and its Pegasus spyware. The Project Pegasus investigation revealed that over 180 journalists across the world were selected as potential targets by NSO’s clients.
Haaretz – one of over 15 news outlets to participate in the project, led by a nonprofit called Forbidden Stories –helped reveal how the sale of offensive Israeli spyware played a role in Israel’s outreach to hostile nations, including Muslim states.
Bangladesh was also named in the investigation after possible targets with Bangladeshi numbers were also found, however it is unclear who was the client and if NSO also did business with the South Asian country.