In March 2021, Cellebrite, an Israeli digital forensics firm, announced it would cease sales and services to Russia and Belarus, aiming to prevent misuse of its technology. Despite this, recent findings indicate that Russian authorities continued to utilize Cellebrite’s tools to access data from detained individuals’ devices.
According to research from The Citizen Lab at the University of Toronto, in June 2021, Russian investigators employed Cellebrite’s Universal Forensic Extraction Device (UFED) to extract data from the iPhone of Andrey Pivovarov, a human rights activist and opposition politician. This occurred three months after Cellebrite’s public commitment to halt operations in Russia.
Cellebrite’s UFED is designed to unlock and extract data from mobile devices, assisting law enforcement in investigations. The company’s official stance is that, following the termination of services, it can disable devices or prevent them from receiving software updates. However, the Pivovarov case suggests that Russian authorities retained functional access to the technology.
Human rights lawyer Eitay Mack highlighted that merely ending sales or revoking licenses doesn’t necessarily prevent former clients from continuing to use the technology. He noted that Cellebrite has not disclosed whether it requires customers to dismantle or return the tools upon termination of service.
In response to these findings, John Scott-Railton, a senior researcher at The Citizen Lab, recommended that Cellebrite implement measures to remotely disable devices upon reports of misuse and incorporate digital watermarks to trace data extractions back to specific devices.
Cellebrite has faced similar challenges in other regions. In February 2025, the company suspended services to Serbia after reports emerged that Serbian police used its tools to unlock phones and install spyware on journalists and activists. Despite these actions, concerns persist about the company’s ability to control the use of its technology post-sale.
This situation underscores the complexities tech companies face in ensuring their products are used ethically, especially when dealing with government clients. It raises questions about the effectiveness of self-imposed restrictions and the need for more robust mechanisms to prevent misuse of surveillance technologies.
