For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.”
As part of the deal with government agencies, Cellebrite asks users to keep its tech — and the fact that they used it — secret, TechCrunch has learned. This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized.
In a leaked training video for law enforcement customers that was obtained by TechCrunch, a senior Cellebrite employee tells customers that “ultimately, you’ve extracted the data, it’s the data that solves the crime, how you got in, let’s try to keep that as hush hush as possible.”
“We don’t really want any techniques to leak in court through disclosure practices, or you know, ultimately in testimony, when you are sitting in the stand, producing all this evidence and discussing how you got into the phone,” the employee, who we are not naming, says in the video.
For legal experts, this kind of request is troubling because authorities need to be transparent in order for a judge to authorize searches, or to authorize the use of certain data and evidence in court. Secrecy, the experts argue, hurts the rights of defendants, and ultimately the rights of the public.
“The results these super-secretive products spit out are used in court to try to prove whether someone is guilty of a crime,” Riana Pfefferkorn, a research scholar at the Stanford University’s Internet Observatory, told TechCrunch. “The accused (whether through their lawyers or through an expert) must have the ability to fully understand how Cellebrite devices work, examine them and determine whether they functioned properly or contained flaws that might have affected the results.”
“And anyone testifying about those products under oath must not hide important information that could help exonerate a criminal defendant solely to protect the business interests of some company,” said Pfefferkorn.
Hanni Fakhoury, a criminal defense attorney who has studied surveillance technology for years, told TechCrunch that “the reason why that stuff needs to be disclosed, is the defense needs to be able to figure out ‘was there a legal problem in how this evidence was obtained? Do I have the ability to challenge that?’”
The Cellebrite employee claims in the video that disclosing the use of its technology could help criminals and make the lives of law enforcement agencies harder.
“It’s super important to keep all these capabilities as protected as possible, because ultimately leakage can be harmful to the entire law enforcement community globally,” the Cellebrite employee says in the video. “We want to ensure that widespread knowledge of these capabilities does not spread. And if the bad guys find out how we’re getting into a device, or that we’re able to decrypt a particular encrypted messaging app, while they might move on to something much, much more difficult or impossible to overcome, we definitely don’t want that.”
Cellebrite spokesperson Victor Cooper said in an email to TechCrunch that the company “is committed to support ethical law enforcement. Our tools are designed for lawful use, with the utmost respect for the chain of custody and judicial process.”
“We do not advise our customers to act in contravention with any law, legal requirements or other forensics standards,” the spokesperson said. “While we continue protecting and expect users of our tools to respect our trade secrets and other proprietary and confidential information, we also permanently continue developing our training and other published materials for the purpose of identifying statements which could be improperly interpreted by listeners, and in this respect, we thank you for bringing this to our attention.”
When asked whether Cellebrite would change the content of its training, the spokesperson did not respond.
The Electronic Frontier Foundation’s senior staff attorney Saira Hussain and senior staff technologist Cooper Quintin told TechCrunch in an email that “Cellebrite is helping create a world where authoritarian countries, criminal groups, and cyber-mercenaries also are able to exploit these vulnerable devices and commit crimes, silence opposition, and invade people’s privacy.”
Cellebrite is not the first company that asks its customers to keep its technology secret.
For years, government contractor Harris Corporation made law enforcement agencies who wanted to use its cellphone surveillance tool, known as stingrays, sign a non-disclosure agreement that in some cases suggested dropping cases rather than disclosing what tools the authorities used. These requests go as far back as the mid 2010s, but are still in force today.
Here’s the full transcript of the training video:
I’m happy you can join us. And I’m happy to kick off this initial module covering the system overview and orientation for Cellebrite Premium. Thank you and enjoy.
Did you know that Cellebrite Advanced Services has 10 labs in nine different countries around the world? Well, in order to leverage all of that capacity, we are working together to deliver this training to you, so you will be hearing from colleagues from around the world. The following list are those that comprise this current module set, I hope you enjoy meeting them each.
Before we begin, it’s quite important to go over the confidentiality and operational security concerns that we must abide by by using Cellebrite Premium, not only ourselves in our own Cellebrite Advanced Services labs, but most particularly you in your own labs around the world.
Well, we must recognize that this capability is actually saving lives. And in situations when it’s too late, we’re helping to deliver closure for the victims’ families, and ultimately solve crimes and put people behind bars. So, it’s super important to keep all these capabilities as protected as possible, because ultimately leakage can be harmful to the entire law enforcement community globally.
In a bit more detail, these capabilities that are put into Cellebrite Premium, they are actually trade secrets of Cellebrite, and we want to continue to ensure the viability of them so that we can continue to invest heavily into research and development, so we can give these abilities to law enforcement globally. Your part is to ensure that these techniques are protected as best as you can, and to either consider them as “law enforcement sensitive” or classify them to a higher level of protection in your individual country or agency.
And the reason why is because we want to ensure that widespread knowledge of these capabilities does not spread. And, if the bad guys find out how we’re getting into a device, or that we’re able to decrypt a particular encrypted messaging app, while they might move on to something much, much more difficult or impossible to overcome.We definitely don’t want that.
We’re also aware that the phone manufacturers are continuously looking to strengthen the security of their products. And the challenge is already so difficult as it is, but we still continue to have really good breakthroughs. Please don’t make this any more difficult for us than it already is.
And ultimately, we don’t really want any techniques to leak in court through disclosure practices, or you know, ultimately in testimony, when you are sitting in the stand, producing all this evidence and discussing how you got into the phone. Ultimately, you’ve extracted the data, it’s the data that solves the crime. How you got in, let’s try to keep that as hush hush as possible.
And now moving on to operational security or “opsec.” It starts with the physical protection of the premium system and all of its components that you’ve received in the kit.
These little bits and pieces that make all this capability… magic. They’re highly sensitive assets, and we want to ensure that no tampering or any other curiosities are employed on these devices. And in some cases, there is the chance of tampering and disabling the component, and that’s something that you really don’t want to do, because it could knock out your agency from having the capability whilst you await a replacement.
Additionally, exposure of any of these premium capabilities could be quite harmful to the global law enforcement environment. So, be careful with information sharing, whether it’s in face to face conversations, over the phone, on online discussion groups, via email — other things like that — just try to keep it sensitive and don’t go into any details.
When it comes to written documentation, obviously, you don’t want to disclose too much in your court reports. But definitely put the bare minimum to ensure that a layperson can understand the basic concepts of what was done.
Certainly mention that you used Premium, you can mention the version, but do not go into detail of what you’ve done with the phone: either manipulating it or whatever shows up on the graphical user interface of premium itself.
And when it comes to technical operations and quality management within your organization, please be wary that any document that you put together as a standard operating procedure could be visible by an outside auditor for ISO 17025 or other people that could do a Freedom of Information Act request in your agency in whichever laws of your country.
So just be careful with all that. You need to protect this as best as possible. And the other additional factor that you may not be aware of is that failed exploitations on devices — if they’re able to connect to the network — they could phone home and inform the manufacturer that the device is under attack. And with enough knowledge and intelligence, it is possible that the phone manufacturers might find out what we’re doing to achieve this magic. So please do your best to follow all the instructions and make this the best possible procedures [sic] going forward.”
From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You also can contact TechCrunch via SecureDrop.