Russian authorities used tools from Israeli company Cellebrite to break into the phone of political prisoner Andrei Pivovarov months after the company said it cancelled its contracts with Russia, according to an investigation by the University of Toronto's Citizen Lab research unit.
Case of Andrei Pivovarov
Andrei Pivovarov, director of the organisation Open Russia, was arrested in May 2021 and released more than three years later as part of a high-profile prisoner exchange involving US journalist Evan Gershkovich. While imprisoned, Russian authorities used forensic tools to extract information from his phone, including contacts and messages from apps like WhatsApp and Viber.
Pivovarov said this was a "violation of his privacy" that put many colleagues at risk. "They tried to find my messages to other colleagues from my organisation and other politicians and may use these in criminal cases against them. After my arrest, several of my colleagues left Russia immediately," he said.
Citizen Lab Findings
The Citizen Lab said a forensic investigation found "with high confidence" that Cellebrite tools were used, confirmed by a document from Russian authorities given to Pivovarov during his prosecution. The information extracted was used to build a criminal case against him, and some of his contacts were later targeted by the Russia-linked group Coldriver.
Cellebrite's Stance
Cellebrite claims it is "totally on the good side" and has attempted to differentiate itself from companies like NSO Group. It said it stopped selling solutions and services to Russia and Belarus in March 2021, but human rights lawyer Eitay Mack noted that Cellebrite never dismantled tools already sold. "In contracts with American authorities, they keep the right to dismantle the equipment. But the fact is that their equipment is everywhere," Mack said.
Questions About Control
The case raises questions about how much control Cellebrite has over its software, which allows users to break into phones and examine contents. The tools are sold worldwide and used by police in the UK and US. Cellebrite has sold technologies to autocratic countries including Russia, Belarus, China, Jordan, Kenya, Myanmar and Serbia. It has terminated contracts in Serbia, Russia, Belarus, Bangladesh, Hong Kong and China, but not with Kenya or Jordan, despite evidence of misuse.
Response from Cellebrite
Approached for comment, Cellebrite sent a mass email saying it was denied the opportunity to review the report prior to publication. It stated: "Cellebrite technology is provided exclusively under licence and for legally authorised uses, there are no exceptions … Any use of legacy Cellebrite hardware in Russia after March 2021 is entirely unauthorised." It added that hardware sold before March 2021 would be "incompatible with modern devices and would operate without our technical support."
Call for Action
John Scott-Railton, senior researcher at the Citizen Lab, said: "If Cellebrite wants to stop equipping political prosecutions, the path is clear: stop selling to autocrats, remotely disable their tech after credible reports of abuse, and end the era of plausible deniability by implementing cryptographically signed watermarks on all imaged devices."
