Tech

‘Chilling Effect’: Reporter Says Police Are Using This Israeli Tech to Hack Journalists’ Phones

‘ALARMING’

Oppressive governments are increasingly relying on technology from Cellebrite, an Israeli surveillance firm, to search journalists’ phones, privacy watchdogs warn.

GettyImages-625170040_sj2tsx
Jack Guez/Getty

Journalist Tsaone Basimanebotlhe was not charged with a crime—but that didn’t stop Botswana police from searching through her phone with technology from the Israeli surveillance firm Cellebrite, hoping to identify her newspaper’s sources.

It was 2019 and Basimanebotlhe, who works for the Botswana-based Mmegi newspaper, was in a tight spot. Soon enough, police collected thousands of her messages, as well as details from her emails, browser history, and call records using Cellebrite’s Universal Forensic Extraction Device (UFED) and Physical Analyzer, according to an affidavit from the police forensics laboratory.

But Basimanebotlhe didn’t have the information the police were looking for—because they were targeting the wrong journalist, according to a new report from the Committee to Protect Journalists published Wednesday, which details the reporter’s case. The police were interested in uncovering the source behind an apparent leak that revealed the identities of several undercover security agents, which Mmegi had recently covered, according to the report. They ultimately botched the investigation, as Basimanebotlhe had no part in writing the story.

ADVERTISEMENT

It remains unclear what the police did with her data after scouring it using Cellebrite technology. But the entire incident is emblematic of a larger problem for human-rights activists and journalists concerned about freedom of the press, says Jonathan Rozen, a senior Africa researcher at the Committee to Protect Journalists, who points out that the mere existence of technology like Cellebrite’s can have a chilling effect on journalism.

“All the time when journalists are arrested, their phones or computers are seized and so the presence of technology that claims to be able to bypass encryption and extract information from journalists’ devices… that’s alarming and has a chilling effect on freedom of the press,” Rozen told The Daily Beast.

Sources are already drying up in Botswana over fears the government will uncover leaks, or harass or intimidate whistleblowers, says David Baaitse, a reporter for Botswana’s Weekend Post newspaper. Baaitse says government officials have also seized and analyzed his devices in recent months.

“Sources, they no longer trust us,” Baaitse said in a statement. “They no longer want to deal directly with us.”

The news comes as digital rights organizations are working to put a stop to Cellebrite’s efforts to get listed on the Nasdaq stock exchange given the company’s track record selling products to regimes willing to violate human rights. Access Now and other rights organizations earlier this week urged investors and the U.S. Securities and Exchange Commission in a letter to abandon the initial public offering effort “until Cellebrite demonstrates that it has taken sufficient measures to comply with human rights.”

And while Basimanebotlhe’s case occurred two years ago, the abuses are ongoing—numerous other journalists have said they have been targeted with Cellebrite’s snooping technology in the last several years. Security forces also used Cellebrite to search a phone belonging to Oratile Dikologang, an editor at Botswana People’s Daily News, and security services reportedly used Cellebrite technology against two detained Reuters reporters in Myanmar several years ago. Pro-democracy activists in Hong Kong claim security forces used Cellebrite to search their devices just last year.

Natalia Krapiva, tech-legal counsel at Access Now, told The Daily Beast the time has come for Cellebrite and other digital surveillance companies to be held accountable for selling their products to repressive and corrupt regimes.

“Whatever human-rights assessment mechanisms Cellebrite claims to have in place—they are not working,” Krapiva said.

Cellebrite has, in the past, announced it has stopped selling its products in certain countries over human rights issues. The company has further claimed that its “sales decisions are also guided by strict internal parameters, which consider a potential customer’s human rights record and anti-corruption policies,” according to SEC filings. Cellebrite recently halted its sales in Myanmar following reports of security services using Cellebrite technology against two detained Reuters reporters.

“In the extremely rare case when our technology is used in a manner that does not meet international law or does not comply with Cellebrite’s values, we take swift and appropriate action, including terminating agreements,” the firm said in a statement at the time.

Cellebrite also claims it doesn’t do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia, and Venezuela over concerns about data security and human rights, according to SEC filings.

Even this is not enough, though, Krapiva says.

“In the past, the company had to end contracts with human-rights violating regimes, like Russia, Belarus, and China. However, Cellebrite did not do it on their own initiative, but only after sustained pressure and lawsuits from the civil society,” Krapiva told The Daily Beast.

The firm claims in fine print in SEC filings that “all users are required to confirm, before activation, that they will only use the system for lawful uses,” but acknowledges “Cellebrite cannot verify that this undertaking is accurate.”

And still, the company has nothing substantive to say about the incident with Basimanebotlhe. Cellebrite said in a statement shared with the Committee to Protect Journalists that it would not “speak to any specifics” about customers. It added that Cellebrite “requires that agencies and governments that use our technology uphold the standards of international human rights law… Our compliance solutions enable an audit trail and can discern who, when and how data was accessed, which leads to accountability in the agencies and organizations that use our tools.”

Cellebrite did not return a request for comment on whether an audit had been done on Basimanebotlhe’s case and if any changes have been made as a result of the audit. The government of Botswana did not return a request for comment.

As for accountability in these types of incidents, Krapiva says Cellebrite is “probably hoping they will be ignored and forgotten.”

Got a tip? Send it to The Daily Beast here.