Cellebrite Provides Facts About its Business and Solutions
Cellebrite’s business practices and solutions are sometimes described inaccurately and mischaracterized in media reports. Unfortunately, the resulting false narratives used by critics distract from Cellebrite’s mission of enabling customers to protect and save lives, accelerate justice, and preserve privacy for organizations and communities around the world.
Cellebrite offers a complete end-to-end Investigative Digital Intelligence (DI) Platform that provides the ability to collect and review, analyze and manage a range of digital evidence sources, including mobile phones, computers, cloud-based evidence and open-source information. Cellebrite also offers training for customers to optimize the use of Cellebrite solutions during an investigation.
Here, we clarify how Cellebrite’s industry-leading investigative DI solutions work, provide facts about our business practices, and address myths that may be circulating about what we do and how we do it.
Cellebrite is a cellphone hacking company.
- Cellebrite is not a “phone hacking” company. Cellebrite’s comprehensive Investigative DI Platform helps customers legally collect and review, analyze and manage digital data in a lawful, ethical and auditable manner while protecting privacy.
- When authorized, accessing and extracting digital evidence from a computer or mobile device is not “hacking.” Hacking means unauthorized access to a system, which implies illegal activity. It is therefore inaccurate to refer to Cellebrite as a “phone hacking company” or to describe Cellebrite’s solutions as “phone hacking software” when these solutions are being used in legally sanctioned investigations.
Cellebrite’s solutions are spyware.
- Spyware is malicious software that is installed on a computer or mobile device without the user’s consent. Cellebrite’s technologies are not used to intercept communication or gather intelligence in real-time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred.
Cellebrite’s solutions are used in surveillance efforts; Cellebrite is a surveillance and monitoring company.
- Cellebrite is not an offensive cyber-technology company, and we do not produce technology solutions that support surveillance or monitoring efforts. It is important to make a distinction between the “surveillance and monitoring technologies” that are predictive and come into play before an event occurs and Cellebrite’s DI solutions, which are used lawfully and with a warrant to help federal government agencies and law enforcement investigate an event after it has taken place.
There are no restrictions on how customers can use Cellebrite’s solutions.
- Cellebrite has strict licensing policies and restrictions to govern how customers utilize our solutions. We sell our solutions only to companies, bodies and agencies that abide by the terms that govern its proper use as outlined in our End-User Licensing Agreement (EULA).
- Before we even consider granting a customer access to our technology, we examine its recent and long-term human rights record and look at any other factors that we consider restrictive. Our sales decisions are also guided by strict internal parameters, which consider a potential customer’s human rights record and anti-corruption policies and reflect the input of our Executive Team, Compliance Officer, and Ethics & Integrity Committee.
- Customers that do not comply with the terms within our EULA no longer receive active product support and do not have their licenses renewed. Cellebrite is able to significantly disable the customer’s access to our connected technology if they do not comply with the EULA terms.
Cellebrite will sell to anyone who wants to purchase Cellebrite’s solutions.
- Cellebrite’s sales decisions, to both public and private entities, are guided by strict parameters, that are continually reviewed by our Executive Team, Compliance Officer, and Ethics & Integrity Committee, that consider a potential customer’s human rights record and anti-corruption policies.
- Cellebrite maintains a robust Code of Business Conduct and Ethics and is steadfast in ensuring only licensed customers use our solutions for the lawful and necessary purposes of serious investigations. Often Cellebrite contracts are publicly available and provide information regarding investigation needs.
Cellebrite does not consider a potential customer’s track record on human rights when making business decisions.
- Cellebrite does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments, or that are on the Financial Action Task Force (FATF) blacklist. We pursue only those customers who we believe will act lawfully and not in a manner incompatible with privacy or human rights. For example, we have chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security, and we may in the future decide not to operate in other countries or with other potential customers for similar reasons.
- Cellebrite continuously reviews and updates an internal list of countries and regimes we do not export to. The list is updated based on strict internal parameters, recent and long-term human rights record, and additional restrictive factors, which are determined with input from our Executive Team, Compliance Officer, and Ethics & Integrity Committee.
Cellebrite has no recourse if a country is sanctioned after purchasing Cellebrite solutions.
- Customers that do not comply with our End-User Licensing Agreement (EULA) no longer receive active product support and do not have their licenses renewed. When necessary, Cellebrite will also take appropriate enforcement action and is able to disable the customer’s connected technology.
Cellebrite’s devices still work even after a software license has expired.
- As of March 2021, when an internet connected Cellebrite UFED license expires, Cellebrite can stop the device from functioning or receiving software updates.
- Cellebrite is in the process of moving all licenses to an annual subscription model and when these licenses expire the device will immediately stop working.
Cellebrite’s solutions can be used to target journalists and human rights activists.
- Cellebrite vigorously supports the democratic ideals of freedom of speech and freedom of the press. We do not condone the use of Cellebrite’s solutions to access the personal information of journalists, activists or others who are working against the interests of repressive regimes and doing so outside the bounds of a legally sanctioned investigation expressly violates the terms of our licensing agreements.
Cellebrite devices are available for sale on eBay and anyone can purchase a functional UFED this way.
- Our licensing agreements strictly prohibit unauthorized third-party re-sales. Cellebrite routinely reviews eBay and other platforms for unauthorized re-sales and takes legal action to remove unauthorized listings.
- The majority of devices listed on eBay are Cellebrite Touch (formerly Mobilogy) devices. These devices have no forensic value and can be used only to transfer, back up or restore data from one phone to another.
Cellebrite’s technology can clone a phone’s SIM card and surreptitiously intercept messages and listen to calls without the individual’s knowledge.
- Cellebrite’s solutions are not used to intercept communication or gather intelligence in real-time, and there is no ability for the Cellebrite solution to intercept messages or calls.
Cellebrite’s solutions are used to remotely access an individual’s mobile devices without their knowledge or consent.
- This claim is false. Cellebrite’s UFED cannot remotely access a mobile device. We enable our customers to collect and review, analyze, and manage data in a lawful and auditable manner – when authorized – and provide them with solutions to do this ethically while protecting privacy.
- Cellebrite’s EndPoint Inspector enables enterprise customers to connect to computers and mobile devices that they own to remotely collect data as part of an internal investigation. Employment agreements and company policies generally govern express authorization for accessing company-owned technology, and employees whose devices are accessed by Endpoint Inspector must provide their consent via a pop-up screen or physically connect their device to hardware.
Cellebrite does not operate in a manner that sufficiently protects data privacy.
- Protecting data privacy is a core principle of our mission at Cellebrite. While citizens should be able to keep their personal information and private lives free from unnecessary and unwanted intrusions, investigations sometimes require authorized and lawful access to an individual’s private data. When this occurs, citizens must be confident that the technology and tools utilized in the investigatory process can maintain the security of their data.
- Our DI Platform adheres to a standard model of Confidentiality, Integrity, and Availability (CIA) to help keep investigations within legal boundaries while also providing a roadmap to ensure personal privacy.
- Cellebrite’s solutions utilize data to help investigators solve crimes, but Cellebrite does not hold or have access to customer data. Any data collected, reviewed, analyzed or managed by a Cellebrite device is securely stored and all interactions with the data are tracked and auditable.
Cellebrite’s solutions can only be used with older phone models.
- The capabilities of Cellebrite’s solutions are continuously updated as new phone technology becomes available. In the event a customer is unable to access data on a device, the customer can send their device to a secure Cellebrite Advanced Services lab, where an advanced technical approach is taken to unlock or recover data.
- No other DI Platform can match the breadth of Cellebrite’s capabilities with Apple and Android devices.
Cellebrite has no insight into how law enforcement agencies actually operate.
- Cellebrite has Customer Councils, Customer Success Teams and ongoing partnerships with some of the top law enforcement agencies in the world. In addition, Cellebrite employs many active and retired law enforcement individuals to ensure our solutions and training are addressing the evolving needs of our law enforcement customers. This connectivity helps to ensure a constant feedback loop so that Cellebrite can help agencies meet the toughest challenges they face as they modernize to handle digital investigations.
Digital data collected by Cellebrite’s solutions should not be relied upon as evidence.
- Cellebrite is one of the most trusted names in the industry having served the law enforcement community and private enterprise for more than 14 years.
- We constantly strive to ensure that our solutions and software meet and exceed the highest standards in the industry so that all data produced with our products is validated and forensically sound.
- Forensics reports from Cellebrite or other vendors should not be relied upon as evidence in court. They should be used as trusted and accurate facsimiles or representations of evidence or visual aids. Cellebrite-generated reports cannot be tampered with and any previously identified security vulnerabilities have been rectified. All reports are fully auditable and law enforcement and other organizations routinely rely on reports generated by Cellebrite solutions to accelerate cases. The evidence submitted in the court of law to secure convictions is the device(s) involved in a case and the results of the data extraction collected by an examiner using Cellebrite solutions.
Cellebrite is affiliated with NSO Group.
- Cellebrite is not affiliated, nor do we work with NSO Group in any way. Cellebrite is a publicly traded company listed on the Nasdaq stock exchange under the ticker CLBT. Its shareholders include Sun Corporation, True Wind Capital, Axon and Israel Growth Partners.