Spy firm for sale Twitter card

Wall Street keeps bankrolling dangerous surveillance tech. Congress must act

The 2021 Cellebrite IPO is the result of a broken public disclosure regime that actively ignores serious human rights violations around the world. The U.S. Congress must ensure the Securities and Exchange Commission (SEC) does its job properly so investors can evaluate the human rights impacts of their acquisitions and make sound decisions. 

Last April, Cellebrite announced its intention to make an initial public offering. The company’s flagship product is the Universal Forensic Extraction Device (UFED), a powerful mobile data forensics tool that extracts and analyzes data stored on a phone or computer. While UFEDs can be used in the context of legitimate law enforcement investigations, Cellebrite also reportedly sells them to repressive regimes, which then employ the devices to expose journalists’ contacts, incriminate regime critics and human rights defenders, and prosecute pro-democracy protesters. As U.S. Representative Tom Malinowski put it, Cellebrite “has demonstrated a consistent disposition to sell first and ask questions later.” 

Despite all of this, the Cellebrite IPO got the green light. The company won the endorsement of the SEC, got approval for its IPO plan, and is now listed on NASDAQ. So what went wrong — and how do we fix it?

The rule goes: all “material” information must be disclosed

The IPO process requires companies to file a registration statement that covers all material information that “a reasonable investor would think is important in determining whether to buy or sell the stock.” Companies are responsible for the accuracy and adequacy of disclosures.

In its role as overseer of securities markets, the SEC is responsible for reviewing the registration statement of any company targeting an IPO and communicating its concerns to companies. While the SEC has been getting more vocal under the Biden administration about companies’ failure to make appropriate disclosures related to climate change, it hasn’t applied that same stringent approach to companies that sell surveillance tech.

The SEC says: only what Cellebrite considers material is “material” 

In May last year, Cellebrite filed a draft registration statement, covering the risk of abuse of UFEDs. But there was something missing. Out of at least eight countries or areas where UFEDs were reportedly abused, Cellebrite disclosed only a report relating to China. It remained silent on Bangladesh, Belarus, and Russia — mentioning these countries only to say it “ha[s] chosen not to do business” with them. It likewise kept mum on Bahrain, Botswana, Myanmar, and Nigeria. Yet reports by the Washington Post, The Intercept, Haaretz, and the Committee to Protect Journalists, among others, credibly document how authorities in each of these countries used UFEDs to destroy individuals’ private and professional lives, attacking their freedom. The facts they uncovered represent material information that could — and should — damage shareholder value.

After Access Now alerted the SEC to the missing information, the SEC asked Cellebrite for a summary of past abuses of which it was aware, and how the company had improved its safeguards in light of these incidents.

In response, Cellebrite added a line to its registration statement asserting that “[t]hird party reports may be incomplete, unreliable or unavailable,” and that “a determination as to whether our products are being misused may involve subjective determinations or being [sic] the subject of differing opinions.” Its implication is that the reports it did not include are either unreliable or subjective, and therefore not “material.” Note: it is Cellebrite itself — without any checks or balances — making this determination.

Disappointingly, the SEC raised no further questions, and approved the registration statement.

Congress must introduce disclosure standards for the surveillance tech industry 

The SEC’s posture here leaves the materiality judgment to the company being assessed, requiring no particular criteria for such determination. This is highly problematic, and more so in this case because the surveillance technology industry is largely unregulated in the U.S. and elsewhere. We are asked to place trust in these companies’ ethical and human rights statements, yet they may not be backed up by any meaningful actions to prevent or stop abuses. When they are granted broad discretion about materiality judgments, it is impossible to say whether they are facilitating privacy and human rights violations in the dark. The Cellebrite IPO is a clear failure to protect investors, and the people use of Cellebrite’s tech has harmed. 

Congress must step in to mandate appropriate restrictions on vendors’ materiality judgments, and introduce disclosure standards applicable to the entire industry. We must require companies to disclose:

  • all past reported abuses; 
  • the criteria used to determine whether a report is credible; and 
  • the specific mechanisms to ensure due diligence and monitoring of clients’ use of products. 

This basic information is essential not only to protect investors from making bad decisions, but also to protect people targeted for surveillance and abuse.

 Access Now is actively working with U.S. lawmakers on this issue. We extend an open invitation to any legislator who is interested in strengthening disclosure standards to reach out and work with us.