Note: On June 24, 2026, Cellebrite responded, denying the allegations made in our joint letter. Cellebrite claims it “stopped all sales and services to the Russian Federation in March 2021, terminating existing licenses, and […] unwinding all legal contracts.” The company maintains that any “legacy technology” still in Russia is obsolete and “ineffective today,” and that any continued use since March 2021 is “entirely unauthorized.” The company says that it does not “transact with countries sanctioned by the US, EU, UK or Israeli governments or on the Financial Action Task Force (FATF) blacklist.”
This response fails to adequately address the consistent documentation from the Citizen Lab, from Israeli and Russian investigative media, and from legal organizations, about Russian authorities’ deployment of Cellebrite tools following the company’s exit from Russia. We call on the company to engage with our recommendations listed below to prevent human rights abuses.
A new investigation by the Citizen Lab at the Munk School of Global Affairs at the University of Toronto (“the Citizen Lab”) has confirmed evidence that Russian authorities used Israeli surveillance firm Cellebrite’s Universal Forensic Extraction Device (UFED) to hack into an iPhone of Andrey Pivovarov, a prominent Russian activist and former political prisoner. Notably, a forensic report provided to Pivovarov by the Russian government states that authorities used UFED to infiltrate several of his devices three months after the company said it was ending sales to Russia “immediately.” The Citizen Lab’s investigation confirms with high confidence the use of the forensic extraction tool on at least one of the devices after Russia was allegedly cut off.
Cellebrite has a long history of selling its technologies to repressive regimes and facilitating human rights abuses, from Venezuela to Myanmar. What’s more, authoritarian governments with poor human rights records have previously been caught using its technology to victimize people after the company purportedly left the market, a demonstration of Cellebrite’s consistent failure to prevent or mitigate the abuse of its products.
In our new letter to Cellebrite, Access Now, the Citizen Lab, and Andrey Pivovarov call on the company to enact appropriate measures to ensure a full and responsible exit when they withdraw from a market, and to put sufficient safeguards in place to halt abuse. Following are details on Pivovarov’s case, the Citizen Lab investigation, and the impact on civil society in Russia, as well as our recommendations for both companies and states to stem the abuse that is undermining people’s basic rights and freedoms.
// Who is Andrey Pivovarov?
Andrey Pivovarov is a prominent Russian human rights activist, opposition figure, and a former executive director of the now-closed Russia-based nonprofit Open Russia. In 2017, Russian authorities designated the UK and U.S. Open Russia entities “undesirable,” and proceeded to persecute the Russian branch and its members for “participating in the activities of an undesirable organization.” As a result, on May 27, 2021, Pivovarov announced the shutdown of the Russia-based organization.
Despite Pivovarov having dissolved the Russia-based entity, on May 29, 2021 the notorious Investigative Committee (SKRF), Russia’s key federal investigative agency, initiated criminal proceedings against him for alleged violations of the undesirable organizations law. On May 31, 2021, Pivovarov was removed from a plane in Saint Petersburg and transferred to the SKRF. A Russian court subsequently convicted and sentenced him to four years in prison. Human rights organizations, UN representatives, and EU officials, among others, condemned the arrest and conviction and appealed for Pivovarov’s release. The European Court of Human Rights also ruled that the Russian law on undesirable organizations violates the European Convention on Human Rights.
Pivovarov served most of his prison term, primarily in isolation, until August 1, 2024, when he, along with other Russian activists and opposition figures, was released in the prisoner swap between Russia, Belarus, and a number of Western countries. Pivovarov is now living in exile in Germany and continues his fight for a free and democratic Russia, including through his involvement in the Russian Anti-war Committee, which peacefully opposes Russia’s aggression against Ukraine and supports anti-war Russians in exile. The Russian government has designated the movement “undesirable” and “terrorist,” and has opened criminal cases against its members.
// Citizen Lab’s investigation
The Citizen Lab’s investigation began when Andrey Pivovarov asked the group to check his iPhone for possible traces of spyware at the 2025 World Liberty Congress. While screening Pivovarov’s phone, Citizen Lab researchers were able to confirm with high confidence the use of Cellebrite’s tools to extract data from the device on or around June 17, 2021, three months after Cellebrite’s announcement that it was ending sales to Russia. This infiltration took place during Pivovarov’s detention by the Russian authorities and the subsequent conviction and imprisonment.
The Citizen Lab’s finding confirms the forensic report that Russian authorities provided to Pivovarov in the course of the criminal case against him (Pivovarov privately shared the report with the Citizen Lab). According to the report, between June 15 and July 12, 2021, the Russian Ministry of Interior (MVD) — upon the order from the SKRF — used Cellebrite’s UFED 4PC device and UFED Physical Analyzer software to extract and analyze data from Pivovarov’s digital devices, to learn about his activities in order to build the criminal case against him. This includes the iPhone 12 later examined by the Citizen Lab.
The MVD report states that the agency was unable to analyze Pivovarov’s MacBook computer due to the device being protected by password and encryption. This highlights the importance of civil society at risk of government surveillance using strong passwords and encryption to protect their sensitive data.
// The harm to Russian civil society
When a company like Cellebrite fails to prevent human rights abuses linked to their products, the impact is severe. The information obtained with the help of Cellebrite’s UFED was likely used as evidence in the criminal case against Pivovarov that resulted in his conviction. According to the MVD forensic report, authorities were able to obtain a plethora of information searching various files and SMS, WhatsApp, Viber, and Telegram messages on multiple devices, using key terms like “Open Russia,” “United Democrats,” and the names of Pivovarov’s associates and prominent civil society and opposition figures, including Pivovarov’s partner, now wife Tatiana Usmanova, Open Russia founder Mikhail Khodorkovsky, and Anastasiya Burakova, currently the head of the human rights and anti-war organization the Ark.
Burakova has previously been targeted for hacking. The Russian Federal Security Service (FSB) hacker group COLDRIVER (also known as STAR BLIZZARD) targeted Burakova along with other victims in May 2024, as revealed in our 2024 investigation with the Citizen Lab (luckily, Burakova did not open the malicious phishing attachment). Access Now and the Citizen Lab also suspect that Maxim Dbar, Mikhail Khodorkovsky’s press secretary, was unsuccessfully targeted by COLDRIVER. It is possible that Russian authorities’ use of Cellebrite’s tools in the Pivovarov case may be enabling arbitrary and unlawful surveillance and persecution of other human rights defenders and civil society organizations and individuals like Burakova and Dbar.
// Cellebrite: no end to abuses
As we have noted, Cellebrite has a shameful record of selling its technologies to repressive regimes around the world. Most recently, Cellebrite tools were used in efforts to suppress activists, protesters, journalists, and the opposition in Serbia, Jordan, and Kenya. But these are only a few examples.
In 2020, Israeli human rights lawyer Eitay Mack and the investigative media outlet Haaretz revealed that the tools were used by the Russian SKRF, which is known to persecute journalists, opposition figures, and activists, more than 26,000 times. Several of the SKRF’s officials, including its head, Alexander Bastrykin, have been sanctioned by U.S. and EU authorities. Official legal documents confirm that the SKRF used UFED to hack into the phone of Lyubov Sobol, an opposition figure and close associate of slain opposition leader Alexey Navalny, and a device belonging to Sobol’s cameraman. These revelations led to Cellebrite’s March 18, 2021 announcement that they were ceasing sales to Russia, “immediately” halting the licenses issued to Russian government agencies, and entering them into the “‘blacklist,” to prevent future misuse.
However, official documents later published by SKRF suggest that it continued to use UFED devices in 2022. This is further confirmed by a 2024 investigation by the Russian human rights organization First Department, which suggests that not only are Russian authorities actively using UFED devices against political prisoners that First Department represents, officials may have been able to get software updates years after Cellebrite claimed it ended services to Russia. Finally, in 2023, Russian independent media Mediazona reported that after Russia’s 2022 full-scale invasion of Ukraine, FSB used Cellebrite technology to extract data from the phone of anti-war activist Dmitry Ivanov, after which he was sentenced to eight and a half years in prison for opposing the war. This information, together with the Citizen Lab’s investigation, casts doubt on the claims Cellebrite have made that also appear in their user agreement, which suggest that they are able to “blacklist” or “disable” UFED devices remotely if a client uses them unlawfully.
Our letter to Cellebrite asks the company to explain the documented misuses of their technology after they claim to have ended business in Russia.
// Recommendations to stop the abuse
Companies have a duty to respect human rights and prevent misuse of their products and services, while states must protect and fulfill human rights obligations. Access Now urges Cellebrite and other companies that offer forensic extraction tools, as well as relevant state authorities, to implement the following steps:
Companies should:
- Conduct robust, ongoing human rights due diligence, in consultation with civil society, before and after the sale of forensic extraction tools, to identify and mitigate adverse human rights impacts and to ensure that the tools are not abused;
- Refrain from providing tools to actors with a history of abusing similar technologies;
- Ensure immediate cessation of existing contracts and future sales to customers that have been credibly accused of abusing the technologies;
- Implement both legal and technical measures to prevent future abuses, such as contract clauses that explicitly prohibit the use of the technologies in violation of human rights law and provide for the revocation or restriction of access to the tool in case of abuse, and “killswitches” that immediately disable technologies and prevent future updates;
- Ensure tools and technologies are forensically discoverable to enable victims whose devices were unlawfully accessed to challenge these abuses in courts;
- Provide remedies to affected people and groups through investing in victim funds and engaging with experts and communities impacted by the technology; and
- Refrain from retaliating against victims, civil society, and researchers who expose the abuses of the technologies.
States should:
- Review all trade agreements, export licenses, and procurement of Cellebrite and other companies whose tools have been repeatedly misused in violation of human rights;
- Deny renewals and implement sanctions where patterns of abuse and repeated failures to respect human rights are evident;
- Include forensic tools into export controls review and licensing screening processes; and
- Require companies developing and deploying these technologies to conduct human rights due diligence, in close consultation with civil society, to prevent and mitigate adverse human rights impacts.
If you are a member of civil society and need help to keep your devices and information more secure, or if you think your devices may have already been compromised with forensic tools like UFED, contact Access Now’s Digital Security Helpline, available 24/7 in multiple languages, including Russian.