What spy firm Cellebrite can’t hide from investors

The Israeli digital intelligence firm Cellebrite, whose products and services are implicated in human rights abuses globally, could soon be rewarded with even more funding and capacity, increasing risks to human rights defenders, journalists, and dissidents around the world. On April 8, Cellebrite announced that it had entered into an agreement with TWC Tech Holdings II Corp., a special-purpose acquisition company (or SPAC), which will allow it to become a publicly listed company on the NASDAQ with an expected value of $2.4 billion.

Cellebrite is primarily known for its flagship product Universal Forensic Extraction Device (UFED), which (i) unlocks mobile phones and other devices by bypassing passwords and encryption; (ii) extracts data; and (iii) in combination with Cellebrite’s other product, Physical Analyzer, allows operators to analyze data and prepare reports. According to Cellebrite’s parent company, Japan’s Sun Corporation, UFED has been sold to police, military, law enforcement agencies, and secret services in over 150 countries, and holds the “top share” of the global market. Once it goes public, Cellebrite will have the opportunity to further expand its business.

In this post, we first map the use of Cellebrite’s products in human rights violations across the globe. Then we explain how the company’s human rights compliance system has failed. Finally, we outline the steps for approving or denying Cellebrite’s bid to go public, making a set of recommendations to the relevant actors in the approval chain to require the company to improve its human rights compliance or lose the deal.

Long trail of human rights abuses facilitated by Cellebrite

In its investor presentation for the anticipated public listing, Cellebrite recognizes that one of its “key risks” is that some of its “products may be used by customers in a way that is, or that is perceived to be, incompatible with human rights” and that “any such perception could adversely affect [its] reputation, revenue and results of operations.” Despite that, the company keeps selling its products to repressive regimes and enabling detentions, prosecutions, and harassment of journalists, civil rights activists, dissidents, and minorities around the world, as we detail below.

Investors beware: Cellebrite’s human rights compliance system is poorly designed and implemented

Cellebrite’s involvement in human rights violations perpetrated by governments across the globe is especially concerning given Signal’s recent discovery of a major vulnerability in Cellebrite’s software that allows anyone to execute arbitrary code to modify the reports the software produces. While Cellebrite reportedly fixed this flaw, the incident exposed the risk of malicious actors tampering with evidence extracted for court cases, putting defendants’ rights in jeopardy.

Government surveillance has profound implications for individuals’ right to privacy and also produces a chilling effect on the ability to exercise other rights. Under international human rights law, such surveillance should never be used to target journalists, human rights activists, government critics, or minorities.

Cellebrite has to be aware of the systematic human rights violations of its customers, as the company has the responsibility to carry out due diligence on its government clients and their misuse of technology. Once it is aware of a client’s human rights record, Cellebrite must take steps to prevent or mitigate its own contribution to the human rights abuses involving its products and services.

Specifically, under the United Nations Guiding Principles on Business and Human Rights (UNGPs), Cellebrite has a responsibility to enact a robust human rights compliance system to prevent use of its surveillance technologies in violation of human rights. For that, Cellebrite must (i) show public commitment to respect human rights through appropriate policies; (ii) conduct effective, ongoing human rights due diligence and impact assessment to understand how and what kind of human rights abuses its products would implicate, which includes consulting with experts and potentially affected stakeholders; (iii) based on the assessment, design and implement the policies and procedures to adequately mitigate these risks; (iv) keep monitoring and improving the system; (v) investigate and take remedial measures for past human rights violations; and (vi) issue periodic public communications. In its recent UNGP guidance, the U.S. State Department outlines concrete steps to integrate human rights due diligence into compliance programs such as those for export, and encourages U.S. businesses to follow these steps.

Based on the publicly available information that we have highlighted in this post, Cellebrite has not taken meaningful steps toward complying with these principles, despite claiming to do so in its various published statements.

First, Cellebrite has not shown sufficient public commitment to respecting human rights as it has disclosed neither a meaningful human rights policy nor a company code of conduct applicable to its officers and employees. Even when Cellebrite ended its relationship with oppressive regimes in the past — a positive step — it did not explicitly refer to these customers’ failure to adhere to human rights policies or obligations.

Second, Cellebrite has not demonstrated it takes the appropriate measures to conduct proper risk assessment and understand the human rights implications of its products. In an interview submitted as a part of its SEC filing, Cellebrite claims that it has “a dedicated department that works according to [Cellebrite’s] human [rights] and corruption indices” (ironically, the word “rights” is misspelled in the document). However, it is not clear what human rights indices Cellebrite uses as several of its current or past customers, including China, Belarus, and Saudi Arabia, have had historically very poor scores on major human rights indices, including the Reporters Without Borders’ World Press Freedom Index or Freedom House’s Freedom in the World report. Cellebrite also does not specify anything regarding its attempts to engage with any of the relevant human rights organizations directly. As exemplified by its delayed response to Hong Kong’s sweeping national security laws in June 2020, Cellebrite keeps overlooking red flags in the political and regulatory environment of customer countries that have serious human rights impact. Actions speak louder than words.

Third, Cellebrite’s policy and procedures for customer due diligence are not well designed and implemented to mitigate human rights risks. In its investor presentation, Cellebrite claims that it maintains a “board-level oversight by ethics committee.” However, the company does not disclose the members of this committee, how independent they are of the company’s financial interests, which standards they are using to assess the human rights risks, or when their approval is required. Based on the past sales to historic human rights violators and dictatorships, this ethics committee appears to be simply rubber-stamping what the sales team claims, rather than providing meaningful oversight and due diligence.

In addition, despite Cellebrite’s statements that its “contracts address ethics, privacy, and human rights,” Cellebrite’s standard sales contract lacks robust end user controls, mandatory human rights compliance by customers, obligation to notify the company of any misuse of products, or obligation to submit to the company’s audit of customers’ use of products, which are necessary to prevent potential adverse use of its technology. In addition, while the contract states that the company has a right to disable its devices in cases of misuse, it is not clear whether Cellebrite has in fact disabled or recalled its devices in the countries that are no longer clients.

Fourth, evidence shows that Cellebrite has not sufficiently improved its human rights compliance system based on past abuses. Cellebrite’s publicly severing its relationships with Myanmar, China, Hong Kong, Belarus, and Russia is a positive step in the right direction, and it is something that another notorious Israeli surveillance firm, NSO Group, has not done. However, the fact that the company did this only after many years of ignoring abuses, and only in response to public pressure and multiple court petitions by human rights activists, indicates that the actions were taken not as a result of a properly working internal compliance system, but simply of getting caught. To monitor and improve the human rights compliance system, it is essential to seek constant feedback from both internal and external sources, something Cellebrite has yet to demonstrate.

Fifth, there is no indication that the company has attempted to provide any remedy to those individuals potentially falsely arrested, tortured, or otherwise harmed with the help of Cellebrite’s technology.

Finally, Cellebrite has not provided periodic public communication on how its compliance system is designed, implemented, and monitored, as well as how the system deals with credible complaints or incidents of human rights violations.

What “going public” means for Cellebrite: more power and money

Going public means that Cellebrite shares will be listed and publicly sold and purchased on a stock market, and will require the company to provide regular disclosures on its business activities. It provides an opportunity to make more money and achieve better brand recognition and public attention.

Cellebrite says the merger with its SPAC and subsequent listing is expected to be achieved in the second or third quarter of 2021. To make it happen, Cellebrite and its SPAC are required to get approval from the SEC, the SPAC shareholders, the private investment in public equity (PIPE) investors, and NASDAQ. As Cellebrite itself identified human rights violations as a “key risk” to its “reputation, revenue and results of operations,” it will need to demonstrate that its human rights compliance system is robust and effective in preventing and mitigating potential risks. Currently, the SEC is reviewing the draft public disclosure materials from Cellebrite (Form F-4) and the SPAC (proxy statement). Upon the SEC’s approval, these documents will be released to the public. We will carefully monitor whether these documents shed more light on Cellebrite’s human rights compliance system.

Our recommendations for those with the power to “greenlight” Cellebrite

The time has come for responsible investors and the wider financial community to recognize that surveillance technology not only facilitates human rights abuses, but is bad for business. We recommend:

The SEC

  • Decline to approve Cellebrite’s Form F-4 and the SPAC’s proxy statements unless they sufficiently address the lack of safeguards that led to the sale, support for, and continuous use of Cellebrite’s technology by human rights violating regimes; and
  • In case of approval, continue stringent monitoring of all subsequent filings by Cellebrite.

The SPAC Shareholders

  • Demand robust disclosure by Cellebrite of all aspects of its human rights compliance programs, in policy and practice, as well as forward-going commitments to respect human rights. This includes asking Cellebrite to:
    • disclose the results of its human rights due diligence and risk assessments to the investors; and
    • refrain from selling technology to governments at risk of committing human rights violations.
  • Vote against the merger and redeem your SPAC shares unless you are persuaded that Cellebrite’s human rights compliance system is robust enough to mitigate the human rights risk.

PIPE Investors

  • Decline to purchase Cellebrite shares unless you are persuaded that Cellebrite’s human rights compliance system is robust enough to mitigate the human rights risks.

NASDAQ

  • Decline to approve the listing of Cellebrite unless you are persuaded that Cellebrite’s human rights compliance system is robust enough to mitigate the human rights risk.
  • In case of approval, continue stringent monitoring of Cellebrite to ensure it meets your continued listing standards, informed by the U.S. State Department guidance on export of technologies with surveillance capabilities.