Oded Yaron
Pakistan’s Federal Investigation Agency and various police units in the country have been using products produced by the Israeli cybertechnology firm Cellebrite since at least 2012.The flagship product of Cellebrite, whose stock is traded on the Nasdaq exchange, is called UFED. It enables law enforcement agencies to engage in digital forensic work by hacking into password-protected cellphones and copying all the information stored on them – including pictures, documents, text messages, calling histories and contacts.
Cellebrite, whose CEO is Yossi Carmil, says that its tools are only sold to police departments and security forces – to fight serious crime including terrorism. Over the years, however, the company’s hacking tools have also found their way to organizations that oppress human rights activists, minorities and the LGBTQ community.
As Haaretz has reported on numerous occasions, Cellebrite’s clients have included oppressive regimes that were or still are subject to sanctions, including Belarus, China (including Hong Kong), Uganda, Venezuela, Indonesia, the Philippines, Russia and Ethiopia, as well as Bangladesh’s notorious Rapid Action Battalion.
The security forces in Pakistan are known to commit serious violations of human rights and freedom of expression. The U.S. State Department’s 2022 report on human rights in Pakistan stated: “Significant human rights issues included credible reports of: unlawful or arbitrary killings, including extrajudicial killings by the government or its agents; forced disappearance by the government or its agents; torture and cases of cruel, inhuman, or degrading treatment or punishment by the government or its agents; harsh and life-threatening prison conditions; arbitrary detention; political prisoners; transnational repression against individuals in another country; arbitrary or unlawful interference with privacy; serious restrictions on free expression and media, including violence against journalists...”
In 2016, Pakistan passed a cybercrime law, the Pakistan Electronic Crimes Act, or PECA, which severely limits online freedom of expression, particularly criticism of the government. The law permits the exercise of strict online censorship without a court order and also allows the police to collect information from locked devices without a court order. Last year, Pakistan amended its already draconian law to expand the definition of potentially suspicious activity.
“PCA has been used to silence freedom of expression on the pretext of combating ‘fake news,’ cybercrime, and misinformation,” said Nadia Rahman of Amnesty International, in response to the amendment.
According to the Pakistan-based group Freedom Network, in 2021 the law was the basis of the persecution of at least 23 Pakistani journalists for “slandering” the security forces, the justice system and the intelligence agencies. At least one journalist was charged with treason.
Israeli lawyer Eitay Mack has been harshly critical of Cellebrite and the Israeli Defense Ministry, which he says should be providing oversight of the company. “Pakistan is not just another undemocratic country that is violating human rights, but a country that is ruled by the military and its intelligence units, which support international terrorist and crime organizations. Cellebrite’s systems could be used not only to persecute women and religious minorities that have ‘desecrated Islam’ but also to persecute journalists and opposition activists who are working to uncover the military’s ties with terror organizations like the Taliban and Al Qaeda.”
As reported by Haaretz and its business daily, TheMarker, Israel had previously been engaged in cyberdiplomacy promoting the export of digital weaponry such as NSO’s Pegagus spyware, to places such as Saudi Arabia, the UAE and Morocco, in return for the establishment of official relations or secret agreements.
But according to Mack: “Because of internal political considerations in Islamabad [the Pakistani capital] and due to Israel’s strategic relationship with India, there is no way that the sale of any type of security equipment to Pakistan will advance Pakistan’s relations with Israel. This appears to be another instance of an Israeli company that is focused on its profits and is benefiting from the Defense Ministry’s negligent oversight.”
Israeli and Pakistani Foreign Ministers Silvan Shalom (R) and Khursheed Kasuri, in 2005Credit: AP
Israel and Pakistan have held talks via secret channels over the years. And in 2005, a meeting was even held between Israeli Foreign Minister Silvan Shalom and his Pakistani counterpart, at the initiative of Pakistani President Pervez Musharraf. Israeli Prime Minister Ariel Sharon shook Musharraf’s hand at the United Nations. Musharraf had considered recognizing Israel following the completion of the 2005 Gaza disengagement, but the plan elicited intense domestic criticism and was shelved.
The boycott on contacts with Israel also extends to Pakistani citizens. Under Pakistani law, Pakistani passports are explicitly not valid for travel to Israel. Last month, five Pakistanis were sentenced to prison time for having visited Israel, and last year, Pakistani television journalist Ahmed Quraishi was fired for taking part in a delegation that visited Israel. A few months later, another delegation from Pakistan visited Israel, prompting considerable discussion in Pakistan about a possible warming of relations between the two countries.
According to a 2013 British government report, Israel has in the past exported arms to Pakistan, including electronic warfare systems, radars and advanced fighter jet systems. Unlike NSO and other manufacturers of offensive-cyber products, Cellebrite operates in a gray area between security exports and civilian ones. In 2020, the export of forensic equipment such as that produced by Cellebrite came under the Defense Ministry’s oversight, since it was included in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, which defines which dual-use (security use and civilian use) products require oversight.
International shipment records show that, until at least 2019, Cellebrite Asia-Pacific Pte (its Singapore subsidiary) sold products directly to companies in Pakistan and to its Federal Investigation Agency. This, despite Cellebrite’s End User License Agreement forbidding sales to Pakistan.
In 2012, it was reported in Pakistan that the Sind Province police had acquired UFED Touch Ultimate devices made by Cellebrite, and their use has been expanding since. The Express Tribune newspaper published pictures that clearly show Cellebrite’s product.
Operating manuals, documents and official invitations for bids show that police units and the FIA regularly use these systems. FIA officials past and present who were tasked with enforcing the draconian cybercrime law even state in their LinkedIn profiles that they have been trained and certified to use these systems and that they use them on a regular basis.
FIA invitation for bids from 2021 for Cellebrite's UFED system
Court rulings in the country refer to the extraction of forensic evidence from telephones but do not specify which technology was used. Pakistan also uses forensic systems made by other companies, but in a FIA invitation for bids from 2021 for systems made by two other firms – Belkasoft and Compelson – both were required to support files produced using Cellebrite’s technology. Bidding requests issued by the Punjab police include a request for three UFED Ultimate devices. And one from the counterterrorism division of the Peshawar police, from May of this year, includes a request to renew the UFED license for another two years.
Open gallery view
NRTC catalog showcasing Cellebrite's technology. Right: Punjab and Peshawar police tenders for three UFED Ultimate devices and software license
A 2021 catalog from Pakistan’s National Radio and Telecommunication Corporation touts a long list of technologies produced in the country. On page 17, however, there is a listing for a UFED Touch 2 by Cellebrite. On the next page, NRTC advertises BlackBag’s Mobilyze digital forensic technology. Cellebrite acquired BlackBag in 2020.
The spyware connection between Israel and Pakistan has crossed decades, political parties and ruling administrations. In 2012, when Cellebrite's tools were first reported in use, Pakistan was governed by the Pakistan People's Party. The trade continued under Nawaz Sharif's Pakistan Muslim League administration, during which the draconian police surveillance act was passed.
The 2021 FIA tender was published during the tenure of Imran Khan, head of the Pakistan Tehreek-i-Insaf party, a period during which Cellbrite's Singapore subsidiary continued to sell its products directly to Pakistan. The May 2023 Peshawar police tender occurred under the premiership of current Prime Minister Shehbaz Sharif of the Pakistan Muslim League.
In its response for this article, Cellebrite stated: “The company does not sell to Pakistan, directly or indirectly,” but it refused to explain how that claim squares with Cellebrite-Singapore’s shipment certificates to Pakistan and with official tenders in Pakistan that demonstrate that the country’s investigation agency and police use its technology.
“Cellebrite is committed to its goal of creating a safer world by providing solutions for law enforcement bodies that permit them to solve crimes more quickly,” the company added. “For that purpose, we have developed strict means of oversight that ensure proper use of our technology in the context of investigations carried out by virtue of the law. As a global leader in digital intelligence, Cellebrite’s solutions assist thousands of law enforcement agencies to convict those who endanger public security and to do justice to the victims of crime.”
The Israeli Defense Ministry declined to comment.
No comments:
Post a Comment