Israeli Defense Ministry Asked to Stop Sale of Phone Hacking Software to Uganda

Human rights groups have asked the Israeli Defence Ministry to stop permitting its company to sell its phone hacking tool to Uganda, claiming it is used for rights abuses. 

The company, Cellebrite, which specializes in developing tools for digital forensic investigations, is reported to have sold its phone-hacking software known as Universal Forensic Extraction Device -UFED, to the Ugandan police and other security services. The software enables enforcement authorities to hack into password-protected cell phones and retrieve all the information they contain.  

Uganda Police Force reportedly uses the same technology, the UFED cloud analyzer to extract data from online storage services like dropbox, google drive, OneDrive and Apple’s iCloud. Although Cellebrite publications explain that remote access is only possible if the account holder provides the password, an IT specialist who preferred anonymity said that the user of the system is actually able to extract days from the cloud services installed on the hacked phone.

But Israeli Human Rights Lawyer Eitay Mack is leading a campaign to demand that UFED should not be sold to Uganda. Mack, one of Israelis’ leading voices against arms sales to human rights violators is leading several human rights organizations which signed a letter to the Defense Ministry stating that Uganda is using the software to oppress critics. The Defense Ministry’s Defense Export Control Agency monitors and approves sales of security technologies abroad.

The letter, which is also copied to the supplier Cellebrite, detailed murders, kidnappings, and torture of human rights activists, dissidents, and members of the opposition. They also made reference to a 2021 Country Reports on Human Rights Practices, published by the US Department of State which highlighted a series of state-instigated violations against Ugandans.

The report faulted the government and its security forces for participating in arbitrary killings, forced disappearances, cruel, inhuman, or degrading treatment of suspects and torture. The same report also points to restrictions on free expression including violence and unjustified arrests or prosecution of journalists, and overly restrictive laws on the funding or operation of nongovernmental organizations and civil society organizations.  

But Cellebrite said its products were sold to Uganda’s police and security services to fight serious crime and terror, according to a report by The Times of Israeli and Haartez.com. The two publications quote Cellebrite saying that it always ensures that its tools are only used for legal and ethical purposes.

The same report quotes the company saying that it is committed to its mission of creating a safer world through providing solutions to law enforcement organizations while ensuring legal and ethical use of its products. “We have developed strict means of oversight that will ensure proper use of our technology in the context of investigations carried out under the law. 

The company has also insisted that it requires potential clients to demonstrate they have the authority to access an iPhone or Android device before making their product available. It has also been saying the technology’s dependence on physically interfacing with the phones means it is unlikely to be misused.   But critics have noted that Cellebrite has had difficulty ensuring kits it has sent to clients remain with the clients.

In February 2019, Cellebrite phone hacking kits were found on sale on eBay, while some clients have not returned the kits to Cellebrite after use, as the company requests. There are also fears a Cellebrite kit could be reverse-engineered to uncover vulnerabilities that the company continues to keep hidden from the cellphone makers.   Cellebrite has sold the same software to Belarus, China, Hong Kong, Venezuela, Indonesia, Russia, the Philippines, and Bangladesh.

The Israeli Defense Ministry claims that there is tight and effective oversight of Israeli cyber products sold abroad and that it puts human rights at the forefront when permitting the sale of cyber tools.

Yusuf Sewanyana, the director of the Police's ICT Directorate told URN that although the technology was procured, it is not in use at the moment.

//Cue in; "what I know...

Cue... use it for."//

Last year, an advanced spyware Pegasus, created by another Israeli firm NSO Group was reportedly detected on at least 11 iPhones used by US officials in Uganda, as well as locals working for the Embassy. According to a report which was published by the Washington Post, the targeted individuals were notified by Apple that their devices had been hacked. 

While NSO has previously said Pegasus can’t be used against US-based devices, Americans working overseas can and often do acquire local phone numbers, which may be vulnerable to Pegasus attacks. A report by the New York Times indicated that the targets were easily identifiable as State Department employees because they had used their professional email addresses to create Apple IDs.

NSO Group maintains that governments that purchase Pegasus are carefully vetted and are not to use the product except for specific purposes; however, the company has repeatedly sold Pegasus to countries known to use surveillance technology to track dissidents, lawyers, journalists, and other members of civil society.