Published on

Cellebrite: The Phone Hacking Tool Used by Portland Police

Authors

In 2009, in San Diego, California, a man named David Leon Riley was pulled over in a car with expired license registration tags  and was arrested for possession of two firearms in his car. During the arrest, police searched his phone and linked Riley to a gang shooting that occurred three weeks earlier. Riley moved to have the evidence found on his phone thrown out as an unreasonable search and seizure, but was denied.

Five years later, the Supreme Court ruled that indeed, Riley’s Fourth Amendment rights had been violated. The Court, in a majority opinion written by Chief Justice John Roberts, elaborated that phones are “minicomputers” with massive amounts of private data. Since then, warrants have been required to search cell phones, and searches and seizures must be justified and limited to the scope of the warrant.

In theory.

Seven years before the ruling, a then-small data collection company in Israel named Cellebrite Ltd. began manufacturing devices to collect and store data from cell phones without needing a password from the owner. Today, they are ubiquitous around the world, used by both private companies and law enforcement agencies big and small. They have caught the attention of human rights organizations, who decry the violation of privacy and widespread use in surveillance states. The Portland Police Bureau spends several hundred thousand dollars on Cellebrite and tools like it each year. So why has almost nobody heard of Cellebrite?

Cellebrite is a clear and continuing violation of our Fourth Amendment Rights

What Is Cellebrite?

In short, Cellebrite is a phone hacking tool. A Cellebrite user, equipped with a Cellebrite Universal Forensic Extraction Device (UFED for short), can create a mirror image of everything on a cell phone: contacts, text messages, call history, images, video, web data, search history, emails, notes, location history, app data - very literally everything. The user can then browse, search, and store all downloaded data indefinitely.

Cellebrite DI Ltd. began as an Israeli tech company in 1999. Israel, using Palestine as a free and unregulated human testing ground, has manufactured oppressive surveillance tech at an alarming rate. Cellebrite, eager to find an early foothold in the private Israeli espionage industry, opened a mobile forensics division in 2007.  They began manufacturing UFEDs soon after, and have since forged contracts with law enforcement agencies around the world, including militaries, federal governments, and local governments. Since then, Cellebrite has conclusively been used to perpetrate human rights violations across the world.

In 2021, the company announced an intention to have an Initial Public Offering in the United States, using what’s called a special-purpose acquisition company (SPAC), or a “blank-check firm,” to go public. This sparked numerous investigations. Access Now alerted to the relaxed regulation Cellebrite was receiving from the SEC. In their own statement to investors, Cellebrite admits that they themselves cannot prevent abuse of their software:

...all users are required to confirm, before activation, that they will only use the system for lawful uses, but Cellebrite cannot verify that this undertaking is accurate. Further, some of our government customers may use our solutions in a manner that is incompatible with, or perceived to be incompatible with, human rights without our knowledge or permission.

In July of 2021, twenty-eight human rights groups wrote an open letter to the Securities and Exchange Commission demanding that Cellebrite demonstrate human rights compliance before it is allowed to go public. The SEC did not respond, and Cellebrite Ltd. went public in August of 2021.

Cellebrite has told investors that there are over 2,700 accounts active in US state and local governments. They are active in all 50 states, and all of the twenty largest police departments in the country. A full 20% of their revenue comes from the United States Federal Government. They intend to grow into more vectors for data collection, including GPS devices and vehicles. Cellebrite even holds a contract with the department of Fish and Wildlife.

How Does PPB Use Cellebrite?

When Cellebrite announced an impending IPO, OPB conducted a detailed investigation into how Cellebrite is used by police in Oregon. They found that PPB was spending more per capita on digital extraction technologies than nearly all other police departments in the country. As of the writing of this article three years ago, police memos indicate that PPB is searching phones nearly every day. In 2020, Portland Police adopted a new policy requiring a quarterly report detailing the number of devices searched and the total volume of data extracted. We are working to obtain these records.

In theory, when PPB has a phone they want to search, they have to submit a search warrant detailing exactly what they expect to find on the phone, and evidence for probable cause. A judge can then deny the warrant, relying on the Fourth Amendment to say that the evidence is not substantial or that the search is too broad.

But Cellebrite doesn’t work like that. A Cellebrite device extracts all data on a target’s cell phone, cover to cover. Once the data is extracted, police have access to all of it.

Again, in theory, police are to limit their search to what is detailed in the warrant, share with no other offices or police departments, and delete after a regulated amount of time (usually 30 days). For this to work, we rely on bureau policy and technological security. Both have proven inadequate time and time again. In 2022, Willamette Week found that of the 37 data collection tools used by PPB, less than half had policies around data collection and retention. Even when a policy is written, police have been known to violate it. Willamette Week’s same report documents data collected on 2020 protesters without foundation. The data was kept beyond the 30-day limit and available through a central records management system, accessible to even other police departments in Oregon. As long as PPB is allowed to write and enforce their own policies internally, they are effectively subject to no accountability.

As for cyber security, Cellebrite’s record is far from flawless. In 2021, a founder of the Signal messaging app, demonstrated a number of security vulnerabilities of Cellebrite devices. Perhaps most notably, if a target cell phone has specific exploit code on it, it can use what’s known as code injection to execute any code on a Cellebrite device at the time of extraction. This code could modify its own extraction or modify past and future extractions in any way - all without leaving a timestamp or a trail back to the hack itself.

Cellebrite soon pushed an update patching the exposed vulnerabilities. But such vulnerabilities are commonplace in tech. In 2023, the National Vulnerabilities Database recorded over 28,000 vulnerabilities found just that year. Software companies struggle to keep up with ever changing exploits to their software. If Cellebrite is compromised, as it was in 2021, we may unknowingly see modified or falsified data admitted in a United States courtroom.

Unfortunately, Cellebrite is just one in a host of tools the Portland Police Bureau uses for data extraction. In 2015, Willamette Week documented the tools used for wiretapping, impersonating cell phone towers in real time, and reading license plates (which can be used to map a car’s location over time). The article also highlights parallel construction, a known tactic police use to falsify probable cause. If police find evidence of a crime using an unlawful search, with Cellebrite for example, they can pass on the data to another department or agency to develop their own post hoc probable cause.

What Can We Do?

The OBP report from 2021 outlines an ongoing battle between law enforcement agencies and the courts since the first Supreme Court ruling over cell phone searches in 2013. In this framing, law enforcement agencies use tools like Cellebrite, often partially in secret, and judges use the Fourth Amendment or a state’s version of it to call this unreasonable search and seizure.

So far, this has not proven to be effective. Use of Cellebrite has only grown across the United States. Cellebrite continues to encourage police to be covert about the use of Cellebrite tools, as Portland Police spend more than ever on Cellebrite.

As residents and voters in Portland, we elect the city council and mayor, who in turn have appointment and impeachment power over Portland Police. It is therefore our city council that sanctions the use of mobile forensic tools like Cellebrite. As citizens of Portland, we have a right to privacy and safety from unreasonable government search and seizures. A right clearly violated by Cellebrite software and by the Portland Police Bureau. We must demand our city councilors put an end to the use of Cellebrite here in Portland. We must demand our public funds are no longer spent on violations of our Fourth Amendment Rights, and are instead used to bolster public programs and restore wellbeing and power to the powerless of our city.