When Israeli digital forensics firm Cellebrite announced in February 2025 that it had suspended its services to Serbia, the move was hailed by human rights organizations as a rare instance of accountability in the surveillance technology industry. The decision came after Amnesty International published a damning report documenting how Serbian security services had used Cellebrite’s phone-unlocking tools to target journalists and civil society activists. But the celebration was short-lived. As industry observers and press freedom advocates quickly pointed out, Serbia is far from the only government credibly accused of abusing Cellebrite’s technology — and the company’s selective enforcement of its own ethics policies has drawn pointed criticism.
The Serbia suspension, first reported by TechCrunch, followed months of mounting pressure on the company after Amnesty International’s December 2024 report, titled “A Digital Prison,” detailed how Serbian intelligence operatives had deployed Cellebrite’s Universal Forensic Extraction Device (UFED) to break into the phones of journalists and activists without judicial oversight. In at least two documented cases, the extraction was followed by the installation of spyware, suggesting a coordinated campaign of digital surveillance that went well beyond lawful investigation.
A Tool Designed for Law Enforcement, Deployed Against Dissent
Cellebrite’s UFED is one of the most widely used digital forensics tools on the planet. The device, roughly the size of a tablet, can extract data — including messages, call logs, photos, and location history — from thousands of smartphone models, often bypassing lock screens and encryption. Cellebrite markets the product exclusively to law enforcement and government agencies, and the company has long maintained that it has rigorous internal processes to vet customers and ensure compliance with human rights standards. The company went public on the Nasdaq in 2021 and has positioned itself as a responsible actor in a sector frequently tainted by scandal.
But the gap between Cellebrite’s stated principles and its actual client list has been a source of tension for years. According to documents reviewed by multiple news organizations and reports from digital rights groups, Cellebrite products have been sold to or used by authorities in countries with well-documented records of political repression, including Bangladesh, Myanmar, Saudi Arabia, the United Arab Emirates, Russia, China, and Venezuela. In many of these countries, the tools have been linked — directly or circumstantially — to the targeting of political opponents, human rights defenders, and members of the press.
Why Serbia and Not Others?
The question posed by TechCrunch is straightforward but uncomfortable: If Cellebrite was willing to cut off Serbia after documented abuse, why has it not taken similar action against other governments where abuse has been reported? The answer, according to analysts and former industry insiders, lies at the intersection of commercial incentive, geopolitical calculation, and the inherent difficulty of policing how technology is used once it leaves the manufacturer’s hands.
Cellebrite has not publicly disclosed its full client list, but leaked documents and investigative reporting over the years have painted a broad picture. A 2021 investigation by the Israeli newspaper Haaretz found that Cellebrite had sold its tools to authoritarian regimes across the globe, including to police forces in countries with no independent judiciary. In response to repeated inquiries, Cellebrite has typically pointed to its ethics committee and its stated commitment to refusing sales to governments on international sanctions lists. But sanctions lists are narrow instruments — they do not cover many of the governments most frequently accused of digital repression.
The Amnesty Report That Forced Cellebrite’s Hand
The Amnesty International report on Serbia was notable not only for its specificity but for its attribution. Researchers were able to identify the exact Cellebrite tools used, document the chain of custody, and tie the extractions to specific Serbian security agencies. Two Serbian journalists — one working for an investigative outlet and another for a media freedom organization — described being detained, having their phones confiscated, and later discovering through forensic analysis that their devices had been subjected to Cellebrite extraction. In one case, the phone was also infected with a previously undocumented Android spyware variant, which Amnesty’s technical team attributed to Serbian state actors.
Cellebrite’s response, when it came, was carefully worded. The company said it had conducted an internal review and determined that its products had been misused in violation of its end-user license agreement. It announced the suspension of all services to “relevant customers” in Serbia, a formulation that left some ambiguity about whether the ban applied to all Serbian government agencies or only to the specific units implicated. The company did not address the broader question of why similar reviews had not been conducted — or at least not acted upon — in other countries where abuse allegations were equally well-documented.
A Pattern of Selective Accountability
Digital rights organizations have long argued that the surveillance technology industry operates with a structural accountability deficit. Companies like Cellebrite, NSO Group, and Intellexa sell powerful capabilities to governments, collect substantial revenues, and then disclaim responsibility when those capabilities are turned against civilians. The Serbia case is instructive precisely because it is an exception: Cellebrite acted, but only after a major international human rights organization published an extensively documented report that generated significant media coverage and reputational risk.
“The question is not whether Cellebrite did the right thing in Serbia — it did,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, in comments reported by TechCrunch. “The question is why the same standard is not applied everywhere.” Ó Cearbhaill and other researchers have pointed to cases in Bangladesh, where Cellebrite tools were reportedly used by the Rapid Action Battalion — a security force sanctioned by the U.S. Treasury Department for extrajudicial killings — and in Myanmar, where the military junta has been accused of genocide by international investigators.
Commercial Pressures and the Limits of Self-Regulation
Cellebrite is a publicly traded company with obligations to shareholders. Its revenue, which exceeded $300 million in its most recent fiscal year, is overwhelmingly derived from government contracts. Cutting off a small market like Serbia — whose security agencies represent a negligible share of global revenue — carries minimal financial risk. Cutting off larger, more lucrative clients would be a different matter entirely. Saudi Arabia, the UAE, and other Gulf states are major purchasers of surveillance technology, and the loss of those contracts would be material to Cellebrite’s bottom line.
This commercial reality is not unique to Cellebrite. The broader surveillance technology sector — estimated to be worth tens of billions of dollars annually — is characterized by a fundamental tension between the profit motive and human rights. Companies argue that they cannot be held responsible for how their products are used, much as a car manufacturer cannot be held liable for a driver who commits a crime. But critics counter that surveillance tools are not general-purpose consumer products; they are sold to specific government agencies for specific purposes, and the manufacturer has both the ability and the obligation to assess the risk of misuse before completing a sale.
Regulatory Gaps and the Push for Government Oversight
The European Union has taken steps toward regulating the export of surveillance technology, most notably through its 2021 update to the Dual-Use Regulation, which requires EU member states to assess human rights risks before authorizing exports of cyber-surveillance tools. Israel, where Cellebrite is headquartered, has its own export control regime administered by the Ministry of Defense, but enforcement has been inconsistent. The Israeli government has historically been reluctant to restrict the activities of its surveillance technology sector, which is seen as a strategic asset and a source of diplomatic leverage.
In the United States, the Commerce Department has placed some surveillance firms — including NSO Group and Intellexa — on its Entity List, effectively barring them from receiving American technology. Cellebrite has not been placed on the Entity List, and the company has actively sought to expand its presence in the U.S. market, where it counts federal, state, and local law enforcement agencies among its customers. The company’s 2021 Nasdaq listing was itself a signal of its orientation toward the American market and its desire to be seen as a mainstream, compliant technology provider rather than a shadowy purveyor of hacking tools.
What Comes Next for Cellebrite and Its Industry
The Serbia episode has placed Cellebrite in an awkward position. By acting against one abusive client, the company has implicitly acknowledged that it has the capacity — and perhaps the responsibility — to police the use of its products. That acknowledgment makes its inaction in other cases harder to defend. Human rights organizations are expected to press the point, using the Serbia precedent as a benchmark against which to measure Cellebrite’s conduct in other markets.
For the surveillance technology industry more broadly, the case underscores the growing tension between commercial expansion and ethical accountability. As governments around the world invest heavily in digital forensics and surveillance capabilities, the demand for tools like Cellebrite’s UFED will only increase. Whether the industry can develop meaningful self-regulatory mechanisms — or whether external regulation will be imposed — remains an open question. What is clear is that the Serbia decision, however welcome, was a response to public pressure rather than a reflection of systemic change. Until companies like Cellebrite apply their ethics policies uniformly, rather than selectively, the pattern of abuse is likely to continue.