News

Cellebrite halts use of its forensic tool in Serbia

UPDATE 28 February 2025:

Amnesty International’s Security Lab found one more case of abuse of Cellebrite’s tool on a phone of a student activist, who was held on 25 December after attempting to attend the SNS rally in Sava centar. More information and technical findings available at: https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/



The digital forensics tool is withdrawn from use by clients in Serbia, the company Cellebrite announced on February 25. The company conducted an internal investigation into the misuse of its products following a December 2024 report by Amnesty International (AI), which stated that the tool had been used in Serbia for unauthorized unlocking of phones belonging to civil activists and journalists.

According to the statement, Cellebrite made this decision in accordance with its ethics and integrity policies. The company emphasized that its products support “lawfully sanctioned investigations” and noted that these tools are not “spyware, surveillance or any other type of offensive cyber activity.” Cellebrite further clarified that it assesses the countries “both on an annual and ad hoc basis due to political and cultural shifts. We regularly track countries and review a multitude of indexes ranging from democratization to human rights to rule of law.”

Head of AI’s Security Lab, Donncha Ó Cearbhaill, stressed that withdrawing licences from customers who misused the equipment for political reasons is a critical first step. “Now, Serbian authorities must urgently conduct their own thorough and impartial investigations, hold those responsible to account, provide remedies to victims and establish adequate safeguards to prevent future abuse,” Ó Cearbhaill stated.

Forensic experts analysing the phones of journalists and activists in Serbia have reliably determined that the police and the Security Information Agency (BIA) used a new type of spyware, which Amnesty International called NoviSpy, in conjunction with the misuse of the highly sophisticated Cellebrite tool. At the time, BIA categorically rejected the claims in AI’s report, while the Ministry of Interior stated that the tool was used strictly in accordance with the law.

The Cellebrite UFED product package, developed for use by state investigative authorities, enables data extraction from mobile devices even without access to the passwords. The Norwegian Ministry of Foreign Affairs donated this digital forensic tool to Serbia’s Ministry of Interior through the United Nations Office for Project Services (UNOPS).

Amid near-daily protests across Serbia and armed police raids on civil society organisations, the misuse of spyware technology and digital surveillance of citizens poses an extremely high risk to human rights and advocacy for the public interest. The SHARE Foundation demands that the competent institutions immediately conduct investigations in line with the civil sector’s complaints.

Related content

Draft withdrawal a step towards moratorium on biometric surveillance

As an organisation dedicated to digital rights and freedoms, fighting against the use of mass biometric surveillance, we welcome the decision of the Serbian Minister of Interior to withdraw the controversial Draft Law on Internal Affairs. We call on the authorities to take another step and impose a moratorium on the use of advanced technologies for biometric surveillance and mass […]

Round two of the battle against mass biometric surveillance

The controversial Draft Law on Internal Affairs was withdrawn from the procedure on Monday, December 26. The decision to withdraw followed two sessions of the public discussion, which was initially open for three weeks and then extended at the request of civic organisations. At the same time, the Government announced “broad consultations” in further work on the […]

Clubhouse – our worst hangover yet!

Clubhouse is not the origin of all evil when it comes to compromising user privacy and the grave consequences of it. But, in the times we live in, where privacy became a household name and a recurrent legal and PR problem for established platforms like Facebook and Google; and with the presence of milestone regulations […]