# Cellebrite — Export Controls and Human-Rights Record The [[Cellebrite]] org page records the LRPD procurement facts and notes that the company's FY2024 Form 20-F discusses "reputational risk arising from press reporting on Cellebrite tools' use abroad" without extracting it. This page extracts that layer. It assembles the **Tier-2** export-control record (Israeli regulators, Cellebrite's own SEC filings, the contract text) and the **Tier-3** record of established reporting on how Cellebrite's tools have been used, so that the Little Rock contracts can be read against who the vendor is and the regime it operates under. The connection to Arkansas is the product, not a new Arkansas fact. The [[Little Rock Police Department]] bought Cellebrite's Inseyets-UFED software and its Advanced Services lab agreement ([[Cellebrite Advanced Services Agreement]]); the LRPD Endpoint SaaS Terms §14.4 already names Israeli, EU, and US export controls including the US Export Administration Regulations (EAR) as a Tier-1 corpus fact. What follows is the regime behind that clause and the public record of the same product class elsewhere. Nothing here documents misuse of LRPD data; the corpus produces no such evidence. > [!note] Cellebrite is not NSO Group > Cellebrite makes the UFED / Inseyets family of **physical-access phone-extraction** tools, which require possession of a device and operate after the fact under legal process. This is a different company and a different technology from **NSO Group**, whose Pegasus product is **remote spyware**. Cellebrite states it "is not affiliated, nor do we work with NSO Group in any way" (Tier-2 vendor statement, [Cellebrite facts page](../../web%20archive/2026-06-07/cellebrite.com/cellebrite-facts-vendor-position.md)). The two must not be conflated, and no source on this page does. ## The Israeli export-control regime (Tier-2) Cellebrite's exports are administered primarily by Israel, not the United States. In its own most recent annual report, the company states that "the export of some of our products and our solutions is subject to Israeli export control laws and regulations which are administered primarily by the Israeli Defense Export Controls Agency ('DECA') within the Minister of Defense," and that "we currently operate under an export license issued pursuant to the Israeli encryption control regime" (primary public record, [Cellebrite FY2025 20-F — export controls](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2025-export-controls.md)). That license is conditional and country-specific. Israeli "export control laws and regulations as well as the licenses granted to us by DECA prohibit us from exporting some of our products to customers in certain countries and require us to obtain the consent of DECA to export some of our products to customers in certain other countries" (primary public record, [Cellebrite FY2025 20-F](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2025-export-controls.md)). Cellebrite states its understanding that these restrictions rest "on both considerations of national security and the Israeli government's assessment of the human rights record of the country in question" (primary public record, [Cellebrite FY2022 20-F](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2022-encryption-regime.md)). The Israeli Ministry of Defense describes the same machinery from the regulator's side. DECA "has tightened the control of cyber exports" and publishes an "End User Declaration" that "a state interested in acquiring a cyber or intelligence system is required to sign … as a condition for issuing an export license"; the Ministry states that "Israel approves the export of cyber systems solely to governments for the purposes of investigation and prevention of terrorism and crime," controlling such exports "in accordance with its legislation, which is based on the Wassenaar Arrangement" (primary public record, [Israel MoD — tightened cyber-export controls](../../web%20archive/2026-06-07/gov.il/mod-tightens-control-of-cyber-exports-2021.md)). Israel is not a member of the Wassenaar Arrangement but has adopted its Dual-Use List as the basis for its own regime, a distinction the Cellebrite filings confirm. ### The cryptography carve-out and the 2025-2026 change The regime that licenses Cellebrite is in transition. Historically, Cellebrite's cryptographic capabilities have sat outside Israel's ordinary dual-use export rules: "cryptography that is subject to Israeli encryption control laws is not regulated under the Israeli export control regime, even where its capabilities would otherwise place such cryptography within Part 2 of Chapter 5 of the Wassenaar Arrangement Dual Use List … Israeli law instead subjects such cryptography goods and technologies to its own encryption control regime" (primary public record, [Cellebrite FY2022 20-F](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2022-encryption-regime.md)). The same filing notes that the regime does not reach the whole product line: "currently, some of our solutions are not subject to any export control laws." Cellebrite's FY2025 filing discloses that this is being repealed. "On November 18, 2025, the Israeli Minister of Defense signed an order repealing the current encryption control regime and adopting a new regime. The new regime becomes effective on March 18, 2026." Cellebrite states it believes its "current license should remain valid until September 2027," and that under the new regime "some of our products will be controlled primarily under the Israeli Defense Export Control Law, 5767-2007 administered primarily by DECA and, to a lesser extent, the Import and Export Order (Export Control over Dual Use Goods, Services and Technology), 5766-2006" (primary public record, [Cellebrite FY2025 20-F](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2025-export-controls.md)). These dates are Cellebrite's own forward-looking disclosure; the change is prospective. The Israeli regime is not abstract for Cellebrite. The company discloses that "in August 2020, a group of 61 petitioners, including a number of human rights activists, filed a petition before the District Court in Tel Aviv against various Israeli government entities and Cellebrite," asking the court "to exercise its power under the Defense Export Control Law to stop the exportation of our UFED solution to police forces in Hong Kong" (primary public record, [Cellebrite FY2022 20-F](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2022-encryption-regime.md)). That is the company's own disclosure of an allegation by petitioners, not an adjudicated finding. ### The contract clause, and the limit of what it says On the customer side, the export-control hook is a generic compliance covenant. The publicly posted Cellebrite Advanced Services General Terms require that "each Party shall retain responsibility for its compliance with all applicable export control laws and economic sanctions programs" (numbered §13.1 in the posted General Terms; the LRPD-specific Endpoint SaaS Terms variant in the corpus is §14.4 and does name the EAR, Israel, and the EU). The clause itself does not map a customer onto any particular regime; which laws are "applicable" — the EAR on the US side, the DECA regime on the Israeli side — is the reading, not the contract language. ## The documented human-rights record (Tier-3 reporting) Established reporting ties Cellebrite's tools to several governments with serious human-rights records. These are journalistic findings, attributed below; several rest on a single outlet and are flagged as such. **Myanmar.** Per the Washington Post (reported via Times of Israel and The Intercept), "police in Myanmar used … Cellebrite's products to breach the … mobile phones" of Reuters journalists Wa Lone and Kyaw Soe Oo, "Pulitzer Prize-winners … sentenced to seven years in prison for violating state secrecy laws" while reporting on the killing of Rohingya (Tier-3 reporting, [Times of Israel — Cellebrite in Myanmar](../../web%20archive/2026-06-07/timesofisrael.com/cellebrite-myanmar-reuters-journalists.md)). "A former Myanmar military official described the country as a 'major customer' of Cellebrite, though the company said … it would stop business in Myanmar"; Cellebrite's former broker later told the Post that police "still had access to UFEDs" after the claimed pullout (Tier-3 reporting, [The Intercept — Cellebrite in China](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)). **Bangladesh.** Documents obtained by Al Jazeera's Investigative Unit and Haaretz show "the Bangladesh government spent at least $330,000 on phone-hacking equipment made by an Israeli company, even though the two countries do not have diplomatic relations." The documents say the Rapid Action Battalion (RAB) — "a paramilitary force that has a well-documented record of abductions, torture and disappearances" — "would be trained on the usage of Cellebrite's hacking systems under an ongoing project that began in 2019 and is set to be completed in June 2021." Nine Criminal Investigations Department officers "were given the approval to travel to Singapore in February 2019" to train on UFED and "would ultimately qualify as Cellebrite Certified Operators and Cellebrite Certified Physical Analysts" (Tier-3 reporting, [Al Jazeera I-Unit — Bangladesh / RAB](../../web%20archive/2026-06-07/ajiunit.com/bangladesh-cellebrite-rab.md)). The record describes planned and approved training, not confirmed completion. **Hong Kong.** Pro-democracy activist Joshua Wong "said that police had used Cellebrite technology to access his phone" after it was seized in December 2019, during a period in which "police had taken thousands of phones from protesters" (Tier-3 reporting, [The Intercept](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)). Israeli human-rights lawyer Eitay Mack put the figure higher, stating "the police used Cellebrite's systems to access the phones of 4,000 protesters," and petitioned to retract the export licenses of Cellebrite and Picsix to Bangladesh (Tier-3 reporting, [Al Jazeera I-Unit](../../web%20archive/2026-06-07/ajiunit.com/bangladesh-cellebrite-rab.md)). The 4,000 figure is Mack's; the Intercept's own reporting says only "thousands." **Elsewhere.** The Intercept records "reports of abuses involving Cellebrite technology … in Bahrain, Botswana, Indonesia, India, and Saudi Arabia" which Access Now's Natalia Krapiva said "the company has not meaningfully addressed" (Tier-3 reporting, [The Intercept](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)). These are characterized in the source as reports of abuses, not adjudicated findings in each country. ### The vendor's position Cellebrite contests this record and should be read in its own words. The company states it "has developed a strong compliance framework, and our sales decisions are guided by internal parameters, which consider a potential customer's human rights record and anti-corruption policies" (Tier-3 reporting, [The Intercept](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)); that it "demands customers 'uphold the standards of international human rights law,' and in the 'extremely rare case' of non-compliance, the company would cancel agreements" (Tier-3 reporting, [Times of Israel](../../web%20archive/2026-06-07/timesofisrael.com/cellebrite-myanmar-reuters-journalists.md)); and that it "does not sell to countries sanctioned by the U.S., EU, UK or Israeli governments, or that are on the Financial Action Task Force (FATF) blacklist," having "chosen not to do business in Bangladesh, Belarus, China, Hong Kong, Macau, Russia and Venezuela partially due to concerns regarding human rights and data security." Cellebrite frames its tools as "forensic in nature … used to access private data only in accordance with legal due process … after an event has occurred," not "to intercept communication or gather intelligence in real-time" (Tier-2 vendor statement, [Cellebrite facts page](../../web%20archive/2026-06-07/cellebrite.com/cellebrite-facts-vendor-position.md)). Access Now and Eitay Mack dispute that these controls work in practice. ### The withdrawals, and their limits Cellebrite has announced staged withdrawals. On October 7, 2020 it said that "effective immediately it will stop selling its solutions and services to customers in Hong Kong and China," attributing the move to "a change in U.S. regulations" and to "standard business operations" rather than to the documented surveillance of Hong Kong protesters (Tier-2 vendor statement, [Cellebrite — halt HK/China](../../web%20archive/2026-06-07/cellebrite.com/halt-sales-hong-kong-china.md)). On March 18, 2021 it said the same of "the Russian Federation and Belarus" (Tier-2 vendor statement, [Cellebrite — halt Russia/Belarus](../../web%20archive/2026-06-07/cellebrite.com/halt-sales-russia-belarus.md)). An August 2021 Intercept investigation found the China withdrawal was porous: "even after Cellebrite said it withdrew from China and Hong Kong … police on the mainland continued to buy the company's Universal Forensic Extraction Device, or UFED, products" through resellers, including "delivering the Israeli company's software to border guards in Tibet and demonstrating how it could be used to search people's WeChat accounts" (Tier-3 reporting, [The Intercept](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)). ## US domestic deployment (Tier-3) The same product class is widespread in US policing. The nonprofit Upturn's 2020 report *Mass Extraction* documents "more than 2,000 agencies … in all 50 states and the District of Columbia" that "performed hundreds of thousands of cellphone extractions since 2015, often without a warrant" (Tier-3 research, [Upturn — Mass Extraction](../../web%20archive/2026-06-07/upturn.org/mass-extraction-mdft-report.md)). These figures cover mobile-device forensic tools as a category, which includes Cellebrite but also competitors such as Grayshift/Magnet; Upturn is an advocacy organization that concludes such tools should not be used, and the figures are not Cellebrite-specific. The tools are not flawless. In April 2021, Signal's Moxie Marlinspike reported that "it's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned" (Tier-3, [Signal — Cellebrite vulnerabilities](../../web%20archive/2026-06-07/signal.org/cellebrite-ufed-vulnerabilities.md)). Signal is Cellebrite's adversary and the disclosing party, and stresses that Cellebrite "does not do any kind of data interception or remote surveillance"; the exploit requires the device to be physically connected. Federal demand continues. In 2026, DHS/ICE Homeland Security Investigations forecast a contract with a "$100 million ceiling" (an indefinite-delivery vehicle, not an awarded sum) for Cellebrite tools; Cellebrite responded that "our technology is used in forensic environments after an event has occurred — not to conduct surveillance or monitor individuals" (Tier-3 reporting, [FedScoop — DHS/ICE Cellebrite](../../web%20archive/2026-06-07/fedscoop.com/dhs-ice-cellebrite-100m-contract.md)). ## Why this matters to the Arkansas corpus The Little Rock contracts put one of these tools inside an Arkansas police department. The export-control clause LRPD signed reaches an Israeli licensing regime that turns, by Cellebrite's own account, on the Israeli government's assessment of a destination country's human-rights record. The same regime is the subject of an export-license petition over Hong Kong. And the product class LRPD bought is the one documented in Myanmar, Bangladesh, and Hong Kong. None of that establishes anything about LRPD's own use, which the corpus does not document. It establishes who the vendor is and what regime governs it, which the [[Arkansas Act 710 of 2017 — Israel-Boycott Contract Certification]] makes newly pointed: Arkansas requires its vendors to certify that they do not boycott Israel as a condition of the contract. The cross-jurisdiction argument is developed in [[The Surveillance-Export Economy in Arkansas Law Enforcement]]. ## Sources - Israel Ministry of Defense, tightened cyber-export controls and updated End User Declaration (primary public record, [gov.il](../../web%20archive/2026-06-07/gov.il/mod-tightens-control-of-cyber-exports-2021.md)). - Cellebrite DI Ltd. Form 20-F (FY2025), export-control sections (primary public record, [SEC EDGAR](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2025-export-controls.md)). - Cellebrite DI Ltd. Form 20-F (FY2022), encryption-control regime and Hong Kong petition (primary public record, [SEC EDGAR](../../web%20archive/2026-06-07/sec.gov/cellebrite-20-f-fy2022-encryption-regime.md)). - Cellebrite Advanced Services General Terms, export-control clause (primary public record, [legal.cellebrite.com](../../web%20archive/2026-06-07/legal.cellebrite.com/advanced-services-general-terms-export-clause.md)). - Cellebrite, corporate facts / position statement (Tier-2 vendor statement, [cellebrite.com](../../web%20archive/2026-06-07/cellebrite.com/cellebrite-facts-vendor-position.md)). - Cellebrite, sales-halt press releases for Hong Kong/China and Russia/Belarus (Tier-2 vendor statements, [HK/China](../../web%20archive/2026-06-07/cellebrite.com/halt-sales-hong-kong-china.md); [Russia/Belarus](../../web%20archive/2026-06-07/cellebrite.com/halt-sales-russia-belarus.md)). - Mara Hvistendahl, "Cellebrite … China," The Intercept, Aug 26 2021 (Tier-3 reporting, [theintercept.com](../../web%20archive/2026-06-07/theintercept.com/cellebrite-china-cellphone-hack.md)). - Al Jazeera Investigative Unit, Bangladesh / RAB Cellebrite procurement, Mar 8 2021 (Tier-3 reporting, [ajiunit.com](../../web%20archive/2026-06-07/ajiunit.com/bangladesh-cellebrite-rab.md)). - Times of Israel on the Washington Post Myanmar investigation, May 2019 (Tier-3 reporting, [timesofisrael.com](../../web%20archive/2026-06-07/timesofisrael.com/cellebrite-myanmar-reuters-journalists.md)). - Moxie Marlinspike, "Exploiting vulnerabilities in Cellebrite," Signal, Apr 21 2021 (Tier-3, [signal.org](../../web%20archive/2026-06-07/signal.org/cellebrite-ufed-vulnerabilities.md)). - Upturn, *Mass Extraction*, 2020 (Tier-3 research, [upturn.org](../../web%20archive/2026-06-07/upturn.org/mass-extraction-mdft-report.md)). - FedScoop, DHS/ICE Cellebrite contract forecast, 2026 (Tier-3 reporting, [fedscoop.com](../../web%20archive/2026-06-07/fedscoop.com/dhs-ice-cellebrite-100m-contract.md)).