THE Israeli company behind Police Scotland’s controversial cyber kiosk technology has been left reeling after top-secret data was leaked to Japanese authorities.
Interpol, the FBI and the National Crime Agency are among the agencies which have had sensitive and confidential information exposed, according to court documents uncovered by the Haaretz newspaper.
The data – taken from 2015/17 – includes almost half a million emails belonging to senior officials and directors at Cellebrite, its internal communications and exchanges with clients, invoices, and even contracts.
Police Scotland told The Herald they had spoken to the firm and were satisfied that their systems had not been “compromised or affected adversely”.
However, senior politicians said the force should "reconsider" whether the tools provided by the company were "a sensible use of police resources."
The force first worked with Cellebrite in 2016 when it trialled a Universal Forensics Extraction Device (UFED) in Edinburgh and Stirling.
The UFEDs – known as cyber kiosks – allow law-enforcement agencies to unlock both iPhones and Android smartphones, and extract most of the data on them.
The devices work even if the phones are locked and even if the data is encrypted. This allows police access to stored passwords and tokens, chats, location data, email attachments, as well as deleted content.
However, it is understood that the device is less effective on newer phone models without access to the passcode.
Soon after the trial, in April 2018, Police Scotland spent more than £444,000 on 41 cyber kiosk units from the company.
The aim was to deploy them across the country within six months. However, that was paused after concerns were raised by MSPs and lawyers.
It was only in 2020 that the Crown Office and independent senior counsel were confident that there was a legal basis for use of the technology.
According to Haaretz, information was transferred from Cellebrite to its main shareholder, Japan's Sun Corporation.
This was handed over to Japanese officials investigating alleged financial misconduct.
Neither Cellebrite’s management nor its clients knew of the sharing of data.
A legal opinion commissioned by the firm warned the leak could damage its reputation.
It wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”
“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure.”
That opinion was published last week following a court battle with Haaretz which saw two documents relating to a financial dispute lawsuit made public.
After reviewing the full extent of the leak to the Japanese authorities, the company’s lawyer said it contained “confidential information relating to Cellebrite itself [and] confidential information relating to Cellebrite’s clients, including but not limited to agreements entered into with the clients as well as the products used by the clients”.
The court papers revealed that the FBI and Interpol, the Russian Embassy in Japan, and the Tokyo Metropolitan Police Department were all clients at the time of the leak.
So, too, were the US Department of Homeland Security, the US Marshals Service, and US Immigration and Customs Enforcement.
These, as well as the Royal Canadian Mounted Police, were specifically noted as clients who would be concerned by the disclosure.
The leak also contained communications between Cellebrite and the National Crime Agency, the Ministry of Defence, and the American military regarding “data extraction as part of classified investigations”.
Details of how Cellebrite had aided Nasa and Russian police forces were also contained.
A spokesperson for Police Scotland said: “Police Scotland has been liaising with Cellebrite and other partners to fully understand any implications for the service.
“Following this communication, we are satisfied that Police Scotland systems have not been compromised or affected adversely.”
Lib Dem MSP Willie Rennie said: "It has now emerged that internal Cellebrite documents ended up in the hands of foreign governments.
"These kiosks have always operated on debatable legal ground and involved working in partnership with opaque foreign partners. Police Scotland should reconsider whether these tools are a sensible use of police resources."
The papers obtained by the Israeli newspaper were attached to a lawsuit filed last month as part of a dispute between Cellebrite and a strategic consultant called David Spector.
Mr Spector was briefly hired by the firm and claims that he is still owed funds.
However, Cellebrite claims he only included the now-revealed documents in his suit to attract media attention to his case and to try to embarrass the company.
In response to Haaretz’s report, Cellebrite said “the two legal documents appended to the lawsuit provide an inaccurate and partial portrayal of the events in question and their potential ramifications”.
The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest”.
Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities”.
Last week, it was revealed that Cellebrite had sold phone-hacking tools to the dictatorship in Uganda.
It previously cut ties with China after the technology was reportedly used against pro-democracy protesters in Hong Kong.