Citizen Lab published findings showing that Cellebrite forensic extraction tools were used on the phone of Boniface Mwangi, a Kenyan pro-democracy activist and 2027 presidential candidate, while the device was in police custody.
What Happened
Mwangi’s Samsung phone was seized during his arrest in July 2025 and returned in September 2025 with its screen-lock passcode removed. Citizen Lab identified Cellebrite extraction indicators dated around July 20–21, 2025, inside the window in which police held the device.
A full Cellebrite extraction can pull messages, files, financial data, stored passwords and session tokens, and other sensitive information from a device. Everything on the phone at the time of seizure should be considered compromised, and any credential or account that was reachable from it should be rotated rather than trusted because the phone came back.
The Pattern
This is not an isolated case. Citizen Lab’s report follows similar findings in Jordan, where Cellebrite tools were allegedly used against activists and human rights defenders between late 2023 and mid-2025. It fits a broader pattern alongside spyware like Pegasus and Predator — commercial surveillance tools marketed to law enforcement but repeatedly found targeting civil society.
Cellebrite responded that its technology is used “only in accordance with legal due process.”
Why This Matters for IT
Cellebrite is a legitimate forensic tool used by law enforcement worldwide, including in the U.S. The concern is not the tool itself but the lack of oversight around its use. For organizations handling sensitive data:
- Full-disk encryption and strong device passcodes remain the baseline. They do not make extraction impossible, but they raise the cost significantly. Two caveats: a long alphanumeric passcode matters because short numeric PINs are exactly what extraction tools brute-force, and encryption protects most when the phone is powered off or has not been unlocked since boot; once the device has been unlocked, the data keys are held in memory, and that after-first-unlock state is what forensic tools exploit. Powering a device off before it can be seized is a real mitigation.
- Mobile device management (MDM) with remote wipe capability matters when devices may be seized, but a wipe command only works if the device can still reach the network. A seized phone placed in airplane mode or a shielded bag never receives it, so remote wipe is a complement to encryption, not a substitute.
- Assume physical access means full access. Plan your data protection accordingly, especially for staff who travel internationally or work in high-risk environments: carry a minimal device with only the data and accounts the trip needs, and treat a device that leaves your custody as untrusted when it comes back.
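The baseline above can be checked before a device travels. As an added example (not from Citizen Lab, Cellebrite, or the original brief), the POSIX shell script below triages an Android handset's at-rest posture from the output of `adb shell getprop`: whether user data is encrypted, which encryption scheme is in use, whether verified boot is green, whether the bootloader is locked, and whether the security patch level is newer than a cutoff you choose. The property names are real Android system properties; the two dumps are constructed for this example, and the `ro.boot.flash.locked` property is an assumption that holds on Pixel and many but not all OEM builds, so a missing value is reported as a warning rather than a failure.

```shell
#!/bin/sh
# Added example: pre-travel Android posture triage from `adb shell getprop`.
# Property names are real Android system properties; both dumps below are
# constructed sample data, not output from any real device.

SAMPLE_OK='[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.build.version.security_patch]: [2025-07-05]'

SAMPLE_WEAK='[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.build.version.security_patch]: [2023-11-05]'

# getprop_val DUMP NAME -> prints the value of property NAME, empty if absent.
# Dots in the property name are escaped so they match literally in sed.
getprop_val() {
  name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | sed -n "s/^\[$name_re\]: \[\(.*\)\]\$/\1/p"
}

# check_posture DUMP MIN_PATCH -> prints one FAIL/WARN line per finding and
# returns the number of FAIL findings (exit status 0 means nothing blocking).
# MIN_PATCH is a YYYY-MM-DD string; patch levels compare lexicographically.
check_posture() {
  dump=$1
  min_patch=$2
  fails=0

  case $(getprop_val "$dump" ro.crypto.state) in
    encrypted) ;;
    *) echo "FAIL: user data is not encrypted at rest"; fails=$((fails + 1)) ;;
  esac

  case $(getprop_val "$dump" ro.crypto.type) in
    file) ;;
    block) echo "WARN: legacy block-level (full-disk) encryption; indicates an old Android build" ;;
    *) echo "WARN: encryption type not reported" ;;
  esac

  case $(getprop_val "$dump" ro.boot.verifiedbootstate) in
    green) ;;
    *) echo "FAIL: verified boot state is not green (modified or unlocked boot chain)"; fails=$((fails + 1)) ;;
  esac

  # ro.boot.flash.locked is OEM-dependent (assumption: present on Pixel-style builds).
  case $(getprop_val "$dump" ro.boot.flash.locked) in
    1) ;;
    0) echo "FAIL: bootloader is unlocked"; fails=$((fails + 1)) ;;
    *) echo "WARN: bootloader lock state not reported by this OEM" ;;
  esac

  patch=$(getprop_val "$dump" ro.build.version.security_patch)
  if [ -z "$patch" ]; then
    echo "WARN: security patch level not reported"
  elif expr "$patch" \< "$min_patch" >/dev/null; then
    echo "FAIL: security patch level $patch is older than $min_patch"
    fails=$((fails + 1))
  fi

  return $fails
}

# Stand-alone usage against the constructed dumps. On a real handset, replace
# the dump with: dump=$(adb shell getprop)
for d in "$SAMPLE_OK" "$SAMPLE_WEAK"; do
  if check_posture "$d" 2025-01-01; then
    echo "posture: OK"
  else
    echo "posture: $? blocking finding(s)"
  fi
done
```

Running this requires USB debugging, which is itself an exposure on a device that may be seized: turn it off again once the check is done, and remember that a green result says nothing about the after-first-unlock state discussed above.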