In February 2026, Citizen Lab published an investigation highlighting serious concerns regarding the alleged use of Cellebrite’s forensic extraction technology by Kenyan authorities to access the devices of activist and political candidate Boniface Mwangi. As explained by Citizen Lab:

Our analysis of the Samsung Android phone confiscated by the Kenyan police belonging to Mwangi shows signs that Cellebrite was used on the phone on or around July 20, 2025 and July 21, 2025. The device was in the custody of the Kenyan police during this timeframe...The use of Cellebrite could have enabled the full extraction of all materials from Mwangi’s device, including messages, private materials, personal files, financial information, passwords, and other sensitive information...

From a business and human rights perspective, this raises fundamental questions about the company’s human rights due diligence, accountability mechanisms, as well as the implementation of technical and non-technical safeguards to prevent abuse.

Citizen Lab sent the following questions to Cellebrite, which have not been answered at the time of publishing:

• What specific human rights due diligence did Cellebrite perform before, during, and after the sale of Cellebrite technology to Kenyan governmental agencies? What conclusion did Cellebrite arrive at and why? Will you make this assessment public, or describe the criteria used in making it?
• How does Cellebrite's Ethics Committee comply with the United Nations (UN) Guiding Principles on Business and Human Rights? What are the powers and procedures of this Committee?
• What is Cellebrite’s plan to remediate any adverse human rights impacts you have caused or contributed to in Kenya, as required by the UN Guiding Principles?
• What technical measures does Cellebrite apply to ensure that its technology is not involved in human rights abuses?
• Will Cellebrite commit to including a unique, customer-specific watermark in device logs that have been imaged?

Companies selling high-risk surveillance technologies need to prove that they have effective policies, procedures, technical and non-technical safeguards, independent grievance mechanisms, and rigorous investigative protocols to address credible allegations, like those coming from Citizen Lab, to prevent and address abuse of their tools.

Additional questions to ask:

• Given that Cellebrite investigated allegations raised concerning the abuse of its tools in Serbia, but not in the Kenyan context, what is the threshold for triggering an investigation of alleged abuses?
• If highly credible sources alleging the surveillance and criminalization of activists in Kenya do not trigger an investigation, is the current policy fit for purpose?

On 18 February 2026, the BHRC invited Cellebrite to respond to allegations that its technology was used to target a Kenyan activist and political candidate, enabling violations of fundamental rights, including the right to privacy, freedom of expression, and freedom of assembly.

Cellebrite did not respond.

For more information about how forensic extraction technologies work and additional cases, check out the following guide: "Hidden risk is the most expensive: What investors need to know about high-risk surveillance technology"