Digital forensics firm with iPhone cracking technology lists Enforcement Directorate as one of its clients

April 09, 2024 11:14 pm | Updated 11:14 pm IST - New Delhi

The Enforcement Directorate (ED) is a client of a cyber forensics firm that has access to iPhone-cracking hardware, according to the firm’s website.

Nextechno Gen, a Delhi-based firm, lists the ED as a client. It also has a section on its website dedicated to Cellebrite, an Israeli tech firm that has acquired a global reputation for being able to break into Apple Inc.’s iPhones, which are advertised as secure.

Nextechno Gen’s connection with the ED comes at a time when the financial law enforcement agency has stated in court that Delhi Chief Minister Arvind Kejriwal has refused to cooperate in unlocking an iPhone that was seized from him; lawyers for Mr. Kejriwal, who has been in custody since his arrest last month, defended that refusal, arguing that investigators might leak the contents of his phone and serve partisan aims. Apple has told investigators that the company is by design unable to unlock a pin-protected device.

“As a practice, out of respect for our relationships, we do not divulge specific customer information,” Victor Cooper, a Cellebrite spokesperson said in a statement to The Hindu. Mr. Cooper confirmed that Cellebrite had an India office to “assist our customers”. He said Cellebrite’s products were required to be used by law enforcement agencies with transparency safeguards and agency-specific standard operating procedures.

Nextechno Gen did not respond to questions from The Hindu, and neither did the ED. Device cracking technology adds to the repertoire of Indian agencies’ access to digital surveillance tools — the Intelligence Bureau has access to Pegasus, developed by the Israeli NSO Group Technologies. Pegasus exploits unpatched vulnerabilities on smartphones, allowing attackers to spy on phone data and tap real time microphone and camera feeds. The Union government has not denied using Pegasus, and reported Pegasus infections in India continued even a year after a Forbidden Stories consortium investigation found that activists, journalists and politicians had been targeted with the spyware.

Access to software that breaks into secure devices has been sought by law enforcement agencies around the world. In 2017, India sought assistance from the United States to unlock the iPhone of Lashkar-e-Taiba operational commander Abu Dujana. Nextechno Gen, which has a section on its website linking to Cellebrite brochures, lists not only the ED as a client, but also the Bihar Police, the Kerala Police, Delhi’s Forensic Science Laboratory, the Indian Army, the Kolkata Police, and law enforcement agencies in Nepal and the Maldives. The tech portal MediaNama reported in 2022 that the Hyderabad Police and Maharashtra Police have used Cellebrite for device searches.

Indian law enforcement agencies do not typically disclose hacking tools they use for accessing electronic devices when their owners do not cooperate in unlocking them. In a leaked training video from Cellebrite last year, an instructor for the company asked law enforcement agencies to be “hush hush” about their device cracking capabilities, if they are using them.

Digital privacy advocates have argued that there need to be legal protections against arbitrary electronics seizures to safeguard the constitutional right against self-incrimination, a demand that has grown sharply as smartphones’ role in users’ daily lives expands.

Advocate Prasanna S. said that while people are generally protected against giving up passwords to their devices under Indian jurisprudence, the police generally have a wide berth in terms of finding such information themselves. However, he said, the scope of going through electronic devices for information in an investigation should be limited.

Mr. Prasanna is assisting petitioners in the Ram Ramaswamy v. Union of India case, which is one of multiple petitions calling for restrictions around device seizure. “Our argument is that [inspecting seized devices] requires a warrant, and even if you break in, you can’t completely clone all the data, and if you do, you can’t inspect everything except what you want,” he said. “If you’re alleging a conspiracy in a WhatsApp group, you can only see that group,” he argued.