Riana Pfefferkorn: I Have a Lot to Say About Signal’s Cellebrite Hack
Stanford Internet Observatory Research Scholar [Riana Pfefferkorn](https://twitter.com/Riana_Crypto) shares her thoughts on legal implications of the Cellebrite hack.
A more concise version of this appeared in tl;dr sec 84.
Like many security professionals, I enjoyed Signal thumbing their noses at Cellebrite a few weeks ago. While it’s important to help law enforcement fight criminals, I’m a fan of privacy, and not a fan of selling security tools to repressive regimes.
But I’m not a lawyer and I don’t spend much time thinking about the legal or policy implications of my security work.
It’s worth reading the whole thing, but here are a few key points I took from it:
It seems unlikely that Signal will carry out its implicit threat of randomly giving users files that exploit Cellebrite. Why? Hacking police systems and spoiling evidence are crimes, so not great for the phone user or Signal if it occurs.
This likely won’t have that much impact on trials in practice.
Some defense attorneys may try to use this demonstration to cast doubt on data collected by Cellebrite. However, this doesn’t mean it will actually sway a judge or jury, as you’d need to show evidence that this Cellebrite device and this data have been compromised, not just “it’s possible that in theory Cellebrite’s data could be untrustworthy.”
Also, there are other similar tools, so the police could just compare multiple tools’ output to determine if tampering has occurred.
There’s also a legal doctrine that essentially boils down to asking, “OK, there was unreliable evidence. If it hadn’t been admitted, would the verdict have been the same?” If the answer is yes, the guilty verdict will stand.
Oftentimes there is a variety of evidence beyond just your phone’s data (witnesses, paper trails, website or cellular data, etc.).
The hack was still important for holding law enforcement vendors accountable to reasonable security practices.
The timing was suboptimal, as Cellebrite devices were used in many of the criminal cases against the Capitol rioters, to extract data from their phones after they were arrested. It’s still early days in those criminal prosecutions, those cases are still ongoing, and there are hundreds of them.
The Signal stunt was poorly done, if your goal is to impact judges and lawyers (vs. impress your hacker friends).
The unserious tone and lack of clarity around what’s a joke vs. what’s serious tends not to go over well with judges.
There’s a war going on against E2EE, and this doesn’t help.