Bold claim: state abuse of private data is not just a risk—it’s happening in real time to activists, journalists, and dissenters. And this is where the story gets more complicated than headlines. Kenya’s authorities reportedly accessed a prominent activist’s phone using Israeli-forged tech, raising urgent questions about surveillance, rights, and accountability. Here’s what you need to know, explained clearly and with context.
Boniface Mwangi, a well-known Kenyan pro-democracy advocate who has signaled a 2027 presidential bid, had his phone returns from police custody after an arrest last July. He immediately noticed a troubling detail: one of his devices was no longer password-protected and could be accessed without authentication. The device contained intimate family photos and personal messages from friends, mentors, and loved ones. Mwangi described feeling exposed and unsafe knowing the contents could be seen by the state, especially given past reports of harassment and even torture.
A Citizen Lab report, published recently, concluded with high confidence that Kenyan authorities used Cellebrite’s technology to break into Mwangi’s phone while it was in police custody. The technique could have enabled the full extraction of data, including messages, private files, financial information, passwords, and other sensitive materials.
These findings contribute to a growing body of evidence that Cellebrite’s hardware and software are being misused by government clients, and that the company has limited oversight to prevent abuses. Cellebrite responded by saying it maintains a rigorous process for reviewing misuse allegations and takes action—such as terminating licenses—when credible evidence is presented. The company emphasized that it does not respond to speculation and invites concrete, evidence-based concerns directly for review.
Requests for comment from Kenyan authorities and the Kenyan embassy in Washington did not yield responses. Amnesty International echoed concerns last July, noting that the legal case against Mwangi appeared to be part of a broader pattern intended to intimidate lawful dissent. Mwangi was released on bond shortly after arrest and is due back in court.
Mwangi described living under constant surveillance, noting that authorities gathered information from other people’s devices and were aware of his leadership within the movement. He said he tolerates ongoing scrutiny of his calls and messages.
This latest development aligns with earlier forensic findings by Citizen Lab that spyware—such as FlexiSPY—was detected on the phones of Kenyan filmmakers while police were investigating them in connection with a BBC documentary about police actions during protests in 2024. The BBC has denied involvement by those individuals.
Mwangi argues that non-state actors may be enabling government surveillance, potentially increasing risk for activists when private companies enable access. The concern is that sharing access to spy tools with a government that has faced accusations of abductions and repression could put lives at stake.
Citizen Lab’s report follows a January release noting similar patterns in Jordan, where authorities were believed to be using Cellebrite to collect data from activists critical of Israel. In response, Cellebrite asserted that its technology is used only to access private data in accordance with due process or consent following an event, and that it acts on substantiated concerns.
Beyond Africa and the Middle East, there are indications of Cellebrite’s use in other regions, including Myanmar and Botswana, and possible cases in Serbia and Belarus. John Scott-Railton, a senior researcher at Citizen Lab, summed up the concern: phones hold the keys to personal life, and governments should not access them merely because they disagree with what someone is saying. He warned that selling these tools to security services with a history of abuse jeopardizes journalists, activists, and conscientious publics.
Given the stakes, it’s worth considering: should private surveillance tools ever be allowed to be deployed by governments without stringent, independently verified safeguards? What responsibilities do tech vendors hold when their tools enable potential rights violations, and how should they balance business interests with human rights protections? If you have thoughts or experiences related to digital privacy, share them in the comments.
