Documents obtained by Al Jazeera’s Investigative Unit (I-Unit) and Israeli newspaper Haaretz reveal how the Bangladesh government spent at least $330,000 on phone-hacking equipment made by an Israeli company, even though the two countries do not have diplomatic relations.
Developed by the Cellebrite security firm, UFED is a product that is capable of accessing and extracting data from a wide range of mobile phones. Its ability to hack encrypted phone data has worried civil rights campaigners, who have long called for its use to be more strictly regulated.
Bangladesh does not recognise the state of Israel, forbids trade with it and prevents its citizens from travelling there. The Muslim-majority country officially stands in solidarity with the Palestinians on the basis they are denied civil rights and live under Israeli military occupation.
It is unclear whether UFED was provided to Bangladesh directly by the Israeli company or via a Cellebrite subsidiary based elsewhere in the world, presumably with the intention to mask its origins.
In February, Al Jazeera revealed how the Bangladesh military in 2018 signed a contract to acquire mobile phone interception equipment from Israeli firm Picsix Ltd. In February 2019, Bangladeshi officers received training by Israeli intelligence experts in the Hungarian capital, Budapest.
Do you have knowledge of governments using hacking tools to stifle dissent or want to share another tip? Contact Al Jazeera’s Investigative Unit on +974 5080 0207 (WhatsApp/Signal), or find other ways to reach out on our Tips page.
The Ministry of Defence in Bangladesh said the equipment, a passive mobile phone monitoring system called P6 Intercept, was made in Hungary and was purchased for use on United Nations missions – a claim that was rejected by the world body.
The contract listed the manufacturer of P6 Intercept as Picsix Ltd Hungary, yet no public record of such a company exists and all Picsix equipment is made in Israel.
Training in Singapore
The latest documents obtained by I-Unit, which Al Jazeera also found on the Bangladesh home ministry’s own website, relate to contracts signed in 2018 and 2019. They are from the Public Security Division, a department in the Ministry of Home Affairs that is in charge of domestic security and whose agencies include the Bangladesh police force and border guards.
The paperwork details how nine officers from the country’s Criminal Investigations Department were given the approval to travel to Singapore in February 2019 to receive training on UFED to allow them to unlock and extract data from mobile phones. It outlines how the Bangladeshi staff would ultimately qualify as Cellebrite Certified Operators and Cellebrite Certified Physical Analysts.
The documents also say the Rapid Action Battalion (RAB), a paramilitary force that has a well-documented record of abductions, torture and disappearances, would be trained on the usage of Cellebrite’s hacking systems under an ongoing project that began in 2019 and is set to be completed in June 2021.
The Bangladesh government appears to be investing heavily in electronic surveillance systems and the leaked documents also outline the use of a wide range of devices – from WiFi interceptors and surveillance drones to IMSI-catchers, a tool that emulates cell towers to trick cellular devices into revealing their locations and data.
The latest revelation that Bangladesh security services are being equipped with highly intrusive devices capable of accessing encrypted phones that contain private messages comes amid growing concerns over the country’s human rights record.
Bangladesh has faced international criticism over its 2018 Digital Security Act (DSA), which gives security forces broad powers to arrest and detain journalists and political activists who are critical of the state online.
Last week, ambassadors from 13 countries called for an urgent inquiry into the death of Mushtaq Ahmed, a writer who died on February 25 after being held for nine months without charge under the DSA for criticising, on Facebook, the government’s response to the coronavirus pandemic.
Halting exports to Bangladesh
Eitay Mack, an Israeli human rights lawyer who has been fighting the export of Israeli defence technology that could be used for human rights violations – including in Hong Kong, where pro-democracy protesters in 2019 took to the streets for months – explained how intrusive the technologies that Bangladesh has bought from Israel really are.
“You’re able to take all information about the person’s life, about their relationships, medical records, name of friends and in the case of journalists the names of a source,” Mack told Al Jazeera.
“In the case of Hong Kong, the police used Cellebrite’s systems to access the phones of 4,000 protesters.”
Cellebrite eventually stopped its exports to Hong Kong after public outcry and a court case brought by Mack. Now, he is doing the same with Bangladesh. On Monday, Mack filed a petition with the Israeli courts, asking them to retract the export licenses of Cellebrite and Picsix to Bangladesh.
“Even if a company like Cellebrite or Picsix has branches operating in Singapore, it’s still under Israeli law,” Mack told Al Jazeera. “As long as the company is owned by Israeli citizens they need an export license from the Ministry of Defence.”
Mack argued that Israel uses the exports of these tools to build relationships with countries with poor human rights records such as Bangladesh, South Sudan and the United Arab Emirates.
“Exporting these tools is easier than, for example, selling Bangladesh Israeli rifles. These kinds of systems are less present and this is how Israel is able to create secret relationships with these countries,” Mack said.
“But it’s important to note that this is not a relationship between the Israeli people and the Bangladeshi people, or the Emirati people. It’s a relationship between the Israeli government and the local regime.
“This kind of relationship means that Israeli is helping local repression in many places around the world.”
I-Unit reached out to the Bangladesh Ministry of Home Affairs as well as Cellebrite. Neither provided any comments at the time of publication.