Services Australia pays $1.2m for controversial spyware for fraud investigations

Photograph: Issei Kato/Reuters

Services Australia has paid $1.2m to a controversial digital intelligence company that allows police to crack into smartphones and copy all the data, for software to aid in “investigations into fraud and other criminal behaviour”.

Israeli company Cellebrite’s technology is traditionally purchased by police around the world – including Victorian and New South Wales police in Australia – to obtain data from phones held in their possession.

While Cellebrite has been linked with attempts by law enforcement to bypass encrypted devices, most of its tools are designed to extract information from unlocked devices, to make it easier for investigators to sift through all the data held on a phone as part of their investigations.

Australia’s social support agency signed a $460,000 contract with the firm in 2020, and extended the contract in August this year, bringing the total value to $1.2m.

The Canberra Times reported in 2017 the agency had initially spent $32,000 on the software for use “less than 50 times”, suggesting a significant increase in its use in the past four years. On Thursday, the department refused to say how many times it had used the technology.

A spokesperson for the department said Cellebrite’s services “supports its investigations into fraud and other criminal behaviour”.

“This includes examination of evidence gathered under warrant,” the spokesperson said. “We continually adapt and evolve our criminal intelligence and investigation capabilities to combat increasingly sophisticated criminal threats, and to protect the integrity of Australia’s system of social supports.”

When asked why Services Australia needed tools typically used by police rather than partnering with police in fraud investigations, the spokesperson said Services Australia “has conducted its own criminal investigations against the programs we administer” for many years.

“These investigations may result in a referral to the Commonwealth Director of Public Prosecutions (CDPP). The agency also leverages close relationships with law enforcement agencies to identify and address criminal activity where necessary and appropriate to do so,” the spokesperson said.

Services Australia refused to state for which programs, such as jobseeker, Medicare or the disability support pension, it used the technology to investigate fraud.

The Greens spokesperson for family, ageing and community services, Janet Rice, said the party would pursue Services Australia about the use of the technology in Senate estimates in late October.

“We need clear answers and accountability from the minister and the agency about what this contract will be used for and why,” Rice said.

“This tender raises serious questions for Services Australia, about why it needs this software, what it will be used for, and whether it can guarantee not to violate people’s human rights, including the right to privacy.

“After the pain and suffering caused by robodebt, it’s horrifying to see Services Australia spend more than a million dollars on what appears to be more surveillance of people receiving income support.”

In April, questions were raised about the reliability of data obtained from Cellebrite extracts after Moxie Marlinspike, the founder of encrypted messaging app Signal, published a blog post outlining a series of vulnerabilities in the Israeli company’s surveillance devices.

He claimed he found 100 vulnerabilities, including one which could modify “not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices”.

The company subsequently pushed out an update to its software to address the vulnerabilities and said it could not find instances where the vulnerability to modify data had been used.

Guardian Australia has sought comment from Cellebrite.

Cellebrite has contracts with a number of Australian government departments, including the Australian Taxation Office, the Australian Securities and Investments Commission, the Australian federal police, and the Department of Defence.