Cellebrite's decision to cut off Serbia from its phone unlocking tools over documented abuse should signal that surveillance tool vendors are finally enforcing accountability. But the real story is the opposite: the company's continued operations in Jordan and Kenya—where Citizen Lab has documented similar misuse—reveals that vendor accountability isn't policy, it's public relations. This inconsistency exposes a critical gap in digital rights enforcement and creates regulatory liability that spans enterprise buyers, investors, and policymakers.

The inconsistency is stark. Cellebrite, the Israeli company that manufactures sophisticated phone unlocking and data extraction tools, announced it was cutting off sales to Serbia. The reason cited: abuse of its technology. That sounds like accountability working. Until you ask the obvious question Lorenzo Franceschi-Bicchierai poses in his analysis: if abuse in Serbia justified a sales halt, why does the company continue selling in Jordan and Kenya, where Citizen Lab has documented comparable misuse of the same tools?

This isn't a gray area. Citizen Lab's research has specifically documented how Cellebrite's technology has been used to target civil society activists and journalists in multiple countries. The evidence isn't country-specific or one-off. It's a pattern. Yet Serbia gets the enforcement action, while other documented abuse cases don't.

What's actually happening here is that selective enforcement is becoming the default vendor playbook. Companies make accountability gestures—a cutoff here, a policy review there—but only when reputational pressure becomes unavoidable. It's reactive, not preventive. And it's fragmenting the landscape into a patchwork where oversight depends less on clear policy standards and more on which markets attract media scrutiny.

For decision-makers at enterprises and government agencies procuring these tools, this creates immediate risk. If your agency uses Cellebrite and it's documented that the vendor continues enabling rights violations in other jurisdictions, the reputational and legal exposure is yours, not theirs. You're now operating a tool known to be subject to selective accountability—which is another way of saying no real accountability at all.

Investors face a different timing question. The current model—where vendors self-regulate through selective enforcement—is unstable. Regulatory frameworks like the EU's Digital Services Act and emerging compliance regimes in multiple democracies are moving toward mandatory vendor accountability. What Cellebrite is doing now with Serbia may look smart in the short term (responding to one high-profile case) but exposes the company to regulatory liability the moment a jurisdiction mandates consistent enforcement standards. At that point, the inconsistency becomes an audit trail of intentional selective enforcement.

The deeper shift here isn't about Cellebrite specifically. It's about whether surveillance tool vendors will be required to meet uniform standards across all markets or whether they can maintain a tiered system where accountability depends on political visibility. Right now they're betting on the latter. They're wrong. The window for voluntary consistent policy is closing. After it closes, enforcement will be mandatory, and the current patchwork of selective cutoffs becomes evidence of bad faith.

Cellebrite's Serbia cutoff appeared to mark a turning point in surveillance tool vendor accountability. Instead, it reveals the opposite: selective enforcement is becoming the norm, driven by media attention rather than policy. For decision-makers, this means procurement now carries documented reputational risk. For investors, this signals that the current self-regulatory model is unsustainable—regulatory mandates for consistent enforcement are coming, and companies operating today's patchwork approach will face liability. The question isn't whether accountability will be enforced; it's whether vendors will establish consistent standards voluntarily before regulators make it mandatory.