Judges have refused defendants leave to challenge the admissibility in UK courts of message communications collected by French cyber police from the encrypted phone network EncroChat.
The Court of Appeal ruled on 3 March 2021 that there was no “point of law of general public importance” that would justify referring the Appeal Court’s decision to allow the intercepted communications to be used as evidence to the Supreme Court.
Computer forensic experts working on EncroChat cases say that decision should trigger a wider review of the “far-reaching effects” the legal decision by the Court of Appeal will have on the role of communications interception in future cases.
Duncan Campbell and Ian Brown were the only computer forensic expert witnesses for the first evidence review of police use of data hacked from the ultra-secure EncroChat phone network, held in November and December 2020.
In an analysis published here, they say legal and technical issues highlighted by the Appeal Court’s decision should now be considered by Parliament’s Intelligence and Security Committee (ISC) and the Investigatory Powers Tribunal, including the legal definition of data “transmission”.
‘Questions call out’ for parliamentary and legal review
“These decisions have fundamental and far-reaching effects on the legal role of interception in future UK investigations and cases,” Campbell and Brown said in an article for Computer Weekly. “Parliament and judges will have to address the new and unresolved uncertainties about the legal meaning of ‘transmission’.
“These questions call out for the Intelligence and Security Committee and the Investigatory Powers Tribunal to take a detailed look at the technical and legal issues raised, and to make them clear.”
Police have made more than 1,000 arrests in the UK after French investigators infected EncroChat phones around the world with a software “implant” that covertly harvested messages and data from tens of thousands of phones.
Secure messages obtained through ‘equipment interference’
The ruling follows a decision by the Court of Appeal on 5 February 2021 that communications harvested by the French gendarmerie and shared with the UK’s National Crime Agency were obtained lawfully.
Giving the verdict in Court 4 of the Royal Courts of Justice, Justice Edis said the defendants’ case was “obviously unarguable” and was “simply wrong”.
Quoting from the Appeal Court judgment, he said the expert evidence on which the appellants were relying contained an “obvious error of language and analysis”.
Law enforcement agencies are prohibited by law from using evidence obtained through interception in criminal trials in the UK.
But three Appeal Court judges found in February that communications from the EncroChat network had not been intercepted, but had been obtained through “equipment interference” – or hacking.
The appeal hinged on Section 4 of the Investigatory Powers Act 2016, also known as the Snooper’s Charter, which applies different legal regimes to communications intercepted in “real time” and to data obtained through equipment interference.
Communications were not intercepted
In a controversial decision, the Appeal Court found in February that the EncroChat material was not obtained through interception.
Judges ruled that it was obtained by remotely interrogating the random access memory (RAM) of the phone, and so could be lawfully obtained under a targeted equipment interference (TEI) warrant obtained by the NCA and used as evidence in court.
The case, which is subject to reporting restrictions, is the first EncroChat prosecution to go to the Court of Appeal, but lawyers expect other cases to follow.
Defence barrister Matthew Ryder QC said on Twitter after the verdict that the Appeal Court’s decision does not prevent further legal arguments and future potential appeals as EncroChat cases continued to be heard in the lower courts.
Two-stage attack
A joint investigation team of French and Dutch investigators harvested tens of thousands of messages by cracking the EncroChat phone network last year during Operation Emma.
It emerged that the French gendarmerie infiltrated EncroChat servers in Roubaix, France, and used them to send a software implant to phone users worldwide, under the guise of a software update.
During phase one of the attack, French investigators were able to harvest historic messages, notes and photographs that had been stored on the phones.
During phase two, investigators used the implant to sweep up large volumes of text messages from phone users around the world, storing them on a server at CN3, the French digital crime unit.
The UK’s NCA issued a European investigation order requesting copies of messages sent by phone users in the UK.
French investigators assembled digital packages of evidence and passed them to Europol, which identified messages sent by EncroChat phones in the UK. The NCA was able to download the data using Europol’s Large File Exchange service.
The French authorities have not disclosed how the implants planted on EncroChat phones worked, citing national security reasons.
The network was found to have 60,000 users worldwide and about 10,000 in the UK.
The operators of EncroChat charged up to £1,500 for a six-month contract on one of their £2,500 handsets, which came with pre-loaded instant messaging apps, encrypted VoIP and a remote kill switch to wipe them. They warned users that the network had been compromised on 13 June 2020.
NCA claims sole use of EncroChat was criminal
The UK’s NCA has alleged that the sole use of EncroChat was to coordinate and plan the distribution of illicit commodities and money laundering, and had been used by some criminals for plotting to kill rivals.
Speaking last Friday, Lord Burnett of Maldon, Justice Edis and Justice Whipple said in their ruling: “The court concludes that the principal question admits to only one answer, that there is no point of law of general public importance involved in this decision.”
In a related operation, police in Belgium, France and the Netherlands last week broke into another encrypted mobile phone network, Sky ECC, following two and a half years of planning, and were able to harvest hundreds of thousands of messages that their users believed were protected by encryption.
Belgian and Dutch police conducted raids on 11 March 2021, seizing drugs, luxury cars and firearms, following a joint investigation between police forces in the three countries.
Law enforcement agencies said they had been able to monitor the information flow of 70,000 users of Sky ECC phones since mid-February.
Many users of Sky ECC had switched over from EncroChat after the EncroChat compromise became public in June 2020, European policing agency Europol said in a statement.
Europol, which co-ordinated investigations into both cryptophone networks, said three million messages were exchanged each day on Sky ECC, with more than 20% of users based in Belgium and the Netherlands.
Eurojust, the European Union Agency for Criminal Justice, said in a statement that it had hosted 12 coordination meetings over the operation to infiltrate Sky ECC. It had previously hosted meetings between French gendermarie, Dutch police, prosecutors and the UK’s NCA to discuss plans to infiltrate EncroChat.
The US has issued an indictment and arrest warrants for Jean-François Eap, CEO of Sky Global, which ran the phone network, and Thomas Herman, a former phone distributor, for racketeering and knowingly facilitating the import and distribution of illegal drugs through the sale of encrypted communications devices.
