
The ‘Encro’ Hack – Early Reflections

13th July 2020

Luke Smith, a paralegal for Hughmans Solicitors, sets out some early reflections on the hacking of the EncroChat network. Our lawyers are currently dealing with a number of clients affected by recent developments.

Millions of private messages obtained by European law enforcement agencies are evidence of the “global scope of serious and organised crime” say police and prosecutors. Legal questions concerning how the system was ‘cracked’ have a correspondingly trans-national dimension.

Earlier this year EncroChat customers received a startling message. “Today we had our domains seized illegally by Government entities” the notification read, marking the beginning of the end for the telecommunications platform that had, according to police, become a haven for serious organised criminals. Reportedly developed for privacy-conscious celebrities, EncroChat offered “military grade” encrypted messaging. The “equivalent of a regular conversation between two people in an empty room” promised its (now defunct) website in March. By June it was clear the room had a backdoor.

In the weeks following the closure of EncroChat, French and Dutch authorities, along with Europol and Eurojust, held a joint press conference revealing that in 2019 the Gendarmerie had cracked the encrypted messaging system. They had achieved this by covertly installing a “technical tool” which enabled the authorities to peel away the layers of protection which were supposed to secure a user’s privacy. Messages could no longer be wiped, passwords were vulnerable to capture, data was cloned. Designed to be both surreptitious and defensive, the tool was able to conceal itself in order to evade both detection and attempts by EncroChat at remote deletion. According to police, for some time the ‘empty room’ EncroChat promised had in fact been home to a hidden intruder that resisted expulsion. As a result, authorities say that they were able to “intercept, share and analyse millions of messages that were exchanged between criminals to plan serious crimes.”

Operation Venetic, the UK enforcement response, has thus far led to over 700 arrests and a haul of £54 million in cash, 77 firearms, and over two tonnes of drugs. The National Crime Agency has said that it has “punched holes in the UK organised crime networks” in what it described as “the biggest and most significant operation of its kind in the UK.”

Though the details of the EncroChat hack are yet to be established, the multi-agency investigation has a substantial European dimension which necessarily raises legal issues within national and international contexts, including European Union (EU) law, the European Convention on Human Rights (ECHR), and the UK’s own legislative framework governing surveillance.

European Union Law

In the joined cases C-698/15 (Watson, Brice and Lewis) v Secretary of State for the Home Department and C-203/15 Tele2 Sverige AB v Post- och Telestyrelsen the Court of Justice of the European Union (CJEU) ruled that the general and indiscriminate retention of data of all subscribers and registered users relating to means of electronic communications was unlawful. The opinion of the Advocate General opens quoting James Madison warning of the difficulty governments face in controlling both the governed and themselves. This concern is reflected in a series of conditional obligations set out by the AG that member states must abide by to ensure the practice of covert surveillance is consistent with EU law. The Grand Chamber agreed, holding that data retention must be undertaken for specific purposes, such as fighting serious crime, and that access to said data must be subject to administrative review. Member states of the EU are bound by the acquis communautaire – the body of law comprising the treaties, legislation and judgments of the CJEU. The doctrine of the supremacy of EU law, established in Van Gend en Loos v Nederlandse Administratie der Belastingen (Case C-26/62) [1963] ECR 1, holds that where national law conflicts with EU law the former is subordinate to the latter. Authorities claim that “[EncroChat] data was captured on the basis of the provisions of French law.” Whether the capture of data was consistent with EU law is yet to be determined.

The European Convention on Human Rights

Methods of surveillance such as the interception of communication appear on their face to infringe Article 8 ECHR, which places an obligation upon states to respect an individual’s ‘private and family life, his home and his correspondence.’ In a series of cases including Klass and Others v Germany A 28 (1977); 2 EHRR 214 and Malone v UK A 82 (1984); 7 EHRR 14 the ECtHR ruled that national laws that permit the practice of phone tapping could infringe Article 8 if those laws lacked sufficient safeguards. The Court has recognised the needs of national security and the prevention of crime as legitimate purposes for which covert surveillance may be undertaken. However, as demonstrated in Kopp v Switzerland 1998-II; 27 EHRR, and Niedbala v Poland hudoc (2000), the ECtHR will consider issues of legality and necessity in cases involving interception. The influence of the ECtHR on national legislation is clear when considering the seminal role played by the Strasbourg Court in the development of the UK’s own legislative framework governing surveillance.

UK Law

Much of the UK’s statutory regime regulating surveillance came about in response to or anticipation of rulings from the ECtHR. In Malone v Metropolitan Police Commissioner [1979] Ch 344 the Court held that, generally, there was no right to privacy in English law. However, when the ECtHR considered the case it found that the interception was not in accordance with Article 8 of the ECHR. The resulting national legislation – the Interception of Communications Act 1985 – was the first piece of the UK’s nascent statutory framework governing surveillance. This body of law has since grown significantly and today encompasses methods of surveillance both covert and intrusive. The collection and retention of data by interceptive means is governed by the Investigatory Powers Act 2016 (IPA 2016) which partially repealed the Regulation of Investigatory Powers Act 2000 (RIPA 2000), and associated Codes of Practice. Aspects of RIPA 2000 were found to be incompatible with Articles 8 and 10 ECHR in Big Brother Watch and Others v UK (Application nos. 58170/13, 62322/14 and 24960/15). In that case, however, the Court held that the bulk interception of communications per se was legitimate. Other methods of covert, intrusive, and device-assisted surveillance are governed by statutes such as Part 2 of RIPA 2000 and the Police Act 1997. As such, establishing the method used to obtain evidence in legal proceedings that may flow from EncroChat will determine which area of the law shall apply. For example, evidence obtained by interceptive methods is subject to Section 56 of the IPA 2016 which sets out circumstances in which such evidence may not be adduced. More generally, Section 78 of the Police and Criminal Evidence Act 1984 (PACE 1984) provides that the court may refuse to allow evidence if, having regard to the circumstances in which the evidence was obtained, it appears to adversely affect the fairness of the trial.

The scope of the response by law enforcement agencies across Europe to the EncroChat hack is unprecedented. The apparent basis of this action – messages collected from the EncroChat encrypted messaging system – raises issues in areas of national and international law. Prosecuting authorities may face challenges as to the legality and necessity of the practices employed to capture EncroChat data and whether these methods were consistent with obligations under EU, ECHR, and relevant national law.

References

Articles

Cox, J (2020) How Police Secretly Took Over a Global Phone Network for Organised Crime https://www.vice.com/en_uk/article/3aza95/how-police-secretly-took-over-a-global-phone-network-for-organised-crime [Online] Accessed 12 July 2020.

Eurojust, (2020) Dismantling of an encrypted network sends shockwaves through organised crime groups across Europe

http://curia.europa.eu/juris/document/document.jsf?text=&docid=181841&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=562479 [Online] Accessed 12 July 2020

Hughes, J (2019) The £3,000 a year encrypted mobile phones with ‘kill pills’ being used by Gloucestershire drugs gangs. https://www.gloucestershirelive.co.uk/news/gloucester-news/3000-year-encrypted-mobile-phones-2883942 [Online] Accessed 12 July 2020

National Crime Agency, (2020) NCA and police smash thousands of criminal conspiracies after infiltration of encrypted communication platform in UK’s biggest ever law enforcement operation. https://www.nationalcrimeagency.gov.uk/news/operation-venetic [Online] Accessed 12 July 2020.

Traynor, L (2020) Secret messages reveal crime kingpins panicking as police EncroChat net closed around them https://www.liverpoolecho.co.uk/news/liverpool-news/secret-messages-reveal-crime-kingpins-18545236 [Online] Accessed 12 July 2020.

Websites

https://web.archive.org/web/20190304151845/https:/encrophone.com/en/ [Online] Accessed 12 July 2020.

Legislation

Interception of Communications Act 1985 c. 56

Investigatory Powers Act 2016 c. 25

Police Act 1997 c. 50

Police and Criminal Evidence Act 1984 c. 60

Regulation of Investigatory Powers Act 2000 c. 23

International instruments

The European Convention on Human Rights

Cases

Big Brother Watch and Others v UK (Application nos. 58170/13, 62322/14 and 24960/15).

C-698/15 (Watson, Brice and Lewis) v Secretary of State for the Home Department and C-203/15 Tele2 Sverige AB v Post- och Telestyrelsen

Klass and Others v Germany A 28 (1977); 2 EHRR 214

Kopp v Switzerland 1998-II; 27 EHRR

Malone v Metropolitan Police Commissioner [1979] Ch 344

Malone v UK A 82 (1984); 7 EHRR 14

Niedbala v Poland hudoc (2000)

Van Gend en Loos v Nederlandse Administratie der Belastingen (Case C-26/62) [1963] ECR 1
