Luke Smith, a paralegal for Hughmans Solicitors, sets out some early reflections on the hacking of the EncroChat network. Our lawyers are currently dealing with a number of clients affected by recent developments.
Millions of private messages obtained by European law enforcement agencies are evidence of the “global scope of serious and organised crime”, say police and prosecutors. Legal questions concerning how the system was ‘cracked’ have a correspondingly trans-national dimension.
Earlier this year EncroChat customers received a startling message. “Today we had our domains seized illegally by Government entities”, the notification read, marking the beginning of the end for the telecommunications platform that had, according to police, become a haven for serious organised criminals. Reportedly developed for privacy-conscious celebrities, EncroChat offered “military grade” encrypted messaging. The “equivalent of a regular conversation between two people in an empty room”, promised its (now defunct) website in March. By June it was clear the room had a backdoor.
In the weeks following the closure of EncroChat, French and Dutch authorities, along with Europol and Eurojust, held a joint press conference revealing that in 2019 the Gendarmerie had cracked the encrypted messaging system. They had achieved this by covertly installing a “technical tool” which enabled the authorities to peel away the layers of protection which were supposed to secure a user’s privacy. Messages could no longer be wiped, passwords were vulnerable to capture, data was cloned. Designed to be both surreptitious and defensive, the tool was able to conceal itself in order to evade both detection and attempts by EncroChat at remote deletion. According to police, for some time the ‘empty room’ EncroChat promised had in fact been home to a hidden intruder that resisted expulsion. As a result, authorities say that they were able to “intercept, share and analyse millions of messages that were exchanged between criminals to plan serious crimes.”
Operation Venetic, the UK enforcement response, has thus far led to over 700 arrests and a haul of £54 million in cash, 77 firearms, and over two tonnes of drugs. The National Crime Agency has said that it has “punched holes in the UK organised crime networks” in what it described as “the biggest and most significant operation of its kind in the UK.”
Though the details of the EncroChat hack are yet to be established, the multi-agency investigation has a substantial European dimension which necessarily raises legal issues within national and international contexts, including European Union (EU) law, the European Convention on Human Rights (ECHR), and the UK’s own legislative framework governing surveillance.
European Union Law
In the joined cases C-698/15 (Watson, Brice and Lewis) v Secretary of State for the Home Department and C-203/15 Tele 2 Sverige AB v Post- och Telestyrelsen, the Court of Justice of the European Union (CJEU) ruled that the general and indiscriminate retention of data of all subscribers and registered users relating to means of electronic communications was unlawful. The opinion of the Advocate General opens by quoting James Madison warning of the difficulty governments face in controlling both the governed and themselves. This concern is reflected in a series of conditional obligations set out by the AG that member states must abide by to ensure the practice of covert surveillance is consistent with EU law. The Grand Chamber agreed, holding that data retention must be undertaken for specific purposes, such as fighting serious crime, and that access to said data must be subject to administrative review. Member states of the EU are bound by the acquis communautaire – the body of law comprising the treaties, legislation and judgments of the CJEU. The doctrine of the supremacy of EU law, established in Van Gend en Loos v Nederlandse Administratie der Belastingen (Case C-26/62)  ECR 1, holds that where national law conflicts with EU law the former is subordinate to the latter. Authorities claim that “[EncroChat] data was captured on the basis of the provisions of French law.” Whether the capture of data was consistent with EU law is yet to be determined.
The European Convention on Human Rights
Methods of surveillance such as the interception of communication appear on their face to infringe Article 8 ECHR, which places an obligation upon states to respect an individual’s ‘private and family life, his home and his correspondence.’ In a series of cases including Klass and Others v Germany A 28 (1977); 2 EHRR 214 and Malone v UK A 82 (1984); 7 EHRR 14, the ECtHR ruled that national laws that permit the practice of phone tapping could infringe Article 8 if those laws lacked sufficient safeguards. The Court has recognised the needs of national security and the prevention of crime as legitimate purposes for which covert surveillance may be undertaken. However, as demonstrated in Kopp v Switzerland 1998-II; 27 EHRR, and Niedbala v Poland hudoc (2000), the ECtHR will consider issues of legality and necessity in cases involving interception. The influence of the ECtHR on national legislation is clear when considering the seminal role played by the Strasbourg Court in the development of the UK’s own legislative framework governing surveillance.
Much of the UK’s statutory regime regulating surveillance came about in response to or anticipation of rulings from the ECtHR. In Malone v Metropolitan Police Commissioner  Ch 344 the Court held that, generally, there was no right to privacy in English law. However, when the ECtHR considered the case it found that the interception was not in accordance with Article 8 of the ECHR. The resulting national legislation – the Interception of Communications Act 1985 – was the first piece of the UK’s nascent statutory framework governing surveillance. This body of law has since grown significantly and today encompasses methods of surveillance both covert and intrusive. The collection and retention of data by interceptive means is governed by the Investigatory Powers Act 2016 (IPA 2016), which partially repealed the Regulation of Investigatory Powers Act 2000 (RIPA 2000), and associated Codes of Practice. Aspects of RIPA 2000 were found to be incompatible with Articles 8 and 10 ECHR in Big Brother Watch and Others v UK (Application nos. 58170/13, 62322/14 and 24960/15). In that case, however, the Court held that the bulk interception of communications per se was legitimate. Other methods of covert, intrusive, and device-assisted surveillance are statutorily governed by provisions such as Part 2 of the RIPA 2000 and the Police Act 1997. As such, establishing the method used to obtain evidence in legal proceedings that may flow from EncroChat will determine which area of the law shall apply. For example, evidence obtained by interceptive methods is subject to Section 56 of the IPA 2016, which sets out circumstances in which such evidence may not be adduced. More generally, Section 78 of the Police and Criminal Evidence Act 1984 (PACE 1984) provides that the court may refuse to allow evidence if, having regard to the circumstances in which the evidence was obtained, it appears to adversely affect the fairness of the trial.
The scope of the response of law enforcement agencies across Europe to the EncroChat hack is unprecedented. The apparent basis of this action – messages collected from the EncroChat encrypted messaging system – raises issues in areas of national and international law. Prosecuting authorities may face challenges as to the legality and necessity of the practices employed to capture EncroChat data and whether these methods were consistent with obligations under EU, ECHR, and relevant national law.
Cox, J (2020) How Police Secretly Took Over a Global Phone Network for Organised Crime https://www.vice.com/en_uk/article/3aza95/how-police-secretly-took-over-a-global-phone-network-for-organised-crime [Online] Accessed 12 July 2020.
Eurojust, (2020) Dismantling of an encrypted network sends shockwaves through organised crime groups across Europe
Hughes, J (2019) The £3,000 a year encrypted mobile phones with ‘kill pills’ being used by Gloucestershire drugs gangs. https://www.gloucestershirelive.co.uk/news/gloucester-news/3000-year-encrypted-mobile-phones-2883942 [Online] Accessed 12 July 2020
National Crime Agency, (2020) NCA and police smash thousands of criminal conspiracies after infiltration of encrypted communication platform in UK’s biggest ever law enforcement operation. https://www.nationalcrimeagency.gov.uk/news/operation-venetic [Online] Accessed 12 July 2020.
Traynor, L (2020) Secret messages reveal crime kingpins panicking as police EncroChat net closed around them. https://www.liverpoolecho.co.uk/news/liverpool-news/secret-messages-reveal-crime-kingpins-18545236 [Online] Accessed 12 July 2020.
https://web.archive.org/web/20190304151845/https:/encrophone.com/en/ [Online] Accessed 12 July 2020.
Interception of Communications Act 1985 c. 56
Investigatory Powers Act 2016 c. 25
Police Act 1997 c. 50
Police and Criminal Evidence Act 1984 c. 60
Regulation of Investigatory Powers Act 2000 c. 23
The European Convention on Human Rights
Big Brother Watch and Others v UK (Application nos. 58170/13, 62322/14 and 24960/15).
C-698/15 (Watson, Brice and Lewis) v Secretary of State for the Home Department and C-203/15 Tele 2 Sverige AB v Post- och Telestyrelsen
Klass and Others v Germany A 28 (1977); 2 EHRR 214
Kopp v Switzerland 1998-II; 27 EHRR
Malone v Metropolitan Police Commissioner  Ch 344
Malone v UK A 82 (1984); 7 EHRR 14
Niedbala v Poland hudoc (2000)
Van Gend en Loos v Nederlandse Administratie der Belastingen (Case C-26/62)  ECR 1