Ruslan Grumble - Fotolia

EncroChat: Appeal court finds ‘digital phone tapping’ admissible in criminal trials

Appeal Court decides EncroChat-encrypted phone records can be used in criminal trials. Critics say the decision means phone tapping no longer has a ‘clear meaning in the digital age’

Judges have decided that communications collected by French and Dutch police from the encrypted phone network EncroChat using software “implants” are admissible evidence in British courts.

Police have made more than 1,000 arrests in the UK after the EncroChat phone network was compromised by French and Dutch investigators.

UK law prohibits law enforcement agencies from using evidence obtained from interception in criminal trials.

But three judges found on 5 February 2021 that material gathered by French and Dutch investigators and passed to the UK’s National Crime Agency (NCA) were lawfully obtained through “equipment interference”.

“Today’s verdict implies that intercepting, or ‘tapping’ – copying other people’s live private calls and messages – has no clear meaning in the digital age,” said Duncan Campbell, who acted as a forensic expert in the case for defendants, speaking after the verdict.

“If upheld, the ruling appears to mean that tapping is only now tapping if a radio, cable or optical signal is split and copied, but not if data is copied from temporary memory. The consequences from this will be significant,” he said.

Computer Weekly is able to report legal arguments around the case for the first time today following the removal of some previous reporting restrictions imposed in the case.

Ban on intercept evidence

Historically, the UK has prevented the use of intercepted communications as legal evidence in court and has restricted its use to intelligence gathering in order to protect the secrecy of surveillance methods.

This contrasts with most other countries, including France and the Netherlands, which routinely permit the use of intercept material in court.

However, the Investigatory Powers Act 2016 – known as the Snoopers’ Charter – also allows communications obtained from mobile phones and computer equipment to be used in evidence, if they are obtained by “equipment interference” – equivalent to hacking a computer.

“It would appear that Parliament has decided that the need to keep the techniques used in the interception communications secret does not extend to techniques used in extracting data from equipment even if they may recover communications,” the judges wrote.

Was the communication stored when intercepted?

The three judges said that the question they needed to answer to determine the admissibility of messages from EncroChat as evidence was whether the communications were stored “in or by the system” at the time they were intercepted.

They dismissed arguments from expert witnesses that law enforcement obtained messages from EncroChat phones while the communications were being transmitted, rather than in storage.

Lord Burnett of Maldon, Justice Edis and Justice Whipple found that while the experts had an important role in explain how a system works, they had “no role whatever in construing an Act of Parliament”.

“They appear to have assumed that because a communication appears in RAM [computer memory] as an essential part of the process which results in transmission it did so while ‘being transmitted’,” they said. “That is an obvious error of language and analysis.”

The judges compared the transmission of a message on EncroChat to sending a letter. That requires a letter to be written, put in an envelope, have a stamp attached to it and to be placed in a post box. “Only the last act involves the letter being transmitted by a system,” they said.

The judges said it was not necessary for them to define exactly where transmission starts and ends: “We do not accept that transmission of the communication started when the use pressed ‘send’.”

They added that data taken from the EncroChat phones, was “not what has been transmitted, but a copy of it or what, in older forms of messaging, might be described as a draft”.

The appeal court decided that “all forms of storage are caught by the Investigatory Powers Act, whether or not they enable the intended recipient to access the communication,” said Campbell.

Data in a type of communication such as a mobile call typically spends 99.9% of its transmission time at rest in some format, in hundreds of memory storage locations, in dozens of en-route devices, he said.

Implants allowed French and Dutch to access cryptophones

A joint investigation team (JIT) of French and Dutch law enforcement officers was able to penetrate the EncroChat network by installing “implants” on tens of thousands of mobile phone handsets. The French authorities have not disclosed how implants planted on EncroChat phones worked.

The phone network was found to have 60,000 users world wide and about 10,000 in the UK, Computer Weekly has reported.

The operators of EncroChat charged up to £1,500 for a six-month contact of one of their £2,5000 handsets, which came with pre-loaded instant messaging apps, encrypted VoIP and a remote kill switch to wipe them. They warned users that the network had been compromised on 13 June 2020.

The UK’s National Crime Agency (NCA) said that the sole use of EncroChat was for coordinating and planning the distribution of illicit commodities and money laundering, and had been used by some criminals for plotting to kill rivals.

Lawyers representing defendants said in their grounds for appeal that communications from EncroChat were intercepted while they were in transmission, rather than while they were being stored in the handsets.

They also questioned the validity of the Targeted Equipment Interference (TEI) warrant used by the UK, arguing that the UK had made a request for assistance from the French in connection with the interception of communications when there was no mutual assistance warrant authorising the making of that request.

The judges found that previous decisions made by courts on interception were not relevant as they had been “decided under different statutory regimes”, adding that the Investigatory Powers Act 2016 was a new statue “on which there is no relevant authority”.

The judges found that communications passed on from the French and the Dutch to the UK were obtained not while they were being transmitted, but while they were stored. “That being so the appeal is dismissed,” they said.

Eric Kind, a visiting lecturer at Queen Mary University London specialising in criminal justice and surveillance technologies, and director of data rights agency AWO, said that the verdict was likely to be appealed.

“The court today has given the green light for this new kind of hacked material to be used in evidence, concluding material obtained using such means wasn’t intercepted. The big question is whether this will be appealed given the ramifications for so many future trials,” he said.

EncroChat evidence ‘improperly and illegally obtained’

Patrick Madden, solicitor with Madden & Finucane, who is representing defendants in Northern Ireland, said there were grave concerns over the lack of transparency by the French authorities over how they carried out the infiltration of the EncroChat phone network.  

Because of national security grounds, “It has not been disclosed how the implanted bugs actually infiltrated the EncroChat network,” he said in a statement. The French authorities are unable to give evidence in court.

Madden said there were also concerns over the reliability of the raw data relied on by the NCA to bring prosecutions.

“We have grave and fundamental objections in respect of how this material was obtained. We consider that it is improperly and illegally obtained evidence,” he said.

The court of appeal’s decision is binding in England, but only “persuasive” in Northern Ireland, leaving scope for further legal challenges.

Read more about data privacy

Read more on Smartphone technology

Data Center
Data Management