UK courts face evidence ‘black hole’ over police EncroChat mass hacking
French investigators have refused to disclose how they downloaded millions of messages from a supposedly secure cryptophone network used by organised criminals – leaving UK courts to grapple with a forensic ‘black hole’ of evidence
Computer forensic and legal experts have questioned the “black hole” of evidence that surrounds intercepted communications from the encrypted phone network EncroChat used in evidence against organised crime groups across the UK.
They claim that law enforcement and prosecutors have not followed long-established forensic principles – potentially undermining evidence being used in prosecutions of people accused of using EncroChat to organise serious crimes.
French investigators broke the supposedly secure EncroChat encrypted mobile phone network which was used by 50,000 people worldwide, including 9,000 in the UK, in April last year, but have refused to disclose how they did it, citing national security.
The UK’s National Crime Agency (NCA), which received intercept evidence from the French gendarmerie through Europol, has made more than 1,550 arrests.
The NCA has refused to disclose how many people have been charged for crimes as a result of Operation Venetic, its investigation into EncroChat, but it emerged last week that about 450 defendants are challenging their prosecutions.
Duncan Campbell, who acted as a forensic expert in the first review of EncroChat evidence, told an online seminar last week that the way the cases have been brought presents “a profound challenge to long-established computer forensic evidence principles”.
The principles, laid out in the Good practice guide for computer-based electronic evidence produced by the Association of Chief Police Officers (ACPO) – now known as the National Police Chiefs’ Council – are designed to maintain the integrity and continuity of electronic evidence.
For example, they require investigating authorities to commission an independent audit covering how data was created and preserved, how it was acquired, what was done to make it secure, and to protect data from being maliciously changed.
In the case of EncroChat, however, Campbell said: “What we know about the exact mechanism, officially how the data was captured, is a large black hole. Not a single one of these principles can be applied – every one of them is breached.”
Brexit meant UK had to seek permission to work with French
As a direct consequence of Brexit, the UK was unable to take part directly in a joint operation with the French and Dutch authorities to harvest data from EncroChat.
That led to the NCA having to obtain a European Investigation Order on 11 March 2020 to request access to data obtained by the French gendarmerie.
The order allowed the NCA to receive millions of messages, photographs and notes stored on EncroChat phones, channelled in daily batches through the Large File Exchange (LFE) of Europol’s SIENA computer system.
How the French extracted the information has not been disclosed in the UK courts, for “defence security” reasons, leaving a significant gap in the evidence chain.
The Court of Appeal found, in a controversial decision on 6 February 2021, that messages harvested from the EncroChat phone network through “digital phone tapping” were admissible in UK courts, overturning previous legal precedents.
Juries may now face difficult decisions when asked to decide the guilt or innocence of people based on exfiltrated messages from EncroChat phones.
Campbell, speaking at a seminar organised by Fair Trials, said jurors may feel “repugnance” about convicting defendants based on claims about intercept material supplied by another country, in the absence of corroborating evidence.
Expert questions reliability of EncroChat intercept
Peter Sommer, professor of digital forensics at Birmingham City University, speaking at an earlier seminar organised by 25 Bedford Row on 3 March 2021, said there was “no continuity of evidence and no testable provenance” of the intercept material delivered by Europol to the NCA.
Guidelines on the reliability of evidence, including guidance by the UK’s forensic science regulator and the European Telecommunications Standards Institute (ETSI), have not been followed, leaving questions about the reliability of the EncroChat evidence, said Sommer.
EncroChat messages analysed by forensic experts and lawyers show “duplicated files or astonishing gaps”, messages that are bunched up in time, and in other cases defendants are saying that messages are missing, he said.
ACPO principles for digital evidence
1. No action should be taken by law enforcement that would change data.
Unknown: No information is available whether this principle has been complied with.
2. The person accessing original data must be competent and should be able to give evidence about their actions.
Fail: The French gendarmerie has refused to disclose how the intercept operation took place.
3. There should be an audit trail.
Fail: There is no audit trail of data passed from the French gendarmerie to the NCA.
4. The NCA gold commander in charge of the operation has responsibility for ensuring the ACPO principles are adhered to.
Fail: The gold commander accepted assurances about the data.
Source: Peter Sommer
The reliability tests are not theoretical, said Sommer, who is acting as an expert witness in a number of EncroChat cases. “You can show the anomalies quite easily – and it’s up to the prosecution to explain why they are there,” he added.
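Sommer’s point is that the anomalies he describes (duplicated records, large gaps, messages bunched up in time) can be surfaced mechanically from the delivered batches. The following is an added example, not code from the article or from any of the experts it cites: it runs three such checks over a small constructed message batch, with the thresholds (24-hour gap, five messages within ten seconds) chosen for illustration rather than taken from any standard.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample batch (not real intercept data): (message_id, ISO timestamp, body).
# It deliberately contains one exact duplicate, one ~47-hour gap and one burst of
# five messages inside four seconds, so each check below has something to find.
SAMPLE_BATCH = [
    ("m1", "2020-04-01T10:00:00", "alpha"),
    ("m2", "2020-04-01T10:02:00", "bravo"),
    ("m2", "2020-04-01T10:02:00", "bravo"),   # duplicate record
    ("m3", "2020-04-01T10:03:00", "charlie"),
    ("m4", "2020-04-03T09:00:00", "delta"),   # follows a gap of almost two days
    ("m5", "2020-04-03T09:00:01", "echo"),
    ("m6", "2020-04-03T09:00:02", "foxtrot"),
    ("m7", "2020-04-03T09:00:03", "golf"),
    ("m8", "2020-04-03T09:00:04", "hotel"),
]


def fingerprint(record):
    """SHA-256 over id, timestamp and body, so byte-identical records collide."""
    msg_id, ts, body = record
    return hashlib.sha256(f"{msg_id}|{ts}|{body}".encode()).hexdigest()


def find_duplicates(batch):
    """Message ids whose full record appears more than once in the batch."""
    counts = Counter(fingerprint(r) for r in batch)
    return sorted({r[0] for r in batch if counts[fingerprint(r)] > 1})


def find_gaps(batch, max_gap=timedelta(hours=24)):
    """Pairs of consecutive timestamps separated by more than max_gap."""
    ts = sorted(datetime.fromisoformat(r[1]) for r in batch)
    return [(a.isoformat(), b.isoformat()) for a, b in zip(ts, ts[1:]) if b - a > max_gap]


def find_bursts(batch, window=timedelta(seconds=10), min_count=5):
    """Sliding window: report spans where >= min_count messages fall within window."""
    ts = sorted(datetime.fromisoformat(r[1]) for r in batch)
    bursts, start = [], 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 >= min_count:
            bursts.append((ts[start].isoformat(), ts[end].isoformat(), end - start + 1))
    return bursts


def audit_batch(batch):
    """Summary a reviewer would attach to a batch before asking the prosecution to explain it."""
    return {"duplicates": find_duplicates(batch), "gaps": find_gaps(batch), "bursts": find_bursts(batch)}
```

A hit from any check is a question for the party that supplied the data, not proof of tampering; the point is that the check is reproducible by either side.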
The UK had not been provided with full disclosure or detailed technical evidence from the French about how data was obtained, said Sommer. “We would like the server, we would like the handset, we would like the implant to observe what’s going on. We don’t have any of that”.
Questions have been raised about how the data was handled when the NCA passed it on to regional organised crime units.
But there are no issues with how the NCA handled the data, said the experts. “I would say they seem to have handled it according to really good principles,” said Campbell. “They make mistakes, they correct them, they tell us.”
Can phones be linked to suspects?
The success of prosecutions will depend on whether law enforcement officers can attribute incriminating messages or photographs harvested from EncroChat to individuals accused of crime.
By analysing a phone’s connections with cell towers, it is possible, for example, to identify that the owner was driving along a motorway.
“If it then turns out that, at the end of the motorway and at the beginning, there is a capture of my number plate, then the attribution becomes extremely strong,” said Campbell.
Another technique police are using is to match photographs harvested from EncroChat phones showing, for example, drugs on a table or in an outhouse, by comparing them with tables and outhouses photographed during raids.
Four standards for digital evidence that were not followed over EncroChat
- Criminal Procedure rule 19, which deals with expert evidence.
- Forensic science regulator’s code of practice and conduct requires independent validation of evidence.
- ISO 17205, a standard for testing laboratories.
- ETSI Standards for Telecommunication Evidence require audit trails to show warranting authority, all activities and procedures and tamper-proof records.
Source: Peter Sommer
Police may also have information or covert pictures from informers, or may have planted bugs in suspects’ houses, which can be matched up with the EncroChat evidence, he said.
The NCA applied for a targeted equipment interference warrant to harvest millions of messages from the EncroChat phones.
It used the assertion that EncroChat was overwhelmingly used for organised crime, money laundering and drug dealing as a legal basis for applying for a Targeted Equipment Interference (TEI) warrant.
“The police took a chance by surfing on probably incomplete evidence that every user or virtually every user of an EncroChat phone appeared to be playing a role in some kind of crime,” said Campbell.
They appear to have “lucked out” on the decision, he added, with no examples yet emerging of film stars or other privacy-concerned individuals using the phone network for non-criminal purposes.
Timeline of police action against EncroChat and Sky ECC
- Cops take out encrypted comms to disrupt organised crime – In July 2020, after French and Dutch authorities had gained access to the encrypted EncroChat network, the NCA and its counterparts worked to disrupt the serious and organised criminal networks using the platform.
- Appeal court finds ‘digital phone tapping’ admissible in criminal trials – On 6 February 2021, judges decided that, despite UK law prohibiting law enforcement agencies from using evidence obtained from interception in criminal trials, communications collected by French and Dutch police from EncroChat using software “implants” were admissible evidence in British courts.
- Belgian police raid 200 premises in drug operation linked to breach of encrypted phone network – On 9 March 2021, Belgian police raided 200 premises after another encrypted phone network with parallels to EncroChat, Sky ECC, was compromised, in what prosecutors described as one of the biggest police operations conducted in the country.
- Arrest warrants issued for Canadians behind Sky ECC cryptophone network used by organised crime – Following the international police operation to penetrate the Sky ECC network and harvest “hundreds of millions” of messages, a federal grand jury in the US indicted Sky Global’s Canadian CEO, Jean-François Eap, along with former phone distributor Thomas Herman, for racketeering and knowingly facilitating the import and distribution of illegal drugs through the sale of encrypted communications devices.
- Judges refuse EncroChat defendants’ appeal to Supreme Court – In early March, judges refused defendants leave to challenge the admissibility in UK courts of message communications collected by French cyber police from the encrypted phone network EncroChat. Computer forensic experts working on EncroChat cases said that decision should trigger a wider review of the “far-reaching effects” the legal decision by the Court of Appeal would have on the role of communications interception in future cases.