William - stock.adobe.com
Defence lawyers claim that investigators had access to a “master encryption key” that allowed them to decrypt millions of messages from the EncroChat encrypted phone network.
The claim is the latest challenge to more than 250 prosecutions that are under way in the UK following a joint operation by French and Dutch police to infiltrate the EncroChat network used by organised criminals.
The defence theory comes amid what experts have described as a “black hole” of evidence over how French investigators obtained and decrypted messages from the EncroChat network.
Despite repeated requests from the Crown Prosecution Service, representatives from the French Gendarmerie have refused to give evidence about the interception of EncroChat in UK courts, citing defence secrecy.
“We suggest that a court could only ever make a finding to a criminal standard if the prosecution were able to call direct evidence from the French and the Dutch,” said one defence lawyer.
Prosecutors argue that investigators for the French Gendarmerie’s digital crime unit, C3N, in Pontoise on the outskirts of Paris, were able to bypass the encryption of the EncroChat phones by taking messages directly from the phones before they had been encrypted.
The claim was supported by the Court of Appeal, which found on 5 February 2021 that material gathered by French and Dutch investigators and passed to the UK’s National Crime Agency (NCA) had been lawfully obtained through “targeted equipment interference” warrants.
But defence lawyers have used the same evidence to develop an alternative scenario, which they claim is more persuasive than the prosecution theory. Prosecution experts have agreed that the theory is possible.
According to the defence theory, French technical experts were able to replace the encryption mechanism used in EncroChat phones to enable them to decrypt messages as they passed through EncroChat’s server.
Experts at the Gendarmerie’s Centre for Combating Digital Crime (C3N) were able to gain access to EncroChat’s servers, housed at French datacentre provider OVH in Roubaix.
They were able to reverse engineer them and build a replica of EncroChat servers using a large network of virtual machines, according to the defence hypothesis. Messages were redirected to C3N infrastructure by a “load balancer” installed by French investigators.
Defence lawyers claim that C3N used an update on 1 April 2020 to replace the random number generator, which was used in the phone app to create secure encryption keys, with a corrupted random number generator.
This had the effect of compromising EncroChat’s encryption mechanism, which was based on the Signal Protocol used in applications such as WhatsApp and the Signal messaging app.
French investigators were able to download “ratchet” values used in the Signal Protocol, from the memory of infected phones to enable them to decrypt messages when they arrived on the EncroChat server.
A press release issued by the Netherlands Forensic Institute in April 2021 claimed French cyber experts were able to “read messages on the EncroChat server”.
Sky ECC and An0m
The defence theory has parallels with a Belgian and Dutch operation against another encrypted phone network, Sky ECC, in March this year.
Belgian and Dutch police told a press conference on 10 March 2021 that they had intercepted more than one billion encrypted messages from the Sky ECC cryptophone network and had decrypted half of them.
In June, it emerged that the FBI and the Australian Federal Police had access to the “master encryption key” for another encrypted phone network, known as An0m or Anom.
Police investigators covertly distributed the app to organised crime groups who were unaware that the FBI could read encrypted messages sent by 9,000 encrypted devices for at least 18 months.
No evidence to support defence hypothesis
Experts have differing opinions on whether police hacked EncroChat in the same way, however.
Jonathan Kinnear QC, who is prosecuting 250 EncroChat cases, told a preparatory hearing that the defence arguments were “nothing more than a theory or hypothesis”.
He added: “There is little or no evidence to support that hypothesis in the way there is a huge weight of evidence supporting the Crown’s position.”
Prosecutors argue that because EncroChat messages were encrypted, the only way they could have been obtained was by exfiltrating them from the handset before encryption, rather than decrypting them from a server.
Miasma of hearsay
Defence lawyers claim that evidence cited by the prosecution on the way the implant worked is based on a “miasma” of hearsay.
They claim that decrypting messages from the server, as proposed in the defence hypothesis, is a more “elegant” technical solution that offered greater security.
Under the prosecution scenario, messages would have to be sent three times, rather than once, increasing the risk that the hacking operation would be discovered.
“If text messages were sent in clear text and metadata were being sent in parallel to the C3N server, then someone with technical knowledge would be able to see that,” said one lawyer.
“It is certainly not the defence case that the prosecution inferences are impossible; just that they can’t be proved.”
A defence lawyer said the prosecution has criticised the defence for not being able to point to evidence, adding: “Of course we can’t – we haven’t been given the implant of the server images and the prosecution don’t have the post-implant server images, so it is no surprise we can’t point to specified evidence.”
Also at issue is whether the collection of data from EncroChat phones was lawful.
The NCA obtained a thematic warrant to obtain messages from 9,000 phones in the UK, but defence lawyers say the warrant was wrongly used for bulk collection of encrypted messages.
“It was casting a drift net as opposed to using a harpoon,” they claim.
It was only after obtaining the warrant that prosecutors were able to justify harvesting messages from 9,000 phones by arguing that the users of EncroChat were largely limited to organised crime groups, it is claimed.
“Although the prosecution can clearly now provide a retrospective justification and base that upon what they found, I would accuse the prosecution of Jesuitical sophistry in relation to that,” said the defence lawyer.
“What happened in relation to this case was completely outside what was meant to be a more limited scope of a targeted equipment interference warrant.”
Is EncroChat admissible?
Defence lawyers are also challenging arguments over the Investigatory Powers Act (IPA) 2016, which regulates surveillance.
Historically, the UK has prevented the use of intercepted communications as legal evidence in court and has restricted its use to intelligence-gathering in order to protect the secrecy of surveillance methods.
Defence lawyers claim it is not clear why Parliament would use the IPA – also know as the snoopers’ charter – to prohibit intercept evidence being used in court if the material was obtained during transmission, but not if it were obtained when stored on an electronic device just before transmission.
As a result, material intercepted as storage just before transmission should not be admissible as evidence, say lawyers.
This would avoid the conclusion that “Parliament did not want to countenance disclosure obligations in one context but were able to do it in another context just because it was stored rather than in transmission”.
The NCA has made more than 1,550 arrests under Operation Venetic working with regional organised crime units and regional police forces.
No date has been set for a verdict.
Read more about EncroChat
- French lawyers claim that investigators are unlawfully withholding details of a cryptophone hacking operation in a case that could impact UK prosecutions
- Lord David Anderson QC warned prosecutors that there were formidable arguments against the lawfulness of a police operation to infiltrate the encrypted phone network, EncroChat
- French lawyers are challenging the legality of a French police operation to harvest tens of thousands of messages from the EncroChat encrypted phone network in a move that could overturn criminal prosecutions in the UK
- The Dutch Public Prosecution Service claims Britain has damaged confidence by disclosing details of an international investigation into the EncroChat encrypted phone network to the courts
- Lawyers claim that public interest immunity certificates may have been used to withhold information on UK intelligence agencies’ ability to decrypt encrypted communications
- Court hearings precipitated by police cracking the EncroChat secure mobile phone network have been delayed after defence lawyers request further disclosures on police decryption capabilities.
- Cops take out encrypted comms to disrupt organised crime: In July 2020, after French and Dutch authorities had gained access to the encrypted EncroChat network, the NCA and its counterparts worked to disrupt the serious and organised criminal networks using the platform.
- Appeal court finds ‘digital phone tapping’ admissible in criminal trials: On 6 February 2021, judges decided that, despite UK law prohibiting law enforcement agencies from using evidence obtained from interception in criminal trials, communications collected by French and Dutch police from EncroChat using software “implants” were admissible evidence in British courts.
- Belgian police raid 200 premises in drug operation linked to breach of encrypted phone network: On 9 March 2021, Belgian police raided 200 premises after another encrypted phone network with parallels to EncroChat, Sky ECC, was compromised, in what prosecutors described as one of the biggest police operations conducted in the country.
- Arrest warrants issued for Canadians behind Sky ECC cryptophone network used by organised crime: Following the international police operation to penetrate the Sky ECC network and harvest “hundreds of millions” of messages, a federal grand jury in the US indicted Sky Global’s Canadian CEO, Jean-François Eap, along with former phone distributor Thomas Herman, for racketeering and knowingly facilitating the import and distribution of illegal drugs through the sale of encrypted communications devices.
- Judges refuse EncroChat defendants’ appeal to Supreme Court: In early March, judges refused defendants leave to challenge the admissibility in UK courts of message communications collected by French cyber police from the encrypted phone network EncroChat. Computer forensic experts working on EncroChat cases said that decision should trigger a wider review of the “far-reaching effects” the legal decision by the Court of Appeal would have on the role of communications interception in future cases.
- UK courts face evidence ‘black hole’ over police EncroChat mass hacking: Forensic experts say that French investigators have refused to disclose how they downloaded millions of messages from the supposedly secure EncroChat cryptophone network used by organised criminals – leaving UK courts to grapple with a forensic ‘black hole’ of evidence.