Berlin court finds EncroChat intercept evidence cannot be used in criminal trials

Novel hacking operation

In a novel hacking operation, the French Gendarmerie’s Centre for Combating Digital Crime (C3N) gained access to EncroChat’s servers, housed at the French datacentre provider OVH in Roubaix in April 2020.

The French, working jointly with the Dutch police and the UK’s National Crime Agency, were able to harvest encrypted messages from the EncroChat network.

More than 32,000 phone users in 122 countries were affected, regardless of whether the users were criminal or not, the Berlin court found.

Specialists at C3N collected the messages and passed them on to Europol, which packaged them up according to country of origin and shared them with police forces in Germany, the UK and other countries.

User of intercept not justified in German law

However, the Berlin court found that the interception represented a serious encroachment of individuals’ rights to privacy.

Even if the interception operation was legal under French law, the use of the data in German criminal proceedings was not justified, said Regional Court judge Behrend Reinhard.

“The Regional Court considers that the surveillance of 30,000 EncroChat users to be incompatible with the principle of proportionality in the strict sense. This means that the measures were unlawful,” Reinhard wrote in a 22-page judgment.

The court found that the French had not provided information on how they had intercepted data from the EncroChat handsets, and that French authorities were unwilling to provide further information.

EncroChat phones – Android phones with modified hardware and software – were sold through a network of dealers for between €1,000 and €2,000 for a typical six-month contract.

French police began preliminary investigations into EncroChat in 2016 and 2017 after recovering a number of EncroChat phones in the possession of drug traffickers.

Law enforcement investigators were able to trace the servers used by EncroChat to a datacentre run by OVH in Roubaix, France.

In January 2020, a court in Lille authorised the installation of a software implant that targeted BQ Aquaris X2 Android phones used by more than 32,000 EncroChat users in 122 countries.

The implant, supplied by French intelligence agency DGSE, initially harvested historic data from the phones’ memory, including stored chat messages, address books, notes and each phone’s unique IMEI number.

In stage two, the implant intercepted incoming and outgoing chat messages, probably by taking screenshots or logging keys, and transmitted them to a server run by C3N.

German police received daily downloads of data from the phones from Europol between 3 April 2020 until the operation against EncroChat was discontinued on 28 June 2020.

A French court in Lille approved a European Investigation Order (EIO), issued by the Germany prosecutors on 13 June 2020, authorising German courts to use EncroChat data in criminal proceedings.

But the Berlin court found that the intercepted data was obtained in breach of EU law governing the use of European Investigation Orders.

No grounds for suspicion                   

Grounds for suspicion did not exist when the EIO was ordered and implemented, according to the judgment.

Under EU law, member states are required to notify the German authorities before intercepting telecommunications of people on German territory.

This includes providing all the necessary information, including a description of the interception operation to assess whether the interception would be authorised under German law, and whether the material can be used in legal proceedings.

Judge Reinhard said: “According to the information that has become known so far, it is to be assumed that there was no such request by the French state and no review by the competent Germany authority in this case.”

There was no concrete suspicion that criminal offences had been carried out by the users of EncroChat phones targeted, the court found.

“At the time of the order and implementation, there was no suspicion of a crime against the users of the terminal equipment [handsets] that would have justified the surveillance,” the judgment said.

Criminals often prefer communications channels that are difficult to monitor, such as voice over IP telephones or the secure Tor browser.

But the mere use of an encrypted phone, even one with a high level of security, is not in itself a reason to conclude that criminal conduct had taken place, said the court.

Bolt cutters

Using an analogy, the mere possession of tools used in burglaries, such as crowbars or bolt cutters, does not provide sufficient grounds for a search warrant, it added.

The German federal government is actively encouraging the use of cryptography, through its digital agenda, and has been reluctant to oblige telecoms and internet companies to implement “back doors”.

Encryption technologies have also been supported by the Council of the European Union, which backs the technology to protect the digital security of governments, industry and society.

“A behaviour that is fundamentally desired by a state – protection of one’s own data from foreign access – cannot become the starting point for coercive measures under criminal law,” said the Berlin court.

Use of EncroChat was not criminal

The court found that although EncroChat’s security features made it particularly attractive to criminals, it was no different from any other encrypted service.

EncroChat was equally attractive to journalists, political activists who feared state persecution or employees of companies who wanted to protect themselves from state persecution, it said.

The high cost of EncroChat phones does not justify the conclusion that they can only be paid for through criminal activity, the court found, and there was no concrete evidence that the 60,000 users of EncroChat phones worldwide were part of a “criminal network”.

According to German police, EncroChat customers contacted dealers anonymously by email, who handed phones over for cash during meetings in public places.

“This procedure fits in with the particularly high security standards claimed by EncroChat and a correspondingly particularly pronounced need for security on the part of the customers,” the court found. “But it does not allow any conclusion to be drawn about the purpose of criminal use.”

Retrospective justification

Among French users, the proportion suspected of criminality was only 67.3%, equivalent to 317 individuals out of 417 identified as of 12 June 2020 – a vanishingly small number compared to the 60,000 users registered with EncroChat.

The subsequent discovery of criminal activities after the surveillance began cannot be used to retrospectively justify the interception operation, the court said.

The large quantities of drugs seized during investigations into EncroChat messages worldwide – and the spectacular discovery of a torture chamber used by drug dealers in the Netherlands – cannot be used to justify the presumption that the network was predominantly used by criminals, it added.

According to a communication from the European Commission, by 14 April 2021 – almost a year after the operation had ended – only 1,500 investigations had been initiated and 1,800 people had been arrested – equivalent to just 5.4% of the EncroChat users placed under surveillance.

German law does not allow for surveillance of telecommunications to establish the suspicion of a crime. Vague suspicions and general indications are not sufficient to justify “blanket spying” on all users of the chat service, the court found.

Tobias Singelnstein, chairman of criminology at the Ruhr-Universität Bochum, told Computer Weekly that the Berlin court’s decision was significant, being the first to take into account the serious legal problems inherent in the acquisition of evidence from EncroChat.

Higher courts in Hamburg, Bremen and Rostock have found EncroChat evidence admissible, according to Tagesspiegel.

German prosecutors said they would appeal against the Berlin decision.