Secrecy over police EncroChat hacking is unconstitutional, defence lawyers tell top French court

France’s constitutional court, the Conseil Constitutionnel, has heard arguments that the use of ‘defence secrecy’ to withhold information about police surveillance operations breaches the French constitution

France’s constitutional court will decide on Friday 8 April whether police hacking operations that retrieved millions of messages from encrypted phone networks used by organised criminals breached the French constitution.

Defence lawyers and the French campaign group La Quadrature Du Net argued in a hearing last week that the state’s use of “defence secrecy” to protect police hacking operations deprive defendants of information they need for a fair trial.

The case could have serious consequences for thousands of criminal prosecutions brought by police forces around the world based on millions of electronic messages extracted by French investigators from the EncroChat and Sky ECC cryptophone networks.

“This is a very important case because the hacking of both EncroChat and Sky has led to hundreds of proceedings in France and thousands in the world,” said defence lawyer Robin Binsard, who brought the case. “So if the judge says it was not constitutional, it will have huge consequences.”

EncroChat hack

The French Gendarmerie harvested more than 120 million supposedly encrypted messages, notes and photographs from EncroChat users in 121 countries, in a novel interception operation in 2020, which caused widespread disruption to crime groups and drug gangs in Europe and the UK.

The UK’s National Crime Agency (NCA), working with regional organised crime units, the Metropolitan Police and other law enforcement agencies, had made more than 2,600 EncroChat-related arrests using the French data by December 2021.

More than 1,380 people had been charged with offences and 260 have been convicted under Operation Venetic, the NCA’s response to EncroChat. UK police have also seized 165 firearms, 3,400 rounds of ammunition, 5,600kg of Class A drugs and £75m in cash.

In a second operation in 2021, French police were instrumental in hacking Sky ECC, one of the world’s largest cryptophone networks with 120,000 users worldwide.

Experts from the French Gendarmerie were able to intercept and decrypt hundreds of millions of messages after gaining access to the company’s servers, hosted by the cloud service provider OVH in Roubaix.

Belgian, French and Dutch police launched raids against suspected organised crime groups and drug dealers identified through the intercepted messages from Sky in March 2021.

EncroChat phones were used across Europe

Hacking secrecy

France’s Constitutional Council, which includes former prime ministers Laurent Fabius and Alain Juppé among its members, heard arguments on 29 March over whether the EncroChat and Sky ECC hacking operations were compatible with the French constitution, the right to a fair trial and privacy rights.

At issue is a clause in the criminal code that allows prosecutors or magistrates to invoke “national defence secrecy” to prevent dislosure of information about police surveillance operations that defence lawyers argue is necessary for defendants to receive a fair trial.

Secrecy about how the hack was carried out means that people accused of offences based on captured electronic data do not have “equality of arms”, lack an “effective remedy” to appeal and are unable to verify the authenticity of evidence produced against them, lawyers argued.

The court heard that there were legal appeals pending over the legality in EncroChat cases in the Netherlands, Belgium and Germany. The claims are disputed by the French government.

DGSI led cryptophone spying operations

Patrice Spinosi,  representing the defence, the French bar and the League of Human Rights, quoting Machiavelli, said the key question the court had to consider was whether the ends justified the means during the police hacking operations.

The French criminal code 707-102-1 allows police forces to request the French secret services to intercept, collect and process encrypted data without prosecutors, defence lawyers or investigating judges having any oversight of the interception operation.

Over the past 18 months, France’s security agency, DGSI, has been asked to “massively spy” on the users of two encrypted messaging systems, EncroChat and Sky ECC, Spinosi told the court.

“French services were able to hack into the foreign servers of these messages,” he said. “They recorded all the data that could be collected. Then, they processed all these elements and delivered them in the form of a summary to the various requesting police services.”

The French security agency, DGSI, provided technology to spy on users of EncroChat

This was done without “any precise explanation or control,” said Spinosi.

Police services have benefited from “the fruit of the work of the secret services” and have told the public that they had struck “a gold mine” with the information uncovered, he said.

“The various investigative managers can’t believe the amount of information they have been able to obtain because of the hacking into foreign servers. And a very large number of investigations have been opened in France, but also in various foreign countries,” said Spinosi.

But the satisfaction of the investigators was matched only by equal infringements of fundamental freedoms, the rights of defendants, the respect of the adversarial process in courts and the principle of the rights of appeal, he said.

Security services should be supervised, not disarmed 

The issue is not to disarm the state by preventing the security services breaking encryption, but ensuring that “these exceptional measures” are properly supervised and that people implicated in a criminal investigation can exercise the rights normally granted under the law, said Spinosi.

“However, for the moment, and as the texts stand, this is not the case,” he added. “Once it is activated, article 706-102-1 leads to the application of defence secrecy, which outweighs everything.”

In practice, people accused of crimes, lawyers and judges will only have access to the material handed over by the secret services, with no means of verifying it, the court heard.

It is the equivalent of an intelligence report being used for judicial purposes, and often an intelligence report that forms the bulk of the evidence used in the prosecution, said Spinosi.

Missing information

The police handed copies of decrypted messages over to the defence lawyers and judges, but there are huge unanswered questions, he said.

“How were they established? Who synthesised them? Were there any other statements than the ones that are reported? How was the surveillance operation carried out technically? And what is the mass of the data that was captured, preserved and exploited?”

All these questions are legitimate in any judicial democracy, but are absolutely blocked by the invocation of defence secrecy under article 706-102-1, the court heard.

The legislator has “not thought for one moment about all the legal consequences” of allowing police forces access to technical surveillance tools intended to make police work more effective, said Spinosi.

French police identified EncroChat and Sky ECC servers in a datacentre in Roubaix

Article 706-102-1 created a “legal bridge” between the police services and the secret services that could be used at the discretion of prosecutors and investigating magistrates, he said.

“The defence secret, which is at the heart of the work of the secret services, is an abnormality of our law and must only be used in exceptional cases which are solely related to the security of the state,” said Spinosi.

Defence secrecy cannot be used without the legal controls of French criminal procedure “unless we deny the secular principles that guarantee the law of repression in France”, he added.

Secrecy powers are ‘arbitrary’

Defence lawyer Robin Binsard, co-founder of law firm Binsard Martine, told the court that defence and secrecy were fundamental pillars of French law, but the concept of “defence secrecy” was one of the most “libercidal” measures in the French legal code.

Article 706-102-1 allows investigators and the public prosecutor to secretly capture communications data during an investigation “without criteria, without modification, without appeal”, he said.

“It is a real discretionary power that is left to the arbitrariness of the judges, but also the magistrates and the public prosecutors,” said Binsard.

In practice, this means it is not possible to know where messages, voice recordings or other intercepted data come from, or whether they are authentic.

It is like being accused on the basis of evidence found by a police search, without knowing where the search took place, when it was carried out, and without knowing the methods used by the police investigators, he said.

French police captured data from thousands of Sky ECC cryptophones

Binsard is representing Said Zaoui, who is accused of running a drug-trafficking network based solely on the messages from the encrypted messaging network EncroChat.

“In this case, the defence is deprived of its fundamental right to appeal,” he said. “It cannot correlate this act of investigation in any way. It cannot ensure that the law has been respected.”

There is no way, for example, of knowing whether the messages attributed were intercepted in real time or whether they came from servers or storage, he said.

“For the defence, we have the impossible task, totally impossible, of having to deal with faceless evidence without contours and a prosecution that is draped in veils [of secrecy],” said Binsard.

“At a time when we demand more and more transparency, this law allows magistrates and prosecutors to cover themselves with total opacity,” he told the court.

Huge step backwards in defendant’s rights

What is being proposed here is “nothing more and nothing less than a huge step backwards in the rights of the defence, a huge step backwards in the power of defence lawyers, a huge step backwards in fundamental and indispensable rights”, Binsard told the court.

More dangerously, there are no criteria to say when prosecutors or judges should invoke “defence secrecy”, which overrides common law protections to data capture operations, he said.

The French Public Prosecutor has shared information covered by national defence secrecy with judges in other countries, including the Netherlands, that it has not shared with French courts, he said.

“We are therefore in a situation where we are told that magistrates in another country would be more capable and more trustworthy than [French] defence lawyers bound by professional secrecy,” he added.

Criminal code ‘veiled with shame’

The French government argued that the material protected by defence secrecy is not useful to defence lawyers.

But this is false, said Binsard, because it is not possible to say whether information is useless to the defence without knowing what the information is. And secondly, “it is not up to the public prosecutor to decide what is or is not useful to the defence”, he added.

“It is surely very comfortable for the prosecution to be able to accuse based on evidence that is not contestable – but it is obviously intolerable from the point of view of the rights of the defence,” said Binsard.

Article 706-102-1 constitutes “an intolerable and liberticidal measure that stains the code of criminal procedure with a veil of shame and unconstitutionality”, he told the court.

Public prosecutors can authorise the use of defence secrecy without judicial oversight, because there is no requirement for a judge to rule on the relevance of invoking defence secrecy, the court heard.

Investigating judges can also approve the use of defence secrecy, with no right of appeal for defence lawyers.

“No legal means, no legal remedy is available to the defence to effectively challenge the use of defence secrecy”

Robin Binsard, lawyer

“No legal means, no legal remedy is available to the defence to effectively challenge the use of defence secrecy,” said Binsard.

No right of appeal

Alexis Fitzjean O Cobhthaigh, representing the French NGO La Quadrature du Net, told the constitutional court that under the criminal code, national defence secrecy could be invoked without a particular need, or without it being considered necessary to an investigation.

A judge can authorise the use of a “special investigation technique” to obtain data from an automated data processing system. A prosecutor or an examining magistrate can then invoke defence secrecy without the need for approval from a judge, he said.

“This choice is not subject to any criteria, it is absolutely discretionary, and it does not allow for any appeal,” said Fitzjean O Cobhthaigh.

The lawyer said that when the state uses its powers to capture messages from a cell phone, not only does it capture data belonging to the cell phone’s owner, but conversations with third parties.

This infringes the rights of third parties, but there is nothing in the legal code that foresees that data from third parties could be affected, or any right for them to appeal against their data being collected, he said.

Secrecy should be limited to serious cases

In the case of particularly serious offences, it may be necessary to use “special measures” that are protected by national defence secrecy to obtain electronic data and communications, said Fitzjean O Cobhthaigh.

But it should only be used if it concerns offences with “the most serious penalties” and if the information cannot be obtained through other investigative means, he added.

The use of defence secrecy is a “totally discretionary choice”, he said – there are no minimum guarantees and no requirement to limit its use to particularly serious cases.

Defence secrecy can be invoked by a prosecutor alone, but this does not provide the necessary guarantees of impartiality or independence, he said.

When captured data is shared with other countries through European police agency Europol, that can create “problems” and lead to “frictions” between French procedure and the procedures used by other countries, said Fitzjean O Cobhthaigh.

Article 706-102-1 breaches at least two rights in constitutional law, firstly the right to an effective legal remedy and secondly the right to privacy of personal data, freedom of expression and the right to private correspondence, he said.

Government – defence secrecy does not infringe civil liberties

Antoine Pavageau, representing French prime minister Jean Castix, said the use of defence secrecy did not infringe the Declaration of the Rights of Man and of the Citizen, the French charter for civil liberties introduced in 1789.

He said a person accused in a criminal court must be allowed to contest the conditions under which evidence was collected against him.

However, that does not imply that all the information relating to the origin, course and conditions of collection should be made available.

In the case of EncroChat, the protected information relates “solely to the technical processes of data capture or decryption, the disclosure of which is likely to harm or could lead to the discovery of a secret protected by national defence”, said Pavageau.

Security classification is necessary to protect the technical means used by the intelligence services to access data from EncroChat, he said.

Secrecy is not intended to deprive the defence of a means to act, but only to protect the techniques used by the intelligence services, which are used for intelligence-gathering purposes, in addition to judicial investigations, he said.

“To call into question this protection would be to considerably weaken the action of these services for the benefit of the protection of the fundamental interests of the nation, without providing the person concerned with any particular protection,” said Pavageau.

The lawyer argued it was not the case that no information about the investigation was available. Magistrates must justify the need for authorising data capture by specifying the offence, the exact location and a description of the automated data processing systems targeted and the duration of the operation, he said.

The technical elements of the data capture and the operations carried out must also be recorded in a report along with the data and time that the operations began and ended, he said, adding that defendants may, “as with any other special investigative technique, challenge the authenticity and completeness of the capture data”.

Right to privacy protected

Pavageau argued that the code of criminal conduct does not infringe the right to private life, private correspondence and freedom of expression guaranteed under the 1798 Declaration of Rights.

“The technique of capturing computer data, whether or not it is implemented through means protected by the secrecy of national defence, has no impact on the degree of invasion of privacy or secrecy of correspondence,” he said.

The lawyer said that according to a 2019 decision by the constitutional court, the use of intrusive data capture methods can be justified in the case of serious offences.

Capturing large quantities of personal data was not in itself contrary to the constitution as long as it is surrounded by sufficient guarantees, he said.

“The authorisation is not only closely supervised, it is the subject of a written and reasoned order – justifying that the authorised operations are necessary,” he added.

Law should be revoked

Fitzjean O Cobhthaigh, representing La Quadrature du Net, invited the court to revoke article  707-102-1. If not, the court should provide for the prior intervention of a judge and the means of effective appeal against defence secrecy, he said.

The legal codes simply require prosecutors to provide an explanatory note about the use of interception, but the law should provide for a “minimum amount of information” to be disclosed, he said.

In the case of EncroChat and Sky ECC, defence lawyers do not know whether the messages were intercepted or retrieved from computer storage or whether they were taken from phone handsets or servers, he said. “Potentially, we don’t even know if the data was encrypted or not.”

Read more about encrypted phone networks used by organised crime

Read more on Hackers and cybercrime prevention

Data Center
Data Management