EncroChat: France says ‘defence secrecy’ in police surveillance operations is constitutional

Constitutional court finds that invoking ‘defence secrecy’ to withhold information about the state hacking of EncroChat cryptophones is constitutional. Defence lawyers now head for the supreme court

France’s constitutional court has rejected arguments that the use of “defence secrecy” to withhold information from lawyers about a police hacking operation into an encrypted phone network used by organised crime groups breaches defendants’ rights to a fair trial.

The Conseil-Constitutionnel found today that provisions in the criminal code that allow investigators to use defence secrecy to draw a veil over surveillance operations do not violate defendants’ rights to an effective judicial remedy.

The decision follows a legal challenge by lawyers supported by civil rights group La Quadrature du Net questioning the legality of a French police hacking operation against the encrypted mobile phone network EncroChat, which is widely used by organised criminals.

Robin Binsard, co-founder of Binsard Martine, who brought the case, said that although the council found that defence secrecy is constitutional, it had also identified legal requirements to disclose information about the hacking operation that were not followed in the EncroChat case.

“We are now waiting a decision of the Supreme Court to know exactly which evidence should be disclosed,” he said.

“We are now waiting a decision of the Supreme Court to know exactly which evidence should be disclosed”

Robin Binsard, lawyer

Secrecy necessary to protect intelligence techniques

The constitutional court found today that defence secrecy provisions used in police surveillance operations were necessary to protect the techniques used by the French intelligence services and for “safeguarding the fundamental interests of the nation”.

The law, the court found, strikes a balance between the constitutional rights of defendants to an effective judicial remedy and the right to privacy, and constitutional requirements to identify criminal offenders and protect national security.

The disputed legal provisions “do not violate the right to an effective judicial remedy, the right for a private life, freedom of expression or any other right or freedom guaranteed by the constitution” and must therefore be declared constitutional, the court said in a written decision.

Criminal code

France’s Constitutional Council, which includes former prime ministers Laurent Fabius and Alain Juppé among its members, heard arguments on 29 March over whether the EncroChat and Sky ECC hacking operations were compatible with the right to a fair trial and the right to privacy guaranteed under the French constitution.

At issue is a clause in the criminal code that allows prosecutors or magistrates to invoke “national defence secrecy” to prevent the disclosure of information about police surveillance operations that defence lawyers argue is necessary for defendants to receive a fair trial.

French investigators used article 707-102-1 of the criminal code – described as a “legal bridge” between French police and the secret services – to ask France’s security service, DGSI, to carry out surveillance operations on two encrypted phone systems, EncroChat and Sky ECC.

Patrice Spinosi, lawyer at the Council of State and the Supreme Court, representing the Association of Criminal Lawyers and the League of Human Rights, said the secret services hacking operation had struck a gold mine of information.

But the work also led to infringements of fundamental freedoms, the rights of defendants, the respect of adversarial processes in the courts and the rights of defendants to appeal.

There were huge unanswered questions about how data from EncroChat was obtained, how it was processed, preserved and exploited and how the surveillance operation was carried out, he said.

Defence lawyer Robin Binsard argued that the secrecy around the operation was akin to defendants being accused of the basis of evidence found by a police search, without knowing where the search took place, when it was carried out, and without knowing the method used by police investigators.

“At a time when we demand more and more transparency, this law allows magistrates and prosecutors to cover themselves with total opacity,” he said. 

Defence lawyer Robin Binsard told the Constitutional Court that “defence secrecy” deprived defendants of fundamental legal rights

Alexis Fitzjean O Cobhthaigh, representing the French NGO La Quadrature du Net, told the constitutional court that under the criminal code, national defence secrecy could be invoked without a particular need, or without it being considered necessary to an investigation.

A judge can authorise the use of a “special investigation technique” to obtain data from an automated data processing system, he said. A prosecutor or an examining magistrate can then invoke defence secrecy without the need for approval from a judge.

“This choice is not subject to any criteria, it is absolutely discretionary, and it does not allow for any appeal,” said Fitzjean O Cobhthaigh.

Antoine Pavageau, representing French prime minister Jean Castix, said defendants must be allowed to contest the conditions under which evidence was collected against them.

But that does not imply that all the information relating to the origin, course and conditions of collection should be made available.

In the case of EncroChat, the protected information relates “solely to the technical processes of data capture or decryption, the disclosure of which is likely to harm or could lead to the discovery of a secret protected by national defence”, said Pavageau.

Secrecy is not intended to deprive the defence of a means to act, but only to protect the techniques used by the intelligence services, which are used for intelligence-gathering purposes, in addition to judicial investigations, he said.

“To call into question this protection would be to considerably weaken the action of these services for the benefit of the protection of the fundamental interests of the nation, without providing the person concerned with any particular protection,” said Pavageau.

Court decision

The court found, in its written decision, that it was the responsibility of legislators to reconcile the rights of defendants to challenge evidence on the one hand, with the need to identify offenders on the other hand, and the requirement to safeguard the fundamental interests of the nation.

Article 707-102-1 of the code of criminal procedure allows public prosecutors or investigating judges to invoke national “defence secrecy” during hacking and interception operations. This had the effect of shielding information about the data extraction from “adversarial debate” in a court room.

The legislators’ intention was to allow investigators to benefit from technical measures to capture and process data without weakening the intelligence services by disclosing the techniques they used.

The court found that defence secrecy can only be invoked for a special investigation technique authorised by an investigating judge when it is justified by the requirements of an investigation into serious and complex crimes.

The judge is required to produce a written and reasoned order authorising the use of a data capture device, which remains on file.

The order should contain details of the offence, the exact location or a detailed description of the automated data processing system targeted, and the duration of the hacking operation.

An acceptance report, accompanied by a certificate of authenticity signed by the person in charge of the body carrying out the data extraction, must also be provided certifying the authenticity of the data obtained, the court found.

“The court may request the declassification and communication of information subject to national defence secrecy,” it said.

The constitutional council said that it follows that the disputed legal code strikes a balance between the constitutional rights of defendants and the requirements to safeguard the state.

The contested law does not “violate the right to an effective judicial remedy, the right to respect for private life, freedom of expression, or any other right or freedom guaranteed by the constitution” and “must therefore be declared constitutional”, it said.

Supreme court

Binsard said that although the court can request that information about a hacking opertation is declassified, that option is not open to defence lawyers.

Binsard and Martine will present arguments to the French Supreme Court in July, challenging the French Gendarmerie’s refusal to provide defendants with information on the hacking operation, following the constitutional court’s decision.

They claim that for defendants to have a fair trial, the French police should explain how they obtained intercept evidence from EncroChat phones and should provide a certificate to authenticate the intercepted data and messages.

The lawyers also claim that French computer crime specialists went beyond the legal authority granted to them by judges in a court in Lille.

The disputed court orders include one requiring the French cloud computing service provider OVH, which hosted the servers used by EncroChat at its Roubaix datacentre, to modify its network to enable the interception to take place

Legal 'smokescreen'

The campaign group, Fair Trials, denounced the constitutional court’s decision, arguing that there were clear violations of defendants’ rights in the EncroChat hack.

Laure Baudrihaye-Gérard, Legal Director (Europe) for Fair Trials said in a statement that the decision weakens fair trials not just in France but across Europe.

“We send a strong reminder to all EU Member States that human rights must be upheld for all people, and we continue to denounce the secrecy surrounding the evidence obtained from the hack.”

The EU police agency, Europol, passed the hacked data to police in other member states, said Baudrihaye-Gérard, but EU prosecutors did not ask how the data had been obtained or how reliable it was.

Software implant

Gendarmes based at the C3N digital crime unit in Pointoise, with the assistance of Dutch investigators, were able to covertly take copies of the servers and upload a “software implant” that was able to extract plain text messages from EncroChat phones in April 2020.

Investigators harvested more than 120 million supposedly encrypted text messages, notes and photographs from EncroChat phones in 120 countries.

The operation caused widespread disruption to crime groups and drugs gangs in Europe. In the UK, more than 2,600 people had been arrested, 1,380 charged and 260 convicted under Operation Venetic, the National Crime Agency’s response to EncroChat, by December 2021.

French police were also instrumental in hacking Sky ECC, one of the world’s largest cryptophone networks, which had 120,000 users worldwide in 2021.

Experts from the French Gendarmerie were able to intercept and decrypt hundreds of millions of messages after gaining access to the Sky servers, also hosted by OVH, the cloud service provider in Roubaix.

Police in Belgium, France and Holland launched raids against suspected organised crime groups and drug dealers identified through the intercepted messages from Sky ECC in March 2021.

Forensics experts in the UK have argued that the French Gendarmerie’s refusal to release information on the hacking has led to an “evidential black hole” that has broken accepted principles that evidence should be properly acquired and secured before being used in legal cases.

Logical decision says Gendermie

Following the decision, Matthieu Audibert, an officer of the Gendremerie said that the court’s decision was “logical.”

He wrote on Twitter: “The argument of the lawyers is to say: it is unfair because we do not have access to certain information. The Council (the law) says that this only concerns technical information and this point is fundamental.”

Data capture is the most controlled special investigation technique in French law, he said.

Read more about encrypted phone networks used by organised crime

Read more on Hackers and cybercrime prevention

Data Center
Data Management