Conversation between two police officers formed basis of EncroChat warrant, court hears

The National Crime Agency did not seek a written explanation of a French hacking technique before applying for a surveillance warrant to use French “intercept” in the UK, a court heard

The National Crime Agency (NCA) received a warrant to covertly harvest hundreds of thousands of messages from the EncroChat encrypted mobile phone network, on the basis of a conversation between a French and a British law enforcement official that was not confirmed in writing, a court was told this week.

The claim was made during the second day of a legal challenge in Britain’s most secret court, the Investigatory Powers Tribunal, which will decide whether the NCA had a lawful basis to use material exfiltrated from EncroChat in criminal prosecutions.

The NCA, working with police forces, has arrested 1,550 people across the UK, and seized 115 firearms, £54m in cash and large quantities of drugs by analysing messages obtained by a French hacking operation on EncroChat phones used by organised criminals, in 2020.

NCA intelligence officer Emma Sweeting drafted an email describing how the French would use an “implant” to extract EncroChat messages from telephone handsets during a meeting at Europol to discuss the French EncroChat operation from 19 to 21 February 2020.

Sweeting told the court that on the final day of the meeting she showed the draft email to Jeremy Decou, the criminal investigations officer responsible for the French EncroChat investigation, who agreed verbally that it was correct.

The NCA used the email to apply for a Targeted Equipment Interference (TEI) warrant – which authorised it to use hacked EncroChat messages in criminal prosecutions in the UK - without obtaining written confirmation of its accuracy from the French, the court heard.

French did not use the word ‘implant’

A defence barrister put it to Sweeting that Decou could not have agreed to her email, which described the hacking tool as an “implant,” as that was a word that Decou had refused to use.

The court heard that NCA officers asked Decou in an interview in September 2020 whether he wanted to describe the interception mechanism as an implant, or tool or technical device.

“Jeremy always uses tool, or capture tool or technical device. Once when he was asked whether he wants to use the word implant or something else, he uses the world tool, and he never used the word implant,” he said.

Decou “slipped-up” in the interview by saying that the technical device had retrieved data from the server at OVH - a datacentre in France that hosted EncroChat.

The NCA had obtained its TEI warrant on the basis that EncroChat messages were extracted from phone handsets.

Decou corrected himself by saying that he could not comment on the technical aspects, the barrister told the court.

Sweeting said that she could not answer for what Decou said in the interview. “The truth is as I describe. I put that to Jeremy Decou and he confirmed that it was accurate and true.”

French warned of possible problems

Decou emailed Sweeting in January 2020, suggesting that the French hacking technique might not be accepted in judicial cases in the UK, the court heard.

“I remember at our meeting, you said you can’t have interception on a phone in a judicial case,” he wrote. He said the same issue might apply to interception of phone data.

He told Sweeting that he hoped magistrates would find a solution to allow the NCA to use data from the French operation.

The gendarmerie officer wrote that the phone date would be accessed “live or almost live time” from “our server”.

“That rings alarms for anyone asking for a TEI warrant,” the barrister said.

Read more about EncroChat

Sweeting said it was her understanding that Decou was referring to a server set up by the French to receive the data, not the EncroChat server.

The NCA could apply for a TEI warrant to use material extracted from phone handsets as evidence for prosecutions. If the TEI was not appropriate, it could apply for a Targeted Interception (TI) warrant, which would allow use of EncroChat material for intelligence purposes.

“We were trying to find the correct warrant, TEI or TI,” she said. “If it was TI we could use it as intelligence”.

Europol meeting note

Sweeting was questioned about notes taken during the Europol meeting by NCA officer James Willmott, which recorded that data would only be collected in France from the server rather than targeting every EncroChat device.

“Legal advice now needs to be sought to consider the new definition of the activity,” Willmott wrote.

 Sweeting was asked whether she had organised a call with the NCA legal department because she was “so concerned” over the contents of Willmott’s note.

“We were having regular conversations with NCA legal,” she said. “It was not something I was so concerned about, it was simply an update to legal.”

Sweeting said she could not recall the conversation with NCA legal but had disclosed her notebooks.

The NCA intelligence officer was also questioned about a memo written by a senior NCA officer, Brendon Moore, sent to senior NCA officers in early February before the Europol meeting.

The memo said that the NCA “knew” that the technique used by the French would be based on “TEI not TI”.

“I did not feel as an agency we had a definitive view,” said Sweeting. “I cannot account for what Brendon wrote.”

The court heard that there were at least three emails where Sweeting referred to a TEI warrant without referring to a TI warrant, including one that said “deemed to be TEI” before the Europol meeting.

NCA did not ask questions

Sweeting accepted that she did not instruct a technical officer to ask further questions to Decou about the French hacking technique before the meeting at Europol.

“There is a reason you did not ask. You did not want to have a formal response saying this is TEI,” she was asked.

“There was not a conscious decision. This was in the context of a Europol meeting where we were going to find out more,” she said.

Sweeting said it was untrue to suggest that discussions that did not provide the answer the NCA was looking for were buried.

“The minutes have been provided, the emails have been provided. There were no discussions that we have got rid of,” she said.

Duty of candour

A second barrister asked Sweeting whether she was aware that she had a duty to provide information to the judicial commissioner who authorised the NCA’s warrant, “even if that was information that would not help what you were trying to achieve”.

She agreed that the NCA’s TEI warrant does not say anything about the circumstances in which Sweeting met with Decou. She did not recall any discussion about whether to include this information in the TEI.

He questioned Sweeting why she did not send the email she had shown Decou at the Europol meeting to Decou to get a confirmation of its accuracy in writing.

“Are you suggesting the French did not want to say whether the implant was extracting from the device or the server,” he asked.

Sweeting said that she was not suggesting that. “I am just explaining the course of events in Europol.”

“In that case why not ask Mr Decou to confirm in a formal sense,” Sweeting was asked.

Sweeting told the court: “I just did not choose to follow that course of events”.

Earlier she had told the court that she was aware she would not get a description of the full technical details of how the implant worked in writing.

The case continues.

Read more on Hackers and cybercrime prevention

Data Center
Data Management