NCA officer questioned in Investigatory Powers Tribunal over failure to disclose EncroChat notes

EncroChat hacking warrant was unlawful and in breach of human rights law, the Investigatory Powers Tribunal hears

A National Crime Agency (NCA) officer faced questions in Britain’s most secret court on Wednesday 14 December after she failed to disclose a key document about the agency’s use of hacked text messages from the EncroChat encrypted phone network in criminal prosecutions for over two years.

NCA intelligence officer Emma Sweeting told the Investigatory Powers Tribunal (IPT) that she could not explain why she had overlooked her notes of a meeting she attended with French and Dutch police officers at Europol in 2020 until October this year.

The tribunal is hearing a legal challenge by 10 defendants over the lawfulness of British police’s use of evidence obtained by French and Dutch investigators in a novel hacking operation against the EncroChat phone network, which led to over 1,550 arrests and hundreds of prosecutions in the UK.

Lawyers acting for the defendants claim the NCA “deliberately misled” the independent judicial commissioner asked to authorise the NCA’s surveillance warrant by failing to provide a candid explanation of the hacking operation.

They told the tribunal yesterday that the warrant given to the NCA to enable it to use EncroChat evidence in criminal prosecutions was issued unlawfully and therefore was in breach of the right of privacy under Article 8 of the European Convention on Human Rights.

The IPT heard that the director general of the NCA, Lynne Owens, wrongly approved a Targeted Equipment Interference (TEI) warrant – the only warrant that would allow messages and images intercepted from EncroChat to be used as evidence in court.

“The director general was wrong in law to approve this as a TEI,” a defence lawyer told the tribunal.

He said that under the Investigatory Powers Act, the only warrant that could be lawfully used to request hacked messages from the French was a Targeted Interception (TI) warrant, which would only allow EncroChat messages to be used for intelligence purposes, rather than evidence.

The court previously heard that the NCA’s warrant application was based on an account of an off-the-record conversation between an NCA intelligence officer, Emma Sweeting, and a French cyber crime officer, Jeremy Decou, after the meeting at Europol.

The NCA has not asked for written confirmation from the French that the conversation between Decou and Sweeting took place, or that the NCA’s summary of the EncroChat operation that Sweeting asked Decou to confirm was accurate, the tribunal was told.

Missing notes

The tribunal heard yesterday that Sweeting had discovered “rolling notes” of a key meeting at Europol between 19 and 21 February 2020 on her computer in October this year, some two years after disclosing a summary of the meeting in earlier EncroChat proceedings.

The court heard that the newly discovered notes showed that Europol had drawn 18 “conclusions” about the EncroChat operation, two of which were missing from the notes the NCA used as the basis of its warrant application.

The missing conclusions related to the samples of EncroChat data already available to French authorities, and the NCA’s access to Threat to Life (TTL) analysis tools.

Lawyers for the complainants argue that the evidence suggests the NCA had access to live intercepted messages from the EncroChat system, which were subsequently decrypted. If correct, that would invalidate the use of EncroChat in evidence in the UK.

The NCA maintains that it obtained unencrypted messages taken from memory storage in phone handsets, rather than through live interceptions. 

Sweeting was asked why she had written “would not be able to go live on intercept” and that “intercept evidence is not enough, would need e.g forensics as well” in the newly disclosed notes.

The intelligence officer said some of the notes referred to comments made by other countries at the Europol meeting and that she could not be sure they related to the UK.

Sweeting’s notes also recorded that messages collected in transmission by the French authorities would be “decrypted using a key”.

Defence lawyers said this indicated that Sweeting had information about how EncroChat data was obtained prior to the warrant application.

Another note stating that the NCA would need both TEI and TI warrants was left out of documents used by the agency in its warrant application.

Sweeting said she discussed her notes with colleagues after the meeting to make sure they were true and accurate.

She said she was unable to give more details about how her “rolling note” was turned into a summary note for the NCA.

Europol did not assess EncroChat’s use by criminals

The NCA has argued that the EncroChat phone system was almost entirely used by criminals.

The court heard that Sweeting had written that Europol would make an assessment around the user base being entirely criminal, in her original notes from the Europol meeting.

Under questioning, Sweeting said countries taking part in the EncroChat operation were comfortable that the service was used almost exclusively by criminals.

There was no need for Europol to conduct that final assessment, she said, as everyone was confident that criminals would be using EncroChat.

She agreed that the fact that Europol had not carried out an assessment of criminal use of EncroChat had not been included in the warrant application.

Under cross-examination Sweeting told the court that she had disclosed a summary of her notes, referred to as the “blue and black note” in 2020, but had not realised another version existed: “I had an honestly held the belief that this was the only version, but that was an error.”

She said it was not the case that she had known the earlier document was on her computer all along, and she apologised to the court for disclosing it so late.

“I can’t remember exactly where I found the document, whether it was a Z drive or an email attachment,” she said.

Sweeting said she spell-checked the “blue and black” notes after going through them with colleagues at the Europol meeting to ensure they were accurate, before sending them to the gold commander in charge of Operation Venetic, Matt Horne, on 23 February 2020.

She said the NCA does not automatically delete correspondence as a matter of policy.

Under cross-examination, Sweeting said she did not deliberately delete any documents, or consciously remove any information from the documents initially submitted to the judicial commissioner.

She also claimed that, at the point of the meeting between the NCA and Europol, French authorities had only obtained “imaged” data from EncroChat servers, and that they had not yet completed their development of a “technique” to extract further information from the network.

Wayne Johns, a senior investigating officer at the NCA, was also asked about whether anyone else in the NCA questioned Sweeting’s claims that a TEI was needed. Johns said he was unaware of this happening.

Johns, the named officer on the NCA’s TEI warrant, said he had no idea of the underlying technical details that would make a TEI warrant suitable.

During a follow up meeting with Europol on 9 March the NCA was informed that further meetings could be arranged to discuss procedural follow up and next stages of cooperation, "once technical phase of interception and decoding" is over. 

Johns said he was not aware of what was meant by interception and decoding, and does not recall anyone from NCA asking either.

‘Deliberately misleading’

Matthew Ryder KC claimed that Sweeting’s testimony conflicted with previous testimony and that he would submit to the court that Sweeting has been “deliberately misleading” or “wilfully blind”.

The court refused a request by defence lawyers to order the NCA to disclose its legal advice on the EncroChat warrant.

A lawyer for the NCA argued that it had not waived legal privilege by disclosing details of its legal advice in documents submitted to the court.

According to an email read out in court, because of the fast-moving nature of the EncroChat project, there was no specific legal advice given to the NCA on the use of “equipment interference” (hacking) to obtain EncroChat messages.

The case continues.

Read more on IT for government and public sector

Data Center
Data Management