emiliau - Fotolia

Defence lawyers claim NCA witness gave unreliable evidence on EncroChat hacking operation

National Crime Agency argues that the lawfulness of surveillance warrants issued to hack the EncroChat phone network should only be considered in the light of facts and assessments known at the time

The intelligence officer who played a key role in the National Crime Agency (NCA)’s work on its Operation Venetic investigation into criminals using EncroChat encrypted phones had not given reliable evidence, defence lawyers claimed at the Investigatory Powers Tribunal (IPT).

The court heard yesterday that NCA intelligence officer Emma Sweeting appeared to be confident and credible, but when details of her evidence were unpacked, her credibility could not be sustained.

Defence lawyers criticised Sweeting and the NCA for obtaining a surveillance warrant on the basis of Sweeting’s account of an off-the-record discussion she had with a senior French gendarme relating to the type of warrant needed without attempting to seek written confirmation.

James Eadie KC, representing the NCA, told the court that attacks on the credibility and motivation of NCA officers had already been raised in criminal courts and the court of appeal and had been found to be without foundation.

He said it was not a credible interpretation of the law that if the intercepted EncroChat material turns out not to be a stored communication, but was live intercept, that is a breach of the Investigatory Powers Act.

The IPT is considering claims from 10 defendants who argue that the NCA unlawfully obtained a Targeted Equipment Interference (TEI) warrant to allow EncroChat messages to be used as evidence in court by wrongly arguing that the messages were only extracted from the memory of phones.

Defence experts claim that the NCA obtained EncroChat messages through a live interception operation. This meant that, legally, the NCA should have obtained a Targeted Interception (TI) warrant, which would only allow the messages to be used for intelligence gathering, rather than evidence in court.

‘Misleading impression’

Matthew Ryder KC, representing defendants, said it was completely impossible to know whether a critical meeting between Sweeting and Jeremy Decou, a senior French investigating officer to verify what type of warrant was needed,  took place because there were no witnesses to the meeting and no records of it taking place.

“The absence of anyone else being told about it suggests that it did not happen,” he said. “But if it did happen, then it was given a weight it should not have been given.”

Ryder claimed that Sweeting had misled the independent judicial commissioners responsible for approving the NCA warrant by wrongly suggesting that her description of the EncroChat hacking operation had been approved by the French gendarmerie.

In practice, she had spoken to one gendarme with limited technical knowledge and whose second language was English, the court heard.

The gendarmerie were unable to give any description of how the hacking operation worked because it was protected by French defence secrecy laws, said Ryder.

“That warrant gave a knowingly misleading impression that there had been formal communication and assent but Ms Sweeting knew there could never be formal communication and assent,” he told the court.

Ryder said the NCA had taken no steps to ask Decou to confirm what had happened during his meeting with Sweeting, even though the NCA had the opportunity to do so.

“They have decided to deprive the tribunal of the answer Decou could have provided,” he said.

Ryder claimed that the obvious presumption was that Decou’s answer would not have agreed with the NCA’s version of events.

He said the position was “shocking” and the weight of Sweeting’s evidence about her meeting with Decou should be questioned.

“It is the right conclusion to draw that she is not a credible witness [on this point] and her evidence cannot be relied upon,” said Ryder.

Ryder told the court that Sweeting moved her email conversations with Decou to WhatsApp but did not disclose her WhatsApp conversations when criminal proceedings began in 2020.

“We learn that the reason is that she had reviewed the WhatsApp messages but did not find them relevant,” he said. “We say that is an uncomfortable position for an NCA officer to take.”

That might have been a misjudgment, said Ryder.

Sweeting’s evidence showed there was no note, no information and no evidence of her key discussion with Decou until she made a statement in September 2020, seven months after the meeting took place, Ryder told the court.

“There is no record of her confirming the meeting took place to colleagues – no evidence of any kind,” he said. “If she had told someone or written it down, that could have been put to the judicial commissioners.”

The court heard that the NCA had a duty of candour to disclose the full facts around a warrant application to independent judicial commissioners responsible for approving the warrant.

Sweeting deliberately chose not to ask Decou to confirm in writing what he had said to her in the informal exchange she had with him at the end of the Europol meeting, said Ryder.

“The corollary of not asking the question is, you don’t have anything to present to the judicial commissioners,” he said.

The court heard that when Decou was interviewed by the NCA in September 2020, he contradicted the NCA’s claims that EncroChat hacking operation only recovered stored messages from handsets, saying that during stage two of the operation, they were collected as live intercept.

Decou had also written a report on the French EncroChat operation, Operation Emma, on 2 April 2020 which referred to data being collected live and which made no reference to collecting stored data.

Defence lawyers argued that these facts were critical to determine whether the NCA could be lawfully granted a warrant, but were not put by the NCA to judicial commissioners.

“It is one thing to say that I am going to informally get this – and there can be criticism of that – but it’s a different order if you do that and don’t disclose it to anyone,” Ryder told the court.

Disclosure of notes

The court heard on Wednesday that Sweeting had failed to disclose her “rolling notes” of a key meeting at Europol for more than two and a half years, when she found them on her computer.

Ryder told the court that Sweeting had wrongly claimed in previous hearings that a later summary of her notes, known as the “blue and black” note, was her contemporaneous note of the meeting.

“She was saying the blue and black note was her rolling note,” said Ryder. “It was put to her in express terms: was this actually a contemporaneous note or was it compiled from other notes you had made?”

Sweeting had said: “I wrote it at the meeting.”

Ryder added: “She is a confident, assertive witness when she is wrong and presenting information she should know is incorrect.”

Wayne Johns, another senior NCA officer, was asked whether he accepted that the circumstances around the meeting with Decou should have been made available to the judicial commissioners.

Johns was asked whether the judicial commissioners might not have wanted to know that the warrant application was based on someone looking at a document on a laptop, who spoke English as a second language, and was not a technical specialist.

Johns replied: “Yes, when you explain it in those terms, absolutely.”

Ryder told the court that NCA documents showed that officers were talking about obtaining a TEI warrant before the NCA learned how the hacking operation was to be carried out at the Europol meeting in April 2020. “There is no explanation for that,” he said.

He told the court that there had been no attempt by the NCA to make enquiries about the mechanics of the hacking operation – and the correct warrant application – at the meeting.

“We say the NCA’s submission that NCA officers made strenuous efforts to come to an accurate understanding is not supported by evidence, ” said Ryder.

Bulk interception not addressed

The NCA knew it would not be able to take part in the EncroChat operation with the French and the Dutch if bulk warrants were needed, the court heard.

Abbas Lakha KC told the tribunal that the question of whether the EncroChat interception amounted to bulk interception was never addressed.

“Mr Johns said that it never occurred to the NCA that this was bulk interception,” he said. “He was never aware that it was discussed or that there was legal advice.”

The sole basis for concluding that Operation Venetic did not rely on bulk interception was a 2019 assessment by the NCA that the user base of EncroChat was entirely criminal, said Lakha.

“The only explanation can be that at an early stage, the NCA closed its mind to questions of whether a targeted warrant could be used, ” he said.

Lakha said it was striking that in internal correspondence, a member of the NCA’s legal team had urged Matt Horne, the NCA’s deputy director for investigations, to avoid putting things in writing, which suggested the NCA had not fulfilled its duty of candour.

Was Venetic a single operation?

The court heard that the Investigatory Powers Act allows equipment interference to be carried out only for a “single operation or investigation”.

Lakha said the NCA’s Operation Venetic was not a single investigation, but an umbrella term for multiple investigations conducted by police forces in the UK.

“Operation Venetic was set up solely because the joint investigation team needed a single point of contact,” he said. “From inception, it was intended to be a clearing house.”

EncroChat use by criminals ‘overstated’

Lakha said the NCA’s assertion that EncroChat was exclusively used by criminals was overstated and unjustified.

The NCA relied on a number of submissions to justify to Lord David Anderson, who provided legal advice to the Crown Prosecution Service on the EncroChat warrant applications, that the phone network was solely used by criminals. These included the cost of the service, its use of encryption, and a suggestion that EncroChat phones were not for sale online.

But Lakha said the use of encryption and a high cost does not evidence criminal activity and that, contrary to the NCA’s claims, EncroChat phones were available online on eBay.

He said tracked changes in the warrant application revealed that the application claimed there would be minimal collateral intrusion for innocent members of the public.

That was changed on the same day to say that there would be no collateral intrusion to members of the public, even though no new facts had emerged, to shore up the NCA’s warrant application, the court was told.

The position was inflated from EncroChat being mainly criminal, to majority criminal, to vast majority criminal with collateral intrusion possible, said Lakha.

However, a French legal document showed that of 380 phones active on French soil, 242, or 63.7%, were used for criminal purposes a month into the hacking operation.

The NCA asserted to Lord Anderson that 4% of EncroChat phones had not demonstrated a link to criminality, but said this was because there was insufficient data.

Lakha said, however, that when defence lawyers examined the underlying data, they found examples of phones with thousands of messages that did not show criminality.

“The concern is that the untested assessment of exclusive criminal use without the full and frank disclosure that should have accompanied it, misled the judicial commissioners, in the same way that Lord Anderson was misled,” he said.

The NCA closed its mind to the requirement for bulk interception, the court was told, because otherwise it would not be able to take advantage of Operation Emma and would suffer reputational damage.

Assumed facts

The Investigatory Powers Tribunal initially ordered the NCA to work with a technical expert, to conduct experiments to assess how the implants worked in practice.

But following a closed hearing with the NCA, this plan was dropped and the NCA agreed to proceed with the tribunal on the basis of the expert's hypothesis that EncroChat messages were obtained through intercept and decryption from the EncroChat server was correct.

Sir James Eadie KC, representing the NCA, told the court that many of the issues raised by the defendants’ lawyers had already been addressed in criminal hearings, preparatory cases and appeals, and had been rejected.

The core of the defence case is that EncroChat evidence was obtained while in the course of transmission and, as such, the TEI warrant granted to the NCA should be quashed, Eadie told the court.

But a key finding in Crown Court preparatory hearings, which have been upheld by the Court of Appeal, was that the EncroChat material was obtained while being stored.

They found that attacks on the credibility and motivation of NCA officers were without foundation and that Emma Sweeting had an open mind.

Eadie said the Court of Appeal judgments were binding on lower courts, including those – such as the IPT – that act as a tribunal.

Warrants have to be assessed on evidence at the time they were issued

He said the question for the IPT was whether the warrants were issued lawfully when assessed against the material, issues and judgments at the time the warrant was exercised.

Eadie said that facts established after a warrant had been issued could not invalidate a warrant issued before those facts were known.

“It is one thing to ensure the integrity of a scheme through protections of candour and judicial review,” he said. “It is quite another thing to open up a challenge through material or analysis that was not available at the time.

“There can always be challenges because an expert can say one thing on one day, and six months later someone turns up who calls themselves an expert and says something different.”

There was a risk that people could be penalised if their activities were made unlawful retrospectively, said Eadie.

The assertion that if the EncroChat material turns out not to be a stored communication, that is a breach of the Investigatory Powers Act, is not a credible interpretation of the intentions of Parliament, he said. “You run the risk of criminalising those who are not in a position to know.”

Even the defence expert is right and some part of the EncroChat intercept material was not taken from storage, that does not help the defence lawyers, said Eadie.

“If you have some new piece of evidence that was not, and should not, rationally have been made available at the time, that can’t be used for rending unlawful something that was perfectly lawful at the time,” he said.

The NCA officers did not close their minds to the mechanism by which EncroChat material was obtained, Eadie told the court: “They undertook more than sufficient enquiries. They did not seek to mislead judicial commissioners.”

Eadie said the duty of candour that the NCA owed to the judicial commissioners did not impose a requirement on the NCA to disclose the detailed chain of enquiry leading to the decision over which a warrant was required.

“The NCA reached the correct conclusion, that of a TEI, which was confirmed by Mr Decou,” he said. “The NCA had no reason to think that conclusion was unsound.”

Eadie said the Court of Appeal had found that EncroChat data was not intercepted while it was moving between handsets.

“The theory then being peddled was that the technique might have involved pseudo random numbers,” he said. “They went through all of that when that was the latest expert view being peddled and they were having none of it.”

A verdict is expected in early 2023.

The case continues.

Read more on Privacy and data protection

Data Center
Data Management