William - stock.adobe.com

Investigatory Powers Tribunal finds NCA EncroChat hacking warrants were lawful

Investigatory Powers Tribunal refers questions over whether messages obtained from the EncroChat encrypted phone network are legally admissible back to the criminal court

The National Crime Agency (NCA) lawfully obtained warrants to receive messages from the hacked EncroChat encrypted phone network widely used by organised criminals, a court has found.

The Investigatory Powers Tribunal (IPT) rejected claims from defence lawyers that the NCA withheld critical information when it applied to a senior judge for a warrant to obtain messages from the encrypted phone network.

But in a significant legal move, the IPT referred questions about the legal admissibility of EncroChat evidence back to the criminal courts to resolve, opening up the way for further legal challenges.

The decision comes as prosecution lawyers are attempting to obtain a public interest immunity certificate to withhold information from defence lawyers about how the hack was carried out, on national security grounds. Defence lawyers argue that the information should be disclosed to enable defendants to have a fair trial.

Today’s judgment will be welcomed by the National Crime Agency, which reported in March 2022 that some 2,631 people had been arrested, 1,384 had been charged and 260 convicted. Police had also seized five-and-a-half tons of class A drugs, 165 weapons and £75m in cash.

The NCA obtained the messages sent by 9,000 EncroChat phone users in the UK from French and Dutch police, who collaborated in an operation to hack EncroChat by infiltrating its servers at the OVH datacentre in Roubaix, France.

French investigators developed a software implant that was uploaded as an update to EncroChat handsets and was able to exfiltrate millions of supposedly encrypted messages sent by users of the phones between 1 April and 11 June 2020.

The tribunal found that the refusal of courts to admit evidence obtained by interception during the course of transmission was a policy decision to preserve the use of the technique for intelligence purposes.  

“It is not rooted in any concept that to admit evidence of that sort would be unfair,” the tribunal said, adding that it would not be inconsistent with human rights law to use intercept evidence in courts.

Duty of candour

The case, brought by 11 claimants, hinged on whether French investigators obtained the EncroChat messages while they were stored in phone handsets or whether they intercepted the messages while they were being transmitted.

Under UK law, electronic communications intercepted during transmission are inadmissible in criminal proceedings and require targeted interception (TI) warrants, rather than the targeted equipment interference (TEI) – hacking – warrants obtained by the crime agency.

During hearings in September and December 2022, defence lawyers argued that the NCA failed in its duty of candour to the judicial commissioner responsible for authorising its hacking warrant.

But the tribunal found that the NCA only had to have reasonable grounds to believe that the information it presented to the judicial commissioner was accurate at the time it applied for the warrant.

“We are not satisfied that the decision of the judicial commissioner might have been different had the NCA provided the information that the claimants said they should have done,” the judgment said.

NCA did not have closed mind

The tribunal rejected arguments by defence lawyers that the NCA had “closed its mind” to the possibility that anything other than a TEI warrant – the only warrant that would allow EncroChat evidence to be used in court – would be needed to authorise its receipt of EncroChat messages.

The tribunal also rejected claims by defence lawyers that the NCA had deliberately decided not to allow EncroChat phones in its possession to be infected by the French implant to avoid discovering whether the implant was compatible with the warrants it had applied for.

“We are not satisfied that there was a deliberate decision to avoid inquiry of this sort,” it said.

Credible and reliable evidence

The judges found that the “core” evidence given by NCA intelligence officer Emma Sweeting over a key meeting with her French counterpart, Jeremy Decou, to confirm how the implant worked was “credible and reliable”.

The court heard that Sweeting had typed an email on her computer setting out her understanding that the implant obtained messages from storage in the handset and showed it to Decou – who spoke poor English – who verbally agreed it was correct.

The NCA used the email as the basis for its warrant application without seeking confirmation in writing from the French, the tribunal heard.

The four issues dealt with by the IPT ruling

  1. Whether the National Crime Agency (NCA) failed in its duty of candour when it sought approval from the judicial commissioner, with the result that the warrant should be set aside.

    Verdict: The NCA did not fail in any material respect in fulfilling the duty of candour on it when seeking approval of the targeted equipment interference (TEI) warrant from the judicial commissioner.

  2. Whether the NCA was required to obtain a mutual assistance warrant by reason of section 10 of the Investigatory Powers Act, and whether the absence of such a warrant rendered the making of the European Investigation Order (EIO) unlawful.

    Verdict: The tribunal does not have jurisdiction in relation to the question of whether the EIO was made lawfully.

  3. Whether the NCA was required to obtain a targeted interference (TI) warrant to lawfully acquire the EncroChat data, because of section 9 of the Investigatory Powers Act.

    Verdict: The NCA did not need to obtain a TI warrant.

  4. Whether the NCA was required to obtain a bulk equipment interference warrant to lawfully obtain the EncroChat data.

    Verdict: The NCA did not need to obtain a bulk equipment interference warrant.

The judges, however, rejected claims by the defence lawyers that the circumstances of Decou’s confirmation of the interception technique should have been disclosed by the NCA in its warrant application.

“The central complaint is, in our judgment, without substance. M Decou is an officer of the Gendarmerie. He had, on our finding, confirmed the methodology as described in the application for the TEI warrant,” the court found.

The tribunal found that if the NCA had provided the judicial commissioner with further details of how it had reached its conclusions about the operation of the implant, it would have made no difference to the commissioner’s decision to grant the warrant.

That would still be the case if it subsequently emerged that the implant obtained EncroChat messages in a way that had not been authorised by the warrant.

“From the point of view of the commissioner, he was authorising conduct, which was the collection and sharing of stored data from the devices,” the judges wrote. “If anything else were to happen…he was not being asked to authorise it, nor was he doing so.”

The tribunal also rejected arguments by defence lawyers that the NCA should have applied for a TI warrant, rather than the TEI warrant, to lawfully obtain EncroChat material.

Defence lawyers argued that a TI warrant would have allowed the NCA to obtain communications intercepted in the course of transmission, and would also have permitted the interception of messages stored on EncroChat handsets.

Bulk equipment interference

During the tribunal hearings, defence lawyers questioned claims by the NCA that EncroChat phones were used solely for criminal purposes and that the intercepted material was used in a “single operation” – a key requirement of the warrant.

Defence lawyers also argued that the NCA intended to collect details of Wi-Fi networks used by EncroChat phones, which would have collected data belonging to innocent members of the public. They said that amounted to bulk equipment interference that would not have been approved under the NCA’s TEI warrant.

The tribunal found that the investigation into EncroChat could correctly be characterised as a single operation, despite it leading to hundreds of separate criminal investigations.

The judgment found EncroChat had been extensively used for criminal purposes, citing evidence that out of 7,404 UK-based EncroChat phones, 294 had not demonstrated a clear link to criminality.

Live interception – not decided

The tribunal did not decide whether the EncroChat interception carried out was in accordance with the TEI warrant obtained by the NCA.

It rejected arguments from the crime agency that any inquiry into expert evidence about the nature of the interception would undermine the protection that Parliament had intended to give to organisations executing warrants.

“It follows that we are satisfied that it will be necessary to determine whether the interception was of communications in the course of their transmission,” it said.

The tribunal said it would decide on other issues raised by defendants, including whether there had been any breaches of human rights law, once the Crown Court proceedings had resolved whether messages intercepted from EncroChat were admissible.

An NCA spokesman said following the verdict: “We will continue to work with the Crown Prosecution Service to do all we can to bring offenders to justice and protect the public from serious organised crime.”

The case can be appealed to the Court of Appeal.

Read more reports about the IPT EncroChat hearings

28 Dec 2022: NCA lawyers argue that a decision by an NCA intelligence officer to disclose notes of a key meeting after two-and-a-half years boosts her credibility as a witness.

22 Dec 2022: The National Crime Agency argued at the Investigatory Powers Tribunal that expert evidence it agreed to ‘take as read’ is limited, flawed and often based on an incorrect interpretation of the law.

16 Dec 2022: Defence lawyers claim NCA witness gave unreliable evidence on EncroChat hacking operation.

15 Dec 2022: EncroChat hacking warrant was unlawful and in breach of human rights law, the Investigatory Powers Tribunal hears.

23 Sept 2022: The National Crime Agency did not seek a written explanation of a French hacking technique before applying for a surveillance warrant to use French “intercept” in the UK, a court heard.

23 Sept 2022: Investigatory Powers Tribunal hears that the National Crime Agency made ‘serious and fundamental errors’.

Read more on Hackers and cybercrime prevention

Data Center
Data Management