TechTarget

Felipe Caparrós - stock.adobe.c

News

French supreme court dismisses legal challenge to EncroChat cryptophone evidence

Defence lawyers plan to appeal to the European Court of Human Rights after the French supreme court disallowed an appeal over the legality of EncroChat evidence

Bill Goodwin
By
Published: 06 Sep 2023 15:33

The French supreme court has dismissed a legal challenge over the lawfulness of evidence obtained by a police hacking operation into the EncroChat encrypted phone network.

The Cour de Cassation in Paris yesterday (5 September 2023) rejected claims that French prosecutors failed in their duty to provide a certificate to verify the accuracy of EncroChat data used as evidence in criminal prosecutions.

The decision is the latest in a long-running series of legal challenges to a novel operation by French and Dutch police to harvest millions of encrypted messages from the EncroChat encrypted phone network, widely used by organised crime groups.

French defence lawyers said in a statement following the court’s decision that they would launch further appeals to the European Court of Human Rights (ECHR) and the Constitutional Council, France’s highest legal authority.

“According to our analysis, this decision is contrary to European and constitutional law. We will therefore be taking our case to the ECHR and lodging a new appeal with the Constitutional Council,” lawyer Guillaume Martin wrote on X, formerly Twitter.

Details of the EncroChat hacking operation are protected from disclosure under French “defence secrecy” laws, but lawyers argue that the Gendarmerie should disclose information about how the EncroChat data was obtained, and certify its authenticity, to enable them to mount a proper defence.

French cyber experts harvested 120 million messages from EncroChat phone users in multiple countries between April and June 2020, providing intelligence and evidence on the activities of criminal groups. The operation led to 6,500 arrests of people involved in organised crime and drug trafficking and seizures of €900m over the past three years, Europol announced in June 2023.

The novel hacking operation has led to legal challenges in the UK, Germany, France and at the Court of Justice of the European Union, as the courts grapple with untested areas of law.

Defence lawyers in seven countries have claimed the “unprecedented secrecy” around the police hacking operation had made it impossible for their clients to have a fair trial – a claim that is disputed by police and prosecutors.

The Cour de Cassation’s decision follows an appeal by lawyers against a January 2023 ruling by the Court of Appeal in Metz in north-east France, which found no legal grounds for disclosing more information about the hacking operation.

The Metz court found that EncroChat messages were collected by the French police in unencrypted form. In a 30-page ruling, it said this meant there was no requirement under French law for prosecutors to provide a certificate of authenticity to verify the data, which the court found is only required under French law when data is decrypted.

The court also refused a request from defence lawyers to provide technical details of the how French police carried put the hacking operation, on the grounds that the relevant section of the criminal code requiring disclosure of technical details did not apply in the EncroChat operation.

“It cannot therefore be claimed that all the data from the EncroChat messaging was captured illegally and that its capture and exploitation would be invalid,” the court ruled.

Commenting on the supreme court’s decision to dismiss the appeal against the Metz ruling, defence lawyer Robin Binsard said in a statement that the Cour de Cassation’s conclusion that a certificate of authenticity is only required to verify data that has been decrypted appeared inaccurate.

He said this interpretation appeared contrary to the position taken by the Cour de Cassation in an earlier decision on 8 April 2022.

“This is why we intend to refer a new priority question relating to the conformity of this case law with the constitution,” said Binsard. “More broadly, it appears inconceivable, under the prism of the right to a fair trail and the rights of the defence, that the use of defence secrecy by investigators is not accompanied by any safeguards.”

In addition to appealing to the European Court of Human Rights, Binsard said he planned to raise further legal challenges relating to the French capture of data outside of French jurisdiction.

Investigations began in 2017

The French Gendarmerie began investigating EncroChat in 2017 after recovering EncroChat encrypted phones from organised crime groups involved in drug trafficking.

EncroChat phones promised users a secure, encrypted, anonymous messaging service and offered the ability to wipe the phone using a PIN code in an emergency.

The phones were based on modified Android BQ Aquaris X2 and X3 phones equipped with a SIM card supplied by Dutch phone network KPN. They were sold through a network of resellers for around €1,000 each, paid in cash or bitcoin, with a six-month contract costing a further €1,500.

Police investigations led to the discovery of EncroChat servers hosted at a datacentre run by cloud company OVH in Roubaix, France. Investigators were able to reverse engineer a network of over 70 virtual machines used by EncroChat.

Police were able to analyse tables of data containing information relating to payments, users and resellers, including the pseudonyms used by resellers linked to delivery addresses, IMEI numbers and monthly data consumption of SIM cards.

France’s internal intelligence agency, DGSI, supplied a software implant, delivered to phones as a software update, which harvested data from infected phones.

Legal challenges

The Court of Justice of the European Union (CJEU) is expected to issue an initial opinion over the coming months on whether EncroChat evidence can be lawfully used as evidence in courts in the European Union (EU).

The case could have implications for hundreds of prosecutions of people accused of drug dealing and organised crime on the basis of hacked messages from EncroChat, and another encrypted phone network Sky ECC, where there is no supporting evidence of criminality, if the CJEU ultimately finds there were breaches of EU law.

Questions about whether the use of EncroChat data in German courts is constitutional have yet to be resolved, according to a judgment by Germany’s Federal Constitutional Court on 5 September 2023. Five complaints are waiting to be heard by the court.

In the UK, the Investigatory Powers Tribunal (IPT) found in May that the National Crime Agency (NCA) lawfully obtained warrants to receive messages from the hacked EncroChat encrypted phones from Europol. The tribunal rejected claims from defence lawyers that the NCA withheld critical information when it applied to a senior judge for a warrant to obtain messages from the encrypted phone network.

The IPT referred the question of whether EncroChat is legally admissible back to crown courts to decide. Defence lawyers are challenging the evidence in a number of ongoing cases.

More than 1,100 people have been convicted under Operation Venetic, which has led to more than 3,000 arrests across the UK, and more than 2,000 suspects being charged. Police have seized nearly six-and-a-half tonnes of cocaine, more than three tonnes of heroin and almost fourteen-and-a-half tonnes of cannabis, along with 173 firearms, 3,500 rounds of ammunition and £80m in cash from organised crime groups. 

Read more about the French legal challenge to EncroChat

    Read more on Hackers and cybercrime prevention

    CIO
    Security
    Networking
    Data Center
    Data Management
    Close