Apple encryption row: Does law enforcement need to use Technical Capability Notices?

History shows that law enforcement can bring successful prosecutions without the need for the Home Office to introduce ‘backdoors’ into end-to-end encryption

How far are criminal investigations inhibited by the wide availability of end-to-end encryption (E2E)?

The Home Office and UK law enforcement agencies think the problem is urgent, hence the politically tricky decision to use a little-known feature of the Investigatory Powers legislation – the Technical Capability Notice – to seek to impose back-door conditions on Apple’s Advanced Data Protection (ADP) system. Most observers see this as a test case for future control over many other E2E services such as WhatsApp, Facebook Messenger, Signal and Telegram.

But an examination of some recent high-profile cases shows that successful prosecutions are possible even where apparently robust end-to-end encryption (E2E) has been deployed by suspects. What needs to be understood is that E2E communications are often only one element in a possible criminal enterprise and that other traces of criminal activity can be found by conventional investigatory techniques.

Moreover, elsewhere in the Investigatory Powers Act (IPA) 2016 is the ability to obtain warrants to hack, referred to as Equipment Interference. Where end-to-end encryption is deployed, encryption and decryption only take place on the smartphone handset or a computer, rendering data traffic unreadable even by Apple or WhatsApp and other service providers. But if you can hack the device remotely to read its contents, those contents will be viewable unencrypted.

Operation Venetic

This is what happened in the National Crime Agency’s biggest investigation to date, Operation Venetic. The handsets in question, called EncroChat, used a variety of anti-surveillance techniques which, for a while between 2016 and 2020, gave their customers, many of them involved in serious organised crime, the illusion of safety from scrutiny. E2E was used for handset-to-handset communications. The phones themselves were highly resistant to conventional forensic examination, even when seized.

The breakthrough technique was developed by the Dutch and French, with the French in operational control, and consisted of using a “tool” or “implant” to hack. The tool was uploaded covertly and enabled covert data exfiltration. Legally it fell into the category of Targeted Equipment Interference under Part 5, IPA 2016.

Between April and mid-June 2020, vast quantities of messages and photos were downloaded, and the UK-related ones ended up as evidence in UK trials. Defence lawyers and experts mounted a number of vigorous objections to the admissibility and reliability of the Venetic evidence but, in the end, in nearly all cases the product was admitted and, in the words of the NCA, thousands of conspiracies involving wholesaling of narcotics and murder were successfully penetrated.

Covert hacking tools

There is no serious shortage of “tools” available to law enforcement to achieve covert hacking. Among such tools that have been identified are Pegasus from the Israeli NSO Group, Hermit, Graphite and Predator. Within the Snowden files, now over 11 years old, are references to Tailored Access Operations. It is a reasonable assumption that there are other such tools which have avoided publicity.

But there were many successful prosecutions of serious criminal activity before the Dutch/French intervention. Suspects were found in possession of EncroChat phones – their contents could not be read but there was enough evidence available by conventional means.

I acted as a prosecution expert in many of these cases brought by the NCA and Regional Organised Crime Units (ROCUs). They included Operations Tradite, Meropia, Clubman, Hammer, Sparkle and others. My role was as a supplement to already well-researched investigations – to describe the known functions of the phones and to point to their very high cost - £1500 outlay and £800 to renew after 6 months. I must have considered over 100 such phones.

Other sources of evidence

So what were the ingredients of those successful pre-Venetic EncroChat cases? Among them were simple observation of people with apparently suspiciously excessive lifestyles, open source intelligence from social media, informants, formal directed surveillance, CHIS (covert human intelligence sources), CCTV both public and private, and information from other investigations.

Once there was reasonable suspicion, warrants could be obtained for communications data. Encrophones could only communicate with other Encrophones, so everyone who had one also had a regular smartphone.

Communications data shows who is in contact with whom, which helps to discover conspiracies. Through cellsite analysis it also shows the geo-movements of the phone’s owner, which might reveal county lines of drug distribution.

Financial records could be obtained. The activity of identified vehicles could be tracked by ANPR (automatic number plate recognition). In suitable circumstances a “property interference” warrant enabled audio and video bugs to be placed in buildings and vehicles.

Equipment Interference

According to the Investigatory Powers Commissioner’s Office (IPCO), some 1100 equipment interference warrants have been issued to law enforcement annually, though most of these do not produce admitted evidence as the authorities have sought public interest immunity (PII) certificates to prevent their disclosure.

Also possible, though only usable for intelligence not evidence, were warrants for interception of traffic in transmission. Finally, as an investigation reached a crescendo, premises searches might produce drugs paraphernalia, weaponry, untoward quantities of cash and unfortunate items of literature.

A particularly important ingredient has been the use of link analysis software, which combines and visualises all these separate strands of evidence. Such tools are great for investigators but are also useful for producing court exhibits to show to juries.

Examples are available from Chorus, I2, Cambridge Intelligence and others. Similar techniques can be and are used in terrorist cases and against paedophile rings. In cybercrime and IP piracy cases “communications data” can also include IP addresses and logging activity.

All of these techniques present few of the political challenges faced by the Home Office’s attempt to bring the “breaking” of strong encryption within the definition of the Technical Capability Notice.

The political challenges include the risks of weakening the legitimate use of encryption in e-commerce, online banking, health records and compliance with data protection legislation and, more recently, US sovereign objections to UK law enforcement issuing broad-based orders to major US companies.

Professor Peter Sommer is a digital evidence expert witness

Timeline of UK government’s order for a backdoor into Apple’s encrypted iCloud service

11 June: WhatsApp seeks to join Apple in legal challenge against Home Office encryption orders – WhatsApp today applied to intervene in an Investigatory Powers Tribunal case that is considering the UK’s ability to issue a technical capability notice on Apple to ‘weaken encryption’.

11 June: Government using national security as ‘smokescreen’ in Apple encryption row – Senior Conservative MP David Davis says the Home Office should disclose how many secret orders it has issued against telecoms and internet companies to Parliament.

5 June: US politicians are calling for Congress to rewrite the US Cloud Act to prevent the UK issuing orders to require US tech companies to introduce ‘backdoors’ in end-to-end encrypted messaging and storage.

15 April: The Investigatory Powers Tribunal is a semi-secret judicial body that has made significant legal rulings on privacy, surveillance and the use of investigatory powers. What does it do and why is it important?

7 April: Investigatory Powers Tribunal rejects Home Office arguments that identifying the ‘bare details’ of legal action by Apple would damage national security, leaving open possibility of future open court hearings.

2 April: Apple has appealed to the Investigatory Powers Tribunal over an order by home secretary Yvette Cooper to give the UK access to customers’ data protected by Advanced Data Protection encryption. What happens next?

7 February: Tech companies brace after UK demands backdoor access to Apple cloud – The UK has served a notice on Apple demanding backdoor access to encrypted data stored by users anywhere in the world on Apple’s cloud service.

10 February: Apple: British techies to advise on ‘devastating’ UK global crypto power grab – A hitherto unknown British organisation, which even the government may have forgotten about, is about to be drawn into a global technical and financial battle, facing threats from Apple to pull out of the UK.

13 February: UK accused of political ‘foreign cyber attack’ on US after serving secret snooping order on Apple – US administration asked to kick UK out of 65-year-old UK-US Five Eyes intelligence sharing agreement after secret order to access encrypted data of Apple users.

14 February: Top cryptography experts join calls for UK to drop plans to snoop on Apple’s encrypted data – Some of the world’s leading computer science experts have signed an open letter calling for home secretary Yvette Cooper to drop a controversial secret order to require Apple to provide access to users’ encrypted data.

21 February: Apple withdraws encrypted iCloud storage from UK after government demands ‘backdoor’ access – After the Home Office issued a secret order for Apple to open up a backdoor in its encrypted storage, the tech company has instead chosen to withdraw the service from the UK.

26 February: US intelligence chief Tulsi Gabbard probes UK demand for Apple’s encrypted data – A secret order issued by the UK against Apple would be a ‘clear and egregious violation’ if it provides back door access to Americans’ encrypted data, says US director of national intelligence.

5 March: Apple IPT appeal against backdoor encryption order is test case for bigger targets – The Home Office decision to target Apple with an order requiring access to users’ encrypted data is widely seen as a ‘stalking horse’ for attacks against encrypted messaging services WhatsApp, Telegram and Signal.

11 March: Secret London tribunal to hear appeal in Apple vs government battle over encryption – A secret tribunal is due to meet at the High Court in London to hear tech giant Apple appeal against a Home Office order to compromise the encryption of data stored by its customers on the iCloud service worldwide.

13 March: US Congress demands UK lifts gag on Apple encryption order – Apple and Google have told US lawmakers that they cannot tell Congress whether they have received technical capability notices from the UK.

14 March: The Investigatory Powers Tribunal holds a day-long secret hearing into an appeal brought by Apple against a government notice requiring it to provide law enforcement access to data encrypted by its Advanced Data Protection service on the iCloud, despite calls for the hearing to be opened to the public.

24 March: Gus Hosein, executive director of Privacy International – Why I am challenging Yvette Cooper’s ‘secret backdoor’ order against Apple’s encryption.

31 March: Apple devices are at ‘most risk’ in UK following government ‘backdoor’ order, Lord Strasburger tells the House of Lords as a Home Office minister declines to give answers.
