EncroChat ruling has ‘far-reaching effects’ for legal role of interception in UK investigations

The computer forensic experts involved in the review of police use of data hacked from the ultra-secure EncroChat phone network assess the impact of the Appeal Court ruling on future legal use of intercept evidence  

Duncan Campbell and Dr Ian Brown were the only computer forensic expert  witnesses for the first evidence review of police use of data hacked during 2020 from the ultra secure EncroChat phone network, claimed to be dedicated for the use of serious criminals. Here they assess the impact of the appeal court verdict on future legal use of intercept evidence.

The key question considered by the Court of Appeal was the distinction between temporary, transient, random-access memory (RAM) and permanent data storage in modern digital communications systems.

In computer science and technology, the distinction between memory and storage is fundamental. Until 2021, RAM and processor registers and memory store areas were understood to be an integral part of every digital transmission system – unlike records such as voicemails left and stored when phone calls do not connect.

There now appears to be no legal distinction between temporary memory and data stores inside computing devices. The Appeal Court explained: “The 2016 Act does not use technical terms ... experts have an important role in explaining how a system works, but no role whatever in construing an Act of Parliament.”

The court said that when data in a phone call, video call or message is temporarily held in RAM as an “essential part” of a transmission system, it is “stored”. This was true even if data was stored only for nanoseconds. “Parliament has not chosen to define the ‘relevant time’ when interception takes place by reference to whether the communication is in the RAM of the device at the point of the extraction,” the court pointed out.

The UK is the only country in the common law world that bans the use of intercept evidence in legal proceedings, and has even criminalised enquiries or suggestions about whether interception has been used. Britain’s 65-year-old ban is “archaic, unnecessary and counter-productive”, according to the all-party criminal law reform group Justice.

The UK’s Investigatory Powers Act 2016 requires ISPs and CSPs secretly to install additional software and equipment to carry out authorised “lawful interception” of telecommunications. Except for some new types of “bulk interception”, this is normally done by software inside switches and routers, not by tapping into fibres or intercepting radio transmissions.

The new ruling could enable police and other agencies, when tapping computers or phone calls carried or switched digitally, to decide to bring intercepts into evidence when they choose, merely by obtaining an “equipment interference” warrant to cover the role of the software alterations installed to do lawful interception. The decision fundamentally changes UK policy on intercept evidence, based on the new legal meaning of “memory”.

When we experience “latency” in phone or video calls, meaning that information may be seen or heard or messages received seconds or even many seconds after the event, most of the delay is the time the data spends in numerous RAM stores and registers en route, including during analogue-to-digital conversions, buffering, serialisation and digital signal processing. Because of this, most data communications spend almost all of their transmission time in transient storage – so could now legally be copied using warrants for equipment interference applied at any midway point.

A call going from Birmingham to London (200km along roadside or railside routes) could, in theory, travel at just under the speed of light in air, or at two-thirds of the speed of light in a cable, so would reach a London listener in about a millisecond. If the actual delay is a hundred milliseconds (one-tenth of a second) or more, the data has been in some form of storage, and could be copied without “intercepting” during at least 99% of its journey.

The Court of Appeal verdict says that former legal understandings of when a communication starts and stops are an “obvious error”. Under previous rulings, transmission was defined to start when a microphone hears a speaker, and to end when a recipient hears loudspeaker sound from their receiver.

Previous understandings of law were irrelevant and “do not ... assist in this exercise”, the Court of Appeal said – including all its own former decisions and also the Privacy and Electronic Communications Directive. “The 2016 (Investigatory Powers) Act is a new statute ... there is no relevant authority,” it said.

This decision means that the start of transmission might be when data leaves or enters a mobile phone, or it could be when data was encrypted or decrypted. The court did not provide a replacement definition.

Experts advising Parliament in 2016 were never asked to contemplate that previous legal and technical definitions might be set aside after the law was passed. “Although a number of submissions were received suggesting revocation of the special laws making intercept material evidentially inadmissible, I did not forecast the implications of the particular methods used in Operation Venetic where data was apparently siphoned from handsets,”  said Peter Sommer, who advised the Joint Lords and Commons Select Committee carrying out the pre-legislative scrutiny, “nor that in future there would be this level of confusion between what constituted interception and what amounts to equipment interference. The Bill, now the Act, had over 200 clauses plus many schedules and Parliament did not give itself much time to consider all the consequences.”

These decisions have fundamental and far-reaching effects on the legal role of interception in future UK investigations and cases. Parliament and judges will have to address the new and unresolved uncertainties about the legal meaning of “transmission”. These questions call out for the Intelligence and Security Committee and the Investigatory Powers Tribunal to take a detailed look at the technical and legal issues raised, and to make them clear.

Read more on IT risk management

Data Center
Data Management