Over the past four years, I have handled numerous international cases involving SkyECC, Ennetcom, EncroChat, and other PGP- or crypto-phone networks. These networks were designed to guarantee privacy through end-to-end encryption and were allegedly used by criminals for secure communication, but they quickly attracted the attention of law enforcement.

What initially appeared to be an airtight weapon for prosecutors – massive hacks of encrypted messages that seemed to dismantle entire criminal networks – is becoming a legal minefield. To understand why, we first need a brief explanation of the technology. PGP (Pretty Good Privacy) and crypto-phones like EncroChat and SkyECC rely on asymmetric cryptography: messages are encrypted with public keys and can only be decrypted with private keys on the recipient’s device. This makes remote interception or cracking virtually impossible – unless the keys are intercepted or the network itself is hacked.

That is exactly what happened in the major police operations of 2019–2021. French and Dutch authorities developed advanced techniques in which they positioned themselves as a trusted party between the user and the server. Through invisible push notifications they injected malware to steal keys. This resulted in the seizure of millions of messages, which were then shared via European Investigation Orders (EIOs) with countries such as Italy, Spain, and Germany.

Now the tide appears to be turning: in various countries, defendants and their lawyers are demanding transparency about how the data was obtained. Judges across Europe can no longer ignore these requests; when access to the evidence is refused, the ultimate consequence is that the evidence can be excluded.

Let us start in France, the epicentre of these hacks. The Cour de Cassation, France’s highest court, delivered two judgments this year that pull the rug out from under the entire system. On 17 June 2025, the court ruled that intercepting or hacking phones located on the territory of an EU Member State without notification or consent is unlawful – even if the interception runs through French servers and the phone is temporarily outside France.

Questions of jurisdiction

Imagine, for example, a SkyECC user in Spain receiving a push notification that secretly forwards keys to the police. According to this ruling, Spain must be explicitly informed; otherwise, the hack is invalid. This aligns with an earlier judgment of the Court of Justice of the European Union (CJEU) of 30 April 2024 in the case Staatsanwaltschaft Berlin v. M.N., which emphasised that Article 31 of Directive 2014/41 protects not only states but also the rights of individual users. The focus is on the defence rights of suspects, not diplomatic courtesies. Technically, this concerns sovereignty: a hack does not only affect servers in France (such as those in Roubaix) but also the physical location of the phone, where local laws on privacy and data seizure apply.

Even more explosive was the judgment of 16 September 2025. In that case, the Cour de Cassation stayed proceedings and referred preliminary questions to the CJEU. The core issue: does the use of SkyECC or EncroChat data in other EU countries provide sufficient safeguards for the defence? Can the legality of the source collection (the hack itself) be left entirely to France via the European Investigation Order (EIO), without the defence in the receiving country gaining access to the French raw data or the procedure? Preliminary questions are like an alarm bell: they ask the CJEU for a binding interpretation of EU law. These questions strike at the heart of tens of thousands of ongoing cases: if the CJEU rules that the French procedure is inadequate, the evidence will collapse like a house of cards – across the whole of Europe.

Technically, this revolves around “raw data”: the unprocessed capture files (such as PCAP or JSON) that include hashes and digital signatures to prove integrity. Without access to these, the defence cannot, for example, check whether data was manipulated during filtering – a process in which algorithms sort and translate messages.
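
To make concrete what access to raw data allows, here is an added sketch (not taken from any case file or police tooling) of the check a defence expert could run: recompute each disclosed raw record's hash against the capture-time manifest, then compare the filtered set against the raw records. The record layout, field names and sample messages are constructed for illustration. It assumes the manifest itself has already been authenticated and that the filtered set carries the original message text next to any translation.

```python
import hashlib
import json

def record_digest(record):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def audit(raw_records, manifest, filtered):
    """Check disclosed raw records against the capture-time manifest, then
    check the filtered (processed) set against those raw records."""
    raw = {r["id"]: r for r in raw_records}
    out = {"missing_raw": [], "tampered_raw": [], "unsourced": [],
           "altered": [], "dropped": []}
    for rid, expected in manifest.items():
        if rid not in raw:
            out["missing_raw"].append(rid)       # listed at capture, not disclosed
        elif record_digest(raw[rid]) != expected:
            out["tampered_raw"].append(rid)      # changed after capture
    for msg in filtered:
        src = raw.get(msg["id"])
        if src is None:
            out["unsourced"].append(msg["id"])   # no raw record behind it
        elif msg["body"] != src["body"]:
            out["altered"].append(msg["id"])     # text differs from capture
    seen = {m["id"] for m in filtered}
    out["dropped"] = sorted(set(raw) - seen)     # removed by the filter
    return out

# Constructed sample data; the field names are hypothetical.
CAPTURED = [
    {"id": "m1", "sender": "user-a", "body": "meet at 9"},
    {"id": "m2", "sender": "user-b", "body": "ok"},
    {"id": "m3", "sender": "user-a", "body": "call me"},
]
# Manifest as produced at capture time (assumed already authenticated,
# e.g. by verifying the digital signature over it).
MANIFEST = {r["id"]: record_digest(r) for r in CAPTURED}

# What the defence receives: m2's sender was changed after capture.
DISCLOSED = [CAPTURED[0], {**CAPTURED[1], "sender": "user-c"}, CAPTURED[2]]
FILTERED = [
    {"id": "m1", "body": "meet at 9"},
    {"id": "m3", "body": "call me now"},
    {"id": "m9", "body": "send it"},
]

if __name__ == "__main__":
    print(json.dumps(audit(DISCLOSED, MANIFEST, FILTERED), indent=2))
```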

Switzerland rejected Sky ECC evidence

Outside the EU, a similar message is being heard. On 15 August 2025, the Obergericht des Kantons Zürich in Switzerland fully excluded SkyECC data as evidence. Reason: a blatant violation of the territoriality principle. French authorities used a technique developed in the Netherlands, in which cryptographic keys (private keys) were intercepted directly from phones on Swiss territory via invisible push notifications. No mutual legal assistance request, no consent – pure infringement of Swiss sovereignty. The Swiss high court’s ruling: all related data, transcripts, and derivative evidence are invalid. This illustrates how non-EU countries reject this evidence and undermines the French narrative that the interception took place “purely on French servers.” In reality, the hack always affects the territory where the phone is located.

And then the latest news from Strasbourg: on 17 November 2025, the European Court of Human Rights (ECtHR) for the first time communicated questions in an EncroChat case (Silgir v. Germany). The ECtHR asks whether this constitutes an unlawful interference with private life (Article 8 ECHR) but, more importantly: did the defendant receive a fair trial (Article 6 ECHR)? The Court explicitly refers to its Grand Chamber judgment in Yalçınkaya v. Turkey (2023), which imposes strict requirements on the assessment of digital evidence in criminal proceedings. “Communication” by the ECtHR means that the complaint has passed admissibility and will be considered on the merits – potentially groundbreaking case law.