
UK courts face evidence ‘black hole’ over police EncroChat mass hacking

French investigators have refused to disclose how they downloaded millions of messages from a supposedly secure cryptophone network used by organised criminals – leaving UK courts to grapple with a forensic ‘black hole’ of evidence

Computer forensic and legal experts have questioned the “black hole” of evidence that surrounds intercepted communications from the encrypted phone network EncroChat used in evidence against organised crime groups across the UK.

They claim that law enforcement and prosecutors have not followed long-established forensic principles – potentially undermining evidence being used in prosecutions of people accused of using EncroChat to organise serious crimes.

French investigators broke the supposedly secure EncroChat encrypted mobile phone network which was used by 50,000 people worldwide, including 9,000 in the UK, in April last year, but have refused to disclose how they did it, citing national security.

The UK’s National Crime Agency (NCA), which received intercept evidence from the French gendarmerie through Europol, has made more than 1,550 arrests.

The NCA has refused to disclose how many people have been charged for crimes as a result of Operation Venetic, its investigation into EncroChat, but it emerged last week that about 450 defendants are challenging their prosecutions.

Duncan Campbell, who acted as a forensic expert in the first review of EncroChat evidence, told an online seminar last week that the way the cases have been brought presents “a profound challenge to long-established computer forensic evidence principles”.

The principles, laid out in the Good practice guide for computer-based electronic evidence produced by the Association of Chief Police Officers (ACPO) – now known as the National Police Chiefs’ Council – are designed to maintain the integrity and continuity of electronic evidence.

For example, they require investigating authorities to commission an independent audit covering how data was created and preserved, how it was acquired, what was done to make it secure, and to protect data from being maliciously changed.

In the case of EncroChat, however, Campbell said: “What we know about the exact mechanism, officially how the data was captured, is a large black hole. Not a single one of these principles can be applied – every one of them is breached.”

Brexit meant UK had to seek permission to work with French

As a direct consequence of Brexit, the UK was unable to take part directly in a joint operation with the French and Dutch authorities to harvest data from EncroChat.

That led to the NCA having to obtain a European Investigation Order on 11 March 2020 to request access to data obtained by the French gendarmerie.

The order allowed the NCA to receive millions of messages, photographs and notes stored on EncroChat phones that were channelled in daily batches through Europol’s SIENA computer system’s Large File Exchange (LFE).


How the French extracted the information has not been disclosed in the UK courts, for “defence security” reasons, leaving a significant gap in the evidence chain.

The Court of Appeal found, in a controversial decision on 6 February 2021, that messages harvested from the EncroChat phone network through “digital phone tapping” were admissible in UK courts, overturning previous legal precedents.

Juries may now face difficult decisions when asked to decide the guilt or innocence of people based on exfiltrated messages from EncroChat phones.

Campbell, speaking at a seminar organised by Fair Trials, said jurors may feel “repugnance” about convicting defendants based on claims about intercept material supplied by another country, in the absence of corroborating evidence.

Expert questions reliability of EncroChat intercept

Peter Sommer, professor of digital forensics at Birmingham City University, speaking at an earlier seminar organised by 25 Bedford Row on 3 March 2021, said there was “no continuity of evidence and no testable provenance” of the intercept material delivered by Europol to the NCA.

Guidelines on the reliability of evidence, including guidance by the UK’s forensic science regulator and the European Telecommunications Standards Institute (ETSI), have not been followed, leaving questions about the reliability of the EncroChat evidence, said Sommer.

EncroChat messages analysed by forensic experts and lawyers show “duplicated files or astonishing gaps”, messages that are bunched up in time, and in other cases defendants are saying that messages are missing, he said.

ACPO principles for digital evidence

1. No action should be taken by law enforcement that would change data.

Unknown: No information is available whether this principle has been complied with.

2. The person accessing original data must be competent and should be able to give evidence about their actions.

Fail: The French gendarmerie has refused to disclose how the intercept operation took place.

3. There should be an audit trail.

Fail: There is no audit trail of data passed from the French gendarmerie to the NCA.

4. The NCA gold commander in charge of the operation has responsibility for ensuring the ACPO principles are adhered to.

Fail: The gold commander accepted assurances about the data.

Source: Peter Sommer
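The following is an added illustration, not code from the article, the NCA, Europol or any of the experts quoted. It shows, in concrete terms, what two of the missing safeguards look like in practice: a hash-chained custody record that lets a later party verify that each daily batch arrived intact and was not altered afterwards (principles 1 and 3 above), and the kind of check Sommer describes for duplicated records, long gaps and messages bunched into a single timestamp. The batch payloads, message records, field names and the one-hour gap and five-per-second bunching thresholds are all constructed assumptions for the example.

```python
"""Evidence-continuity checks for the ACPO principles and the anomalies
described above (duplicates, gaps, bunched timestamps).

Added illustration, not code from the article, the NCA or Europol.
Batch payloads, message records, field names and the 1-hour gap /
5-per-second bunching thresholds are all constructed assumptions.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_custody_entry(trail, batch, payload: bytes, handler, received_at):
    """Principle 3: record who received which batch, when, and link each
    entry to the previous one so later alteration or removal is detectable."""
    entry = {
        "batch": batch,
        "payload_sha256": sha256_hex(payload),
        "handler": handler,
        "received_at": received_at,
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    trail.append(entry)
    return entry


def verify_custody_trail(trail, payloads):
    """Return a list of problems; an empty list means every entry is intact,
    the chain is continuous and every payload still matches its digest
    (Principle 1: the data was not changed after receipt)."""
    problems, prev_hash = [], GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev_hash:
            problems.append(f"entry {i}: chain broken")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            problems.append(f"entry {i}: custody record altered")
        payload = payloads.get(entry["batch"])
        if payload is None or sha256_hex(payload) != entry["payload_sha256"]:
            problems.append(f"entry {i}: payload {entry['batch']} missing or changed")
        prev_hash = entry["entry_hash"]
    return problems


def find_anomalies(messages, max_gap=timedelta(hours=1), burst_limit=5):
    """messages: list of {"id", "ts" (ISO 8601), "text"} in delivery order.
    Flags repeated message ids, gaps longer than max_gap, and more than
    burst_limit messages sharing one timestamp second."""
    times = [datetime.fromisoformat(m["ts"]) for m in messages]
    id_counts = Counter(m["id"] for m in messages)
    per_second = Counter(t.replace(microsecond=0) for t in times)
    return {
        "duplicate_ids": sorted(i for i, n in id_counts.items() if n > 1),
        "gaps": [(messages[i - 1]["id"], messages[i]["id"])
                 for i in range(1, len(times)) if times[i] - times[i - 1] > max_gap],
        "bursts": sorted(t.isoformat() for t, n in per_second.items() if n > burst_limit),
    }


# Constructed sample data: two daily batches and a short message sequence.
SAMPLE_PAYLOADS = {
    "batch-2020-04-01": b'{"messages": ["on my way", "ok"]}',
    "batch-2020-04-02": b'{"messages": ["late"]}',
}
SAMPLE_MESSAGES = [
    {"id": "m001", "ts": "2020-04-01T10:00:00", "text": "on my way"},
    {"id": "m002", "ts": "2020-04-01T10:00:30", "text": "ok"},
    {"id": "m002", "ts": "2020-04-01T10:00:30", "text": "ok"},    # duplicated record
    {"id": "m003", "ts": "2020-04-01T13:05:00", "text": "late"},  # three-hour gap
] + [{"id": f"m{n:03d}", "ts": "2020-04-01T13:05:01", "text": "x"} for n in range(4, 11)]


def demo():
    """Build a clean trail, then show what tampering and anomalies look like."""
    trail = []
    append_custody_entry(trail, "batch-2020-04-01", SAMPLE_PAYLOADS["batch-2020-04-01"],
                         "handler A", "2020-04-02T06:00:00")
    append_custody_entry(trail, "batch-2020-04-02", SAMPLE_PAYLOADS["batch-2020-04-02"],
                         "handler A", "2020-04-03T06:00:00")
    clean = verify_custody_trail(trail, SAMPLE_PAYLOADS)
    # Simulate a payload edited after receipt and a custody record rewritten.
    tampered = {**SAMPLE_PAYLOADS, "batch-2020-04-02": b'{"messages": ["early"]}'}
    edited = json.loads(json.dumps(trail))
    edited[0]["handler"] = "handler B"
    return {
        "clean": clean,
        "tampered": verify_custody_trail(edited, tampered),
        "anomalies": find_anomalies(SAMPLE_MESSAGES),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints an empty problem list for the untouched trail, two problems once a record and a payload have been altered, and the duplicated id, the gap and the burst in the sample messages. The point for a court is the second half of `verify_custody_trail`: without the digests recorded at the moment of receipt, a defence expert has nothing to compare the delivered batches against, which is the "no testable provenance" Sommer describes.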

The reliability tests are not theoretical, said Sommer, who is acting as an expert witness in a number of EncroChat cases. “You can show the anomalies quite easily – and it’s up to the prosecution to explain why they are there,” he added.

The UK had not been provided with full disclosure or detailed technical evidence from the French about how data was obtained, said Sommer. “We would like the server, we would like the handset, we would like the implant to observe what’s going on. We don’t have any of that.”

Questions have been raised about how the data was handled when the NCA passed it on to regional organised crime units.

But there are no issues with how the NCA handled the data, said the experts. “I would say they seem to have handled it according to really good principles,” said Campbell. “They make mistakes, they correct them, they tell us.”

Can phones be linked to suspects?

The success of prosecutions will depend on whether law enforcement officers can attribute incriminating messages or photographs harvested from EncroChat to individuals accused of crime.

By analysing a phone’s connections with cell towers, it is possible, for example, to identify that the owner was driving along a motorway.

“If it then turns out that, at the end of the motorway and at the beginning, there is a capture of my number plate, then the attribution becomes extremely strong,” said Campbell.

Another technique police are using is to match photographs harvested from EncroChat phones showing, for example, drugs on a table or in an outhouse, by comparing them with tables and outhouses photographed during raids.


Police may also have information or covert pictures from informers, or may have planted bugs in suspects’ houses, which can be matched up with the EncroChat evidence, he said.

The NCA applied for a targeted equipment interference warrant to harvest millions of messages from the EncroChat phones.

It used the assertion that EncroChat was overwhelmingly used for organised crime, money laundering and drug dealing as a legal basis for applying for a Targeted Equipment Interference (TEI) warrant.

“The police took a chance by surfing on probably incomplete evidence that every user or virtually every user of an EncroChat phone appeared to be playing a role in some kind of crime,” said Campbell.

They appear to have “lucked out” on the decision, he added, with no examples yet emerging of film stars or other privacy-concerned individuals using the phone network for non-criminal purposes.

