Berlin court finds EncroChat intercept evidence cannot be used in criminal trials
In a major setback for police hacking operations, Berlin’s regional court has decided that intercepted data from the EncroChat phone network should not be used in criminal prosecutions
Messages intercepted by French police during a sophisticated hacking operation into the encrypted phone network EncroChat cannot be used in evidence, a German court has found.
The Berlin Regional Court ruled that data obtained in a joint operation by the French and the Dutch to harvest millions of text messages from EncroChat users was in breach of German law.
This is the first time a German court has found evidence from EncroChat to be legally inadmissible.
The Berlin public prosecutor said in an announcement on Twitter that it would appeal against the decision.
The prosecutor said the decision in Berlin was in contrast to all previous decisions by higher regional courts in Germany, which have accepted EncroChat evidence.
If the Berlin court’s decision is upheld, the trials of hundreds of suspects in Germany accused of drug trafficking could be thrown into doubt.
The decision, on 1 July 2021, came as courts in the UK, France and the Netherlands face similar legal challenges over the admissibility of evidence from the EncroChat phone network, which UK police claim was almost entirely used by organised crime groups.
Defence lawyer Oliver Wallasch told Computer Weekly that the case was “of the utmost importance” in upholding the privacy rights of German citizens.
He said the Berlin decision “shows that substantial human rights and procedural safeguards are in place, even though police and prosecution would like to focus only on getting potential criminals behind bars”.
The court released a defendant accused of 16 counts of drug trafficking after finding that the only evidence against him consisted of messages intercepted by the French police from an EncroChat encrypted phone.
The court said the use of data from EncroChat users on German territory, without any concrete grounds for suspicion against the individuals affected, was in breach of German law.
Novel hacking operation
In a novel hacking operation in April 2020, the French Gendarmerie’s Centre for Combating Digital Crime (C3N) gained access to EncroChat’s servers, housed at the French datacentre provider OVH in Roubaix.
The French, working jointly with the Dutch police and the UK’s National Crime Agency, were able to harvest encrypted messages from the EncroChat network.
More than 32,000 phone users in 122 countries were affected, regardless of whether the users were criminal or not, the Berlin court found.
Specialists at C3N collected the messages and passed them on to Europol, which packaged them up according to country of origin and shared them with police forces in Germany, the UK and other countries.
Use of intercept not justified in German law
However, the Berlin court found that the interception represented a serious encroachment on individuals’ rights to privacy.
Even if the interception operation was legal under French law, the use of the data in German criminal proceedings was not justified, said Regional Court judge Behrend Reinhard.
“The Regional Court considers the surveillance of 30,000 EncroChat users to be incompatible with the principle of proportionality in the strict sense. This means that the measures were unlawful,” Reinhard wrote in a 22-page judgment.
The court found that the French had not provided information on how they had intercepted data from the EncroChat handsets, and that French authorities were unwilling to provide further information.
EncroChat phones – Android phones with modified hardware and software – were sold through a network of dealers for between €1,000 and €2,000 for a typical six-month contract.
French police began preliminary investigations into EncroChat in 2016 and 2017 after recovering a number of EncroChat phones in the possession of drug traffickers.
Law enforcement investigators were able to trace the servers used by EncroChat to a datacentre run by OVH in Roubaix, France.
In January 2020, a court in Lille authorised the installation of a software implant that targeted BQ Aquaris X2 Android phones used by more than 32,000 EncroChat users in 122 countries.
The implant, supplied by French intelligence agency DGSE, initially harvested historic data from the phones’ memory, including stored chat messages, address books, notes and each phone’s unique IMEI number.
In stage two, the implant intercepted incoming and outgoing chat messages, probably by taking screenshots or logging keys, and transmitted them to a server run by C3N.
German police received daily downloads of data from the phones from Europol from 3 April 2020 until the operation against EncroChat was discontinued on 28 June 2020.
A French court in Lille approved a European Investigation Order (EIO), issued by German prosecutors on 13 June 2020, authorising German courts to use EncroChat data in criminal proceedings.
But the Berlin court found that the intercepted data was obtained in breach of EU law governing the use of European Investigation Orders.
No grounds for suspicion
Grounds for suspicion did not exist when the EIO was ordered and implemented, according to the judgment.
Under EU law, member states are required to notify the German authorities before intercepting telecommunications of people on German territory.
This includes providing all the necessary information, including a description of the interception operation to assess whether the interception would be authorised under German law, and whether the material can be used in legal proceedings.
Judge Reinhard said: “According to the information that has become known so far, it is to be assumed that there was no such request by the French state and no review by the competent German authority in this case.”
There was no concrete suspicion that criminal offences had been carried out by the users of EncroChat phones targeted, the court found.
“At the time of the order and implementation, there was no suspicion of a crime against the users of the terminal equipment [handsets] that would have justified the surveillance,” the judgment said.
Criminals often prefer communications channels that are difficult to monitor, such as voice over IP telephones or the secure Tor browser.
But the mere use of an encrypted phone, even one with a high level of security, is not in itself a reason to conclude that criminal conduct had taken place, said the court.
Bolt cutters
Using an analogy, the mere possession of tools used in burglaries, such as crowbars or bolt cutters, does not provide sufficient grounds for a search warrant, it added.
The German federal government is actively encouraging the use of cryptography, through its digital agenda, and has been reluctant to oblige telecoms and internet companies to implement “back doors”.
Encryption technologies have also been supported by the Council of the European Union, which backs the technology to protect the digital security of governments, industry and society.
“A behaviour that is fundamentally desired by a state – protection of one’s own data from foreign access – cannot become the starting point for coercive measures under criminal law,” said the Berlin court.
Use of EncroChat was not criminal
The court found that although EncroChat’s security features made it particularly attractive to criminals, it was no different from any other encrypted service.
EncroChat was equally attractive to journalists, political activists who feared state persecution or employees of companies who wanted to protect themselves from state persecution, it said.
The high cost of EncroChat phones does not justify the conclusion that they can only be paid for through criminal activity, the court found, and there was no concrete evidence that the 60,000 users of EncroChat phones worldwide were part of a “criminal network”.
According to German police, EncroChat customers contacted dealers anonymously by email, who handed phones over for cash during meetings in public places.
“This procedure fits in with the particularly high security standards claimed by EncroChat and a correspondingly particularly pronounced need for security on the part of the customers,” the court found. “But it does not allow any conclusion to be drawn about the purpose of criminal use.”
Retrospective justification
Among French users, the proportion suspected of criminality was only 67.3%, equivalent to 317 individuals out of 417 identified as of 12 June 2020 – a vanishingly small number compared to the 60,000 users registered with EncroChat.
The subsequent discovery of criminal activities after the surveillance began cannot be used to retrospectively justify the interception operation, the court said.
The large quantities of drugs seized during investigations into EncroChat messages worldwide – and the spectacular discovery of a torture chamber used by drug dealers in the Netherlands – cannot be used to justify the presumption that the network was predominantly used by criminals, it added.
According to a communication from the European Commission, by 14 April 2021 – almost a year after the operation had ended – only 1,500 investigations had been initiated and 1,800 people had been arrested – equivalent to just 5.4% of the EncroChat users placed under surveillance.
German law does not allow for surveillance of telecommunications to establish the suspicion of a crime. Vague suspicions and general indications are not sufficient to justify “blanket spying” on all users of the chat service, the court found.
Tobias Singelnstein, chairman of criminology at the Ruhr-Universität Bochum, told Computer Weekly that the Berlin court’s decision was significant, being the first to take into account the serious legal problems inherent in the acquisition of evidence from EncroChat.
Higher courts in Hamburg, Bremen and Rostock have found EncroChat evidence admissible, according to Tagesspiegel.
German prosecutors said they would appeal against the Berlin decision.
Read more about EncroChat
- Defence lawyers claim that investigators had access to a “master encryption key” that allowed them to decrypt millions of messages from the EncroChat encrypted phone network
- French lawyers claim that investigators are unlawfully withholding details of a cryptophone hacking operation in a case that could impact UK prosecutions
- Lord David Anderson QC warned prosecutors that there were formidable arguments against the lawfulness of a police operation to infiltrate the encrypted phone network, EncroChat
- French lawyers are challenging the legality of a French police operation to harvest tens of thousands of messages from the EncroChat encrypted phone network in a move that could overturn criminal prosecutions in the UK
- The Dutch Public Prosecution Service claims Britain has damaged confidence by disclosing details of an international investigation into the EncroChat encrypted phone network to the courts
- Lawyers claim that public interest immunity certificates may have been used to withhold information on UK intelligence agencies’ ability to decrypt encrypted communications
- Court hearings precipitated by police cracking the EncroChat secure mobile phone network have been delayed after defence lawyers request further disclosures on police decryption capabilities.
- Cops take out encrypted comms to disrupt organised crime: In July 2020, after French and Dutch authorities had gained access to the encrypted EncroChat network, the NCA and its counterparts worked to disrupt the serious and organised criminal networks using the platform.
- Appeal court finds ‘digital phone tapping’ admissible in criminal trials: On 6 February 2021, judges decided that, despite UK law prohibiting law enforcement agencies from using evidence obtained from interception in criminal trials, communications collected by French and Dutch police from EncroChat using software “implants” were admissible evidence in British courts.
- Belgian police raid 200 premises in drug operation linked to breach of encrypted phone network: On 9 March 2021, Belgian police raided 200 premises after another encrypted phone network with parallels to EncroChat, Sky ECC, was compromised, in what prosecutors described as one of the biggest police operations conducted in the country.
- Arrest warrants issued for Canadians behind Sky ECC cryptophone network used by organised crime: Following the international police operation to penetrate the Sky ECC network and harvest “hundreds of millions” of messages, a federal grand jury in the US indicted Sky Global’s Canadian CEO, Jean-François Eap, along with former phone distributor Thomas Herman, for racketeering and knowingly facilitating the import and distribution of illegal drugs through the sale of encrypted communications devices.
- Judges refuse EncroChat defendants’ appeal to Supreme Court: In early March, judges refused defendants leave to challenge the admissibility in UK courts of message communications collected by French cyber police from the encrypted phone network EncroChat. Computer forensic experts working on EncroChat cases said that decision should trigger a wider review of the “far-reaching effects” the legal decision by the Court of Appeal would have on the role of communications interception in future cases.
- UK courts face evidence ‘black hole’ over police EncroChat mass hacking: Forensic experts say that French investigators have refused to disclose how they downloaded millions of messages from the supposedly secure EncroChat cryptophone network used by organised criminals – leaving UK courts to grapple with a forensic ‘black hole’ of evidence.