French Supreme Court raises constitutional questions over EncroChat hacking secrecy

Conseil Constitutionnel to decide whether ‘defence secrecy’ over state EncroChat cryptophone hacking breaches French constitution

The Supreme Court in Paris has referred a secret state hacking operation which has led to the arrests of thousands of organised criminals worldwide to France’s highest constitutional authority.

France’s highest court found on 1 February that the French-led operation to infiltrate the encrypted phone network EncroChat in 2020 raised new and serious questions that could affect the rights and freedoms of individuals under the French constitution.

The decision follows a legal challenge by lawyers in the Supreme Court in Paris, who argued that prosecutors’ claims of “defence secrecy” left defendants unable to properly challenge the evidence against them.

France’s Constitutional Council, which includes former prime ministers Laurent Fabius and Alain Juppé among its members, now has three months to decide whether the secrecy measures surrounding the hacking operation were compatible with the French constitution.

Novel hacking operation

The French Gendarmerie harvested more than 120 million supposedly encrypted messages from EncroChat phone users in 121 countries, in a novel interception operation in 2020, which caused widespread disruption to crime groups and drugs gangs in Europe and the UK.

The UK’s National Crime Agency, working in partnership with other police forces, had made 1,550 arrests, seized 5.8 tonnes of class A and B drugs, £57m in cash, 115 firearms and 2,879 rounds of ammunition by May last year as part of Operation Venetic, which made use of EncroChat messages intercepted by the French.

Distribution of EncroChat phones across Europe

A finding that the secrecy provisions surrounding the EncroChat hacking operation – conducted by specialists at the C3N digital crime unit in Pontoise – are incompatible with the constitution could require French prosecutors to release evidence about the interception operation that has so far been withheld from courts in France and in other countries.

Speaking after the Supreme Court’s decision, lawyer Robin Binsard said only a small percentage of constitutional arguments raised in the Supreme Court are referred to the Constitutional Court. “It is a very good decision,” he said.

“We are arguing that there are no criteria and no recourse to contest defence secrecy, so the law is not compatible with the constitution,” said Binsard.

The Supreme Court has asked the Paris-based Conseil Constitutionnel to decide whether the laws relied on by French prosecutors to extract data from the EncroChat cryptophone network affected the rights and freedoms guaranteed by the French constitution.

New constitutional issues raised

The Supreme Court found that articles in the Code of Criminal Procedure relied on in the EncroChat case could be properly considered by the Constitutional Council, as they raised a new constitutional question.

“The question raised is of a serious nature,” the decision released this week found. The public prosecutor or examining magistrate made a choice to invoke national defence secrecy for the entire EncroChat operation and “not only for decryption of data collected”, it said.

That may have had the consequence that “a great deal of information useful for checking the regularity of the operation cannot be submitted to the adversarial debate, which may constitute an excessive infringement of the rights and freedoms invoked”.

Effective remedy

The nine-member council has been asked to decide, among other issues, whether the criminal code used by prosecutors failed to provide “sufficient and adequate legal guarantees”, and whether it failed to offer “adequate [legal] recourse” to EncroChat defendants.

The council will also decide whether there was an adequate prior review of the decision to collect unencrypted messages from the EncroChat phone network by an independent court.

At issue is whether France’s code of criminal procedure affected the rights of people charged with EncroChat-related crimes to a legal defence, affected the principle of “equality of arms” in court proceedings, and impacted their right to an effective legal remedy.

The council will determine whether the legal codes used in the EncroChat operation “unjustifiably and disproportionately” infringed the constitution.

EncroChat phone users received an anonymous message warning them that the network had been compromised and advising them to dispose of their handsets immediately

Three possible outcomes

French prime minister Jean Castex is expected to be represented during the hearing. Lawyers and other interested parties, such as associations, can also make written representations.

The council’s decision has three possible outcomes. Firstly, it can find that existing law is compatible with the French constitution.

If the council finds that the law is incompatible, it can decide to invalidate the law covering historic cases, which would require prosecutors to release documents to defence lawyers describing technically how the EncroChat hack was carried out.

Alternatively, the council could revoke the law for future cases, which would make it more difficult for French prosecutors to invoke defence secrecy during future hacking operations.

French Supreme Court to hear arguments over legality of EncroChat

Separately, the French Supreme Court is due to hear arguments over the legality of the French operation against EncroChat at a hearing next month.

The case, which is expected to go to the European Court of Human Rights, could affect prosecutions in the UK, the Netherlands and Sweden, if the court finds the operation unlawful.

The decision comes after Paris-based lawyers Robin Binsard and Guillaume Martine, founders of law firm Binsard Martine, brought a legal claim to the French Supreme Court that the interception operation against the EncroChat phone network breaches French law and the French constitution.

Binsard and Martine are challenging the French Gendarmerie’s refusal to provide defendants with information on the hacking operation on the grounds of “defence secrecy”.

They claim that for defendants to have a fair trial, the French police should explain how they obtained intercept evidence from EncroChat phones and provide a certificate to authenticate the intercepted data and messages.

The lawyers claim that French computer crime specialists went beyond the legal authority granted to them by judges in a court in Lille.

The disputed court orders include one requiring French cloud computing service provider OVH, which hosted the servers used by EncroChat at its Roubaix datacentre, to modify its network to enable the interception to take place.

Lawyers argue that court orders, such as the one preventing cloud service provider OVH from taking any action that could affect the operation of EncroChat’s infrastructure, were unlawful

Gendarmes based at the C3N digital crime unit in Pontoise, with the assistance of Dutch investigators, were able to covertly take copies of the servers and upload a “software implant” that was able to extract plain text messages sent over the supposedly secure phones in April 2020.

Forensics experts in the UK have argued that the French Gendarmerie’s refusal to release information on the hacking has led to an “evidential black hole” that has broken accepted principles that evidence should be properly acquired and secured before being used in legal cases.

Legal arguments before the French Supreme Court over EncroChat

1. Failure to specify duration of interception authorised by a court order

A court order authorising investigators to re-route EncroChat traffic to a capture device run by the French Gendarmerie does not specify the duration of the measure. This is in breach of article 706-102-3 of the Code of Criminal Procedure.

Defence lawyers are calling for the order to be declared null and void.

2. Cancellation of further court orders

Defence lawyers argue that annulment of one court order for failing to specify a duration must lead to the cancellation of three subsequent court orders granting extensions to the intercept operation.

They are calling for the destruction of intercepted messages gathered during this period.

3. Network modifications were unlawful

Court orders taken out to prevent the two domain name service companies and French software-as-a-service company OVH from carrying out any operation that interfered with the Encrochat.ch domain names were unlawful.

Article 706-102-1 of the Code of Criminal Procedure allows law enforcement to intercept data, but does not allow “blocking” orders against the domain name service providers. Other court orders that required “modification of network routing rules” also fell outside the Code of Criminal Procedure.

Defence lawyers argue that six court orders authorising the operation against EncroChat should be cancelled because they “very clearly” exceed the provisions of the Code of Criminal Procedure.

4. Interception should have been limited to phones in use on French territory

Defence lawyers argue that interception of messages on EncroChat phones should have been limited to phones in use on French territory.

They say the interception of EncroChat phones was “massive and indiscriminate” and went beyond the investigation authorised by the Lille court into the illegal import of encrypted EncroChat devices into France.

The capture method should be considered “illegal and void”.

5. Defence secrecy

The Gendarmerie has refused to disclose any technical details of the interception operation against EncroChat or to provide a certificate of authenticity of the seized data, required by French law.

Defence lawyers argue that the data capture was therefore illegal and should be declared void.
