alexskopje - stock.adobe.com

French Supreme Court rejects EncroChat verdict after lawyers question secrecy over hacking operation

France’s Supreme Court has sent a case back to the court of appeal after police failed to disclose technical details of EncroChat hacking operation

France’s Supreme Court has referred a criminal case that relies on evidence from the hacked EncroChat encrypted phone network back to the court of appeal after finding that prosecutors failed to disclose sufficient information about the hacking operation.

The Cour de Cassation in Paris found that French investigators and prosecutors had failed to supply a certificate to authenticate intercepted phone data and messages obtained from EncroChat phones as required by French law. There was also an absence of technical data about the hacking operation, the court found.

French police and prosecutors refused to disclose how a joint Dutch and French operation to hack EncroChat, which led to thousands of arrests of suspected organised criminals around the world, was undertaken – citing defence secrecy.

Defence lawyer Robin Binsard, co-founder of law firm Binsard Martine, which took the case to the Supreme Court, said last night that the case would be re-heard by the court of appeal to determine whether adequate legal guarantees were in place.

“The Supreme Court stated that, in the absence of a certificate of truthfulness, the evidence covered by defence secrecy could not be legal. The case will be sent to another court to see if the certificate exists. In the meantime, there is no guarantee of validity of evidence from EncroChat,” he wrote on Twitter.

“The Supreme Court stated that in the absence of a certificate of truthfulness, the evidence covered by defence secrecy could not be legal. The case will be sent to another court to see if the certificate exists. In the meantime, there is no guarantee of validity of evidence from EncroChat”

Robin Binsard, Binsard Martine

The hearing follows an operation by French cyber experts to harvest 120 million messages from EncroChat phone users in multiple countries, in a novel interception operation that provided a rich source of intelligence and evidence on the activities of criminal groups in 2020.

In the UK, the National Crime Agency (NCA), working with regional organised crime units, the Metropolitan Police and other law enforcement agencies, made more than 2,600 EncroChat-related arrests using the French data by December last year.

More than 1,380 people were charged with offences and 260 were convicted under Operation Venetic, the NCA’s response to EncroChat. Police also seized 165 firearms, 3,400 rounds of ammunition, 5,600kg of Class A drugs and £75m in cash.

Yesterday’s French Supreme Court decision set aside an earlier ruling by the court of appeal in Nancy that found the police operation against EncroChat was legal under French law.

The case will now be heard again by a second chamber of the appeal court in Metz in north-east France, which will decide whether the procedural guarantees required to invoke defence secrecy have been followed.

Supreme Court argument

Binsard Martine argued in submissions to the Supreme Court that the secrecy around the EncroChat hacking operation infringed the rights of defendants to a fair trial by depriving them of information about how the evidence against them was obtained.

The Supreme Court rejected claims that French computer crime specialists went beyond the legal authority granted to them by judges in the Lille court by blocking internet companies from redirecting domain name services to EncroChat and ordering the redirection of EncroChat messages.

Read More about the French legal challenge to EncroChat

It also rejected claims that the data interception and capture operation was unlawful as it interfered with the right of individuals to a private life without a specific and precise legal framework to do so.

But the Supreme Court agreed that the French police should explain how they obtained intercept evidence from EncroChat phones and should provide a certificate to authenticate the intercepted data and messages in order to comply with French law.

The hacking operation

French court documents reveal that investigators asked France’s security service, DGSI, to carry out a surveillance operation on EncroChat after the French Gendarmerie seized phone handsets in police drug raids from 2017 onwards.

The French security agency, DGSI, provided technology to spy on users of EncroChat

By the end of 2018, Gendarmes based at the C3N digital crime unit in Pontoise had sent a report on the suspected criminal use of EncroChat phones to the Interregional Specialised Prosecution Service (JIRS) in Lille, according to court papers.

French police identified servers used by EncroChat, registered to Eric Miguel of Virtue Imports in Vancouver Canada, at a French datacentre run by OVH in Roubaix, and received court permission to copy and analyse the data.

Investigations revealed a network of virtual machines, which were used to manage encryption keys, analyse event logs, monitor the use of SIM cards and to assign them to the right device, configure new phones and manage voice calls, customer services and a file exchange server.

Police were able to analyse tables of data relating to payments, users and resellers, including the pseudonyms of traders linked to delivery addresses, IMEI numbers on the mobile phones and monthly data consumption of SIM cards.

A joint investigation team of French and Dutch police, assisted by Europol, was able to extract messages and photographs from EncroChat phones infected by an “implant” through an update server from April to June 2020, when administrators warned users that the network had been compromised.

Lawyers plan to continue legal case

In a statement after the decision, Binsard and Guillaume Martine, founders of law firm Binsard Martine, said defence lawyers in other countries should appeal against the use of EncroChat evidence in court hearings.

“We invite our colleagues across Europe to pursue their appeals and to argue that the evidence from EncroChat is illegal, since it is not accompanied by the required attestation of sincerity, as admitted today by the Court of Cassation”
Robin Binsard and Guillame Martine, Binsard Martine

We invite our colleagues across Europe to pursue their appeals and to argue that the evidence from EncroChat is illegal, since it is not accompanied by the required attestation of sincerity, as admitted today by the Court of Cassation,” the lawyers said.

They said they would continue their legal fight to obtain an annulment of the data collected from EncroChat “in breach of the most fundamental principles of criminal law”.

“It will be for the court to determine whether the procedural guarantees provided for in respect of national defence secrecy have been complied with and that attestation exists,” they said.

In a similar case, the Italian Supreme Court ruled that encrypted messages obtained by an international police operation to hack a second phone network used by organised crime groups cannot be used in a pre-trial hearing unless prosecutors explain how the evidence was obtained.

Italy’s Corte di Cassazione found that a defendant should not only have the ability to ask questions about the contents of messages police obtained from the Sky ECC phone network, but also to question how the investigative process was carried out.

The French Supreme Court verdict – key points

Ground 1 – rejected 

Right to private life: The data interception and capture operation was unlawful as it interfered with the right of individuals to a private life. Such interference must be subject to a specific and precise legal framework. 

Network modifications were unlawful: The provisions of article 706-102-1 of the French Code of Criminal Procedure only allow a technical device to be used to capture computer data.

Court orders taken out to prevent internet service companies and French software-as-a-service company OVH from carrying out any operation that interfered with the Encrochat.ch domain names were unlawful.

Other court orders that required “modification of network routing rules” by redirecting the flow of data in EncroChat also fell outside the Code of Criminal Procedure.

Court orders permitting the interception of data in transit were also outside the code.

Supreme Court’s response: Article 706-102-1 makes no distinction between different types of computer data. The operations to block and redirect data flows on EncroChat were technical operations to enable the collection of computer data and were therefore lawful. The modifications to the EncroChat network were a necessary part of the data capture operation, required to prevent EncroChat administrators from blocking the data capture operation.

Ground 2 – rejected

Failure to consider documentation from judicial proceedings against EncroChat: The Court of Appeal in Nancy failed in its verdict in July 2021 to consider documentation from proceedings in the Lille court, which oversaw preliminary investigations into EncroChat. This broke the principle that all actions taken by prosecutors that could affect the outcome of a trial must be subject to adequate control by the court. The failure breached Article 6 of the European Convention of Human Rights, which gives the right to a fair trial, and articles 591 and 593 of the French Code of Criminal Procedure, which require courts to give sufficient reasons for their decisions.

Supreme Court response: The documents from the Lille proceedings placed into the court file allowed defendants and examining magistrates to assess the fairness of the evidence collected in initial investigations without any infringement of fundamental rights.

Ground 3 – upheld in part

Defence secrecy: Articles 706-102-1 and 230-1 of the French Code of Criminal Procedure infringe on the rights of defendants, the right to equality of arms and the right to an effective remedy. By subjecting data capture operations to “national defence secrecy” the code fails to provide adequate legal guarantees and fails to lay down criteria for the use of data capture techniques. Prosecutors can authorise data capture operations without prior review by an independent court, causing disproportionate infringements of rights and freedoms.

The criminal code requires the state to give technical details of the data capture operation and a certificate signed by the head of the technical body certifying the accuracy and authenticity of data used in evidence. French digital crime unit C3N gave no certificate of authenticity.

Supreme Court response: There was an absence of technical information about the data capture procedure. In addition, the Court of Appeal in Nancy did not address claims by the defendant that the head of the technical body had not certified the authenticity of the data used in evidence. On these grounds, the Supreme Court annulled the decision by the court of appeal in Nancy. It referred the case to be re-heard at the court of appeal in Metz.

Read more on Hackers and cybercrime prevention