orpheus26 - stock.adobe.com

Germany: European Court of Justice asked to rule on legality of hacked EncroChat phone evidence

Berlin’s Regional Court has asked the European Court of Justice to answer questions about whether the use of hacked EncroChat phone evidence complies with European law

Europe’s supreme court has been asked to decide whether communications obtained in an international police operation to hack encrypted phones can be lawfully used as evidence in courts in the European Union (EU).

In what lawyers described as a major legal development, a German court referred a series of questions to the Court of Justice of the European Union (CJEU) asking whether France’s sharing of hacked EncroChat messages with Germany was lawful under European law.

Following a serious of legal challenges, Germany’s Supreme Court ruled in March that evidence from EncroChat could be lawfully used in criminal trials.

But if the CJEU found that evidence from the hacked phone network was obtained and shared in breach of European laws, defence lawyers believe the result could undermine hundreds of prosecutions of people accused of drug dealing and organised crime on the basis of the content of hacked messages where there is no other supporting evidence.

Christian Lödden, a defence lawyer, described the decision by the Berlin Regional Court to ask the CJEU for a decision of legal basis in European law for the EncroChat operation as “historic”.

He said courts in other European countries were now expected to seek clarification from the CJEU. “The flood is coming,” he said.

The case is one of a number of legal challenges in Europe and the UK to a novel and unprecedented police hacking operation that has led to clashes between defence lawyers and prosecutors and has seen some courts re-interpret existing laws on interception.

German police have conducted 3,200 preliminary investigations into EncroChat, an encrypted phone network that was used by organised crime groups, and have issued 1,400 arrest warrants, according to Germany’s Federal Criminal Police Office, the BKA.

German investigators had recovered 6.2 tonnes of cannabis, more than 1,100kg of cocaine, 73kg of heroin, 590kg of synthetic drugs, and over 150,000 ecstasy tablets, based on evidence from hacked EncroChat messages.

Provenance of EncroChat evidence

A judge at the Landgericht Berlin Regional Court made the referral to the CJEU after hearing testimony from investigators and senior prosecutors involved in the EncroChat operation in a series of hearings that lasted over a week.

The questions centre on whether defendants in EncroChat cases can receive fair trials in Germany without having full access to files explaining how the data was obtained and its evidential provenance, according to a judgment published on Friday.

France, which conducted the hacking operation with the Netherlands in 2020, has refused to disclose information about the operation, which was conducted by the French internal security service, DGSI, citing “national defence secrecy”.

In Germany, according to the court ruling, prosecutors have disclosed only 120 pages of over 1,800 pages in the legal files to defence lawyers in a case before the Berlin Regional Court.

“The most important question is whether there is a European version of criminal procedural law, which could include an unwritten law, which says that if evidence is not disclosed to defendants, can it be used as evidence in court,” said Lödden.

The case concerns a defendant, currently released on bail, charged with dealing in marijuana and cocaine between April and May 2020 on the basis of evidence intercepted by police from the EncroChat encrypted phone network.

The court has submitted a series of urgent questions to the CJEU to clarify whether German investigators have infringed European law in obtaining hacked messages from German EncroChat phones intercepted in France.

The Berlin court also seeks to establish, if there has been a breach of European law, whether that would prevent evidence from EncroChat phones being used in criminal proceedings in EU countries.

The impact of the CJEU’s findings on hundreds of prosecutions under way in the UK is uncertain, because the UK is no longer under the jurisdiction of the CJEU following Brexit.

EncroChat hacking operation

Germany’s BKA began investigating EncroChat encrypted phones after discovering organised criminals were using the phones in Germany in 2018.

The French and Dutch team retrieved decrypted text messages, photographs and other communications data from EncroChat phones used around the world after accessing the EncroChat servers in France and using an updated server to infect phones with a software “implant”.

The implant, uploaded on 1 April 2020, affected 32,477 out of 66,134 users of EncroChat phones registered in 122 countries, including 380 users in France and 4,600 users in Germany.

It enabled the French authorities to identify the IMEI numbers of handsets, email addresses, date and time of communications and the location of radio masts used by the phones.

The BKA argued that the use of an EncroChat phone was grounds for suspicion of criminal activity because the encryption capabilities of the phone, coupled with its high cost – €1,000-€2,000 for a six-month contract – meant it was unlikely to be used for legal purposes. Police had also identified 300 EncroChat devices that had been used in crimes.

Map showing distribution of EncroChat phones across Europe

European project

The Berlin Regional Court argued in its verdict, dated 19 October 2022, that the hacking operation against EncroChat, known by the French as Operation Lemont and the Dutch as Operation Emma, was not a purely French operation but a “European project” subject to EU law.

The investigation carried out by the French and the Dutch since 2018 had been co-ordinated by Eurojust, the European agency for corporation in criminal justice, and had technical and financial support from Europol.

According to the 30-page decision, because of the secrecy over Europol’s and Eurojust’s communications with German police and prosecutors, German courts have assumed that France “spontaneously” transmitted EncroChat data to Germany without German involvement in operation.

Germany’s Supreme Court, the Federal Court of Justice (BGH), ruled on 2 March 2022 that EncroChat evidence provided by France to Germany could be used as evidence in Germany for investigating serious criminal offences.

The Federal Court found that the failure by the French authorities to inform Germany about a surveillance operation carried out on German territory cannot lead to the exclusion of improperly obtained evidence.

However, the Berlin Regional Court argues in the latest decision that the CJEU did not have access to relevant documents that were obtained later by defence lawyers and is now seeking clarification from the CJEU.

European Investigation Orders

The Berlin Regional Court has raised questions whether European Investigation Orders (EIOs) issued by Germany to France to obtain evidence and data from French investigators were properly carried out.

The court found that the German authorities should have issued an EIO to the French before the EncroChat operation began, which would have had to have been approved by a German court.

Alternatively, the French should have notified the German authorities that French police intended to obtain data from EncroChat phones in Germany.

The German authorities would have been required to notify France if the operation could not have been authorised under German law within 96 hours, and if so, to require France not to carry out the interception.

“The fact that the French authorities had failed to provide this information was known to the German investigative authorities from the outset and they did not raise any objections,” the court found.

Suspicion of offences

The Berlin Regional Court said it did not want to follow the line of argument of the Federal Court of Justice that “unspecified suspicions” of the “multiple offences” were sufficient to comply with the law on issuing EIOs.

The Federal Court of Justice had decided that EncroChat was used by criminals on the basis of findings that EncroChat phones were used in a “very small” number of criminal proceedings compared to the total number of EncroChat users.

To the extent that EncroChat operators were targeting EncroChat to criminals, this only allowed conclusions to be drawn about criminal activity by “some” but by no means “all or most of the users”, the Berlin court said.

German domestic law requires investigators to show “specific suspicion” against individuals targeted for secret telecommunications surveillance – and “vague indications” or “mere conjectures” of general sets of experiences are not enough.

The “non-specific suspicions” given before the start of the hacking operation against EncroChat and the “list of various alternative possible offences” that could be committed by users of EncroChat phones “would not have been permitted” under German law.

Right to a fair trial

The Berlin Regional Court said that the right to a fair trial requires defendants to be given a “genuine opportunity” to give an opinion on the evidence.

The BKA has refused to hand over to German courts information provided by France to Germany before the EncroChat operation began, according to the Berlin court decision.

German investigators have testified that they understood that the French police would extract EncroChat messages from a server in France. But the details of what exactly they understood and what their assessment was based on remained “vague and unconvincing”.

A message sent to the BKA on 27 March 2020 referred to methods used by the French to obtain data from telephone handsets in German jurisdiction, according to the Berlin court.

Summary of questions to the European Court of Justice

  • Must an EIO be issued by a judge in order to obtain evidence if the taking of evidence in a similar domestic case should have been ordered by a judge?
  • What effect would it have if the telecommunications interception carried out extended to all handsets in the territory, and there are no concrete indications that serious criminal offences have been committed by an individual user, in particular if the integrity of the data cannot be verified due to extensive secrecy?
  • To what extent is a data skimming measure from terminal equipment of an internet-based communications service surveillance of telecommunications traffic within the meaning of the European Investigation Order Directive and what information obligations exist for which institutions, if the measure could only be ordered by a judge under national law?
  • What is the effect if the measure underlying the data collection would have been inadmissible in a comparable domestic case?
  • If evidence is obtained by an EIO that is contrary to EU law, does a ban on the use of evidence result immediately or to what extent is such a consideration to be taken into account in the context of a balancing decision, especially if the seriousness of the crime is justified by the evaluation of the evidence obtained?

Source: Christian Lödden, defence lawyer at Lödden & Barczyk Rechtsanwälte

“The German investigative authorities were either aware from the start that the surveillance measure would not be limited to French territory and that end devices [handsets] on German territory were to be infiltrated,” said the court verdict. “Or they closed their eyes to this legal possibility.”

The use of defence secrecy by the French authorities to protect the hacking method means it is not possible for defendants in Germany to use an IT expert to understand and assess potential sources of error in the data.

“The expert would need various information on the technical basis of the surveillance measure and the transfer of data to the Europol server, but these would not be communicated by the French authorities on the basis of military secrecy,” it said.

“The technical methods used to intercept, extract, store and finally to download the EncroChat data, sorted by country, on the Europol server, raise a number of complex questions,” the Berlin court judgment states.

These include questions over the integrity of the data, “its accuracy, completeness and consistency”, it said, adding: “The possibility of examining these issues is essential for an effective defence.” 

The French security agency, DGSI, provided technology to spy on users of EncroChat

Forum shopping

Under European law, member states can only issue EIOs to require another country to undertake a surveillance operation if the same action would have been approved by a domestic court.

The Federal Court of Justice said in its decision on 2 March 2022 that this principle does not apply to the transfer of evidence to Germany when France had already obtained the data.

But the Berlin Federal Court said this would mean the EIO scheme would not respect the national minimum required to protect individuals’ rights and would not protect investigators from “forum shopping” by law enforcement agencies.

It said Germany and France co-operated on the EncroChat operation informally until June 2020, but that that does not eliminate the need for actions undertaken by France on behalf of Germany to comply with German law.

Wire-tapping law

Under German law, wire-tapping carried out without a judicial order cannot be used in evidence. Evidence can also be banned if the legal conditions for ordering surveillance are not met.

Decisions in German courts on EncroChat have given weight to the interests of law enforcement because of the seriousness of the offences committed when considering whether there were breaches of EU law.

The Berlin Regional Court judgment said it was not clear that this approach was compatible with EU law, however.

It said any breaches could be dealt with either by prohibiting the use of evidence or by giving it less weight or taking the breaches into account in sentencing.

But it said that under EU case law, any infringement almost always results in the exclusion of evidence. “There is a strong case for adopting ‘a ban on exploitation’ under the principles of EU law,” it said.

Principles for fair trials undermined

The Berlin Regional Court said principles required for a fair trial had been undermined in several ways, including the fact that the data requested by an EIO cannot be verified by a technical expert acting for the court because of French confidentiality.

There were “multiple violations” under the EU agreement of EIOs “for which German prosecuting authorities are directly responsible or to which they have turned a blind eye”, it said.

“If all these requirements of EU law had been complied with, the data of the German users would not have been collected or stored by Europol and certainly not transmitted to the German authorities for the purpose of prosecution,” it added.

European agencies and German prosecutors have “further complicated matters” by refusing to disclose material elements of the prosecution file to defence lawyers and by refusing to disclose any procedural documents.

The refusal to include messages sent by Europol to German police on the SIENA messaging system are particularly serious, the Berlin court said.

The inability of defendants to verify the EncroChat data means that courts should consider giving it “a reduced probative value” and that convictions should not be based on the data alone.

No date has been set for the CJEU to answer the questions from the Berlin court.

Chronology

2017: French investigators establish that EncroChat encrypted phones were used in a number of drugs related offences.

21 December 2018: French investigators copy data from an EncroChat server at the OVH datacentre in Roubaix, France. The server data reveals that over 66,000 SIM cards are registered on EncroChat. Investigators are able to decrypt 3,500 files included encrypted notes made by phone users.

2018: The German Federal Criminal Police Office (BKA) discovers that EncroChat phones are being used in Germany in serious crimes.

30 January 2020: A court in Lille, France, approves the use of a data interception device on the EncroChat server and on EncroChat handsets.

2020: The German Federal Criminal Police Office (BKA) and the Central Office for Combating Cyber Crime (ZIT) located at the Public Prosecutor’s Office in Frankfurt (GSta), begin discussions on an investigation into EncroChat.

9 March 2020: The German Federal Criminal Police Office (BKA) and the Central Office for Combating Cyber Crime (ZIT) in Frankfurt (GSta) take part in video conference organised by Eurojust in the Hague with representatives of other countries to discuss how to exploit EncroChat data with the French and Dutch Joint Investigation Team working on the hacking operation.

13 March 2020: The BKA begins a preliminary investigation into unknown users of the EncroChat service, on suspicion that EncroChat phone users were in small-scale trafficking of narcotics and organised crime.

20 March 2020: The Lille court in France approves an order to redirect data streams on the EncroChat server to enable the capture of EncroChat data.

27 March 2020: The BKA receives a message in English from the French and Dutch Joint Investigation Team (JIT) through Europol’s SIENA communications systems inviting police authorities in other countries to receive messages from EncroChat. The note asked participating countries to confirm they had been informed of the methods used to obtain data from devices in their jurisdiction. Participating countries could only use the intercept material in investigations after being granted permission by the JIT.

27 March 2020: The BKA issues the approvals and confirmations requested by Europol after consulting with GSTa Frankfurt.

1 April 2020: The French and Dutch Joint Investigation team (JIT) install ‘Trojan Horse’ or ‘implant’ software on an EncroChat server hosted in the OVH data centre in Roubaix, France, which goes live.  

3 April 2020:  The German Federal Criminal Police Office (BKA) began downloading EncroChat data supplied by France, through Europol.

7 April 2020: The French investigation is expanded from an investigation into the illegal supply of encryption technology in France to include illegal trade in drugs and weapons offences.

1 May 2020: The Lille court in France extends permission to continue technical measures against EncroChat’s infrastructure for one month.

13 May 2020: The BKA writes to the French public prosecutor asking for permission to make judicial decisions on the collection of location data and other investigative measures on suspects, without disclosing the French investigation into EncroChat.

1 June 2020: The Lille court extends permission to continue technical measures against EncroChat’s infrastructure for a further four months.

2 June 2020: The German public prosecutor’s office of Frankfurt issues a European Investigation Order formally requesting permission to use the EncroChat data obtained by France in prosecutions.

13 June 2020: The Lille court approves Germany’s European Investigation Order, giving consent to the use of the data by Germany for judicial investigations and prosecutions.

28 June 2020: EncroChat administrators succeed in closing down the EncroChat network after having discovered the hacking operation.

9 September 2020:  The Public Prosecutors Office in Frankfurt issues a further European Investigation order for additional data from the French EncroChat operation.

2 July 2021: The Public Prosecutors Office in Frankfurt issues a third further European Investigation order for additional data from the French EncroChat operation.

1 July 2021: The Berlin Regional Court finds that EncroChat messages cannot be used in German criminal proceedings.

5 July 2021: The Berlin public prosecutor’s office issues a complaint seeking to overturn the Berlin Regional Court’s decision and requesting the reopening of criminal proceedings against the defendant.

31 August 2021: The Superior Court in Berlin rules that messages intercepted by French police from the EncroChat encrypted phone network can be used as evidence.

2 March 2022: Germany’s Supreme Court, the Federal Court of Justice (BGH) rules that EncroChat evidence provided by France to Germany could be used as evidence in Germany for investigating serious criminal offences.

Read more on Hackers and cybercrime prevention