Was the evidence from the Encrochat hack lawfully obtained?

Legal question: The hack of the messaging service Encrochat allowed the police to watch live encrypted communication for months with criminals. This is thanks to Dutch/French collaboration in which a backdoor was installed unseen on the phones of all 50,000 Encro customers via the Encrochat server . AI has also gone through those messages . But how useful is this as evidence in a criminal case?

Answer: The Encrochat hack does not go as far as the American FBI trick in which the police department sold supposedly safe telephones (Anom) and then read along at your leisure. There was actually a police break-in on the servers of the company behind the Encrochat service. Encrochat once started as a secure service for celebrities who were afraid of hacking (a real risk, especially in England) but was also widely used by criminals.

The precise details of the hack is still unclear, but it boils down to the French Justice in collaboration with the Dutch police inside managed to penetrate the infrastructure Encrochat and from there malware on the phone was able to push. At least, malware for the criminals – for the police, of course, it was a legitimate eavesdropping and copying tool. Thus, many, many criminal transactions and consultations were captured, leading to a wave of arrests and criminal cases.

But is that legal, such an action? The operation was approved by the investigative services and examining magistrate, but that is of course no argument for a little lawyer . First of all, the point is that the action was brought as an investigation against Encrochat's company, and why are you allowed to read users' chats? That's outside of that investigation, you might say. And secondly, why is the French justice allowed to read chats of German figures who are plotting evil in Germany?

In the Netherlands this was the first time that a verdict was made at the beginning of July . Eight suspects were on trial in a major criminal case, including objections to the use of Encrochat data as evidence against them. The first objection was that in that French/Dutch cooperation there was no order from the Dutch examining magistrate. But that is not necessary, according to the judge: the actual invasion of privacy was committed by the French authorities, not (also) by the Dutch.

You then have to test under French law, and that turned out to have gone well:

The file contains (translations of) six French official reports from which it can be deduced that a French judge has given permission for the interception of Encrochat data and that periodic judicial checks have taken place.

The German court therefore saw it differently: it demands that when it comes to German citizens, the German court must be asked for permission.

But what about that 'by-catch' argument? Why was it allowed to read users' chats if the investigation was against the company and not against suspicious users?

Prior to the interception, the prosecution said, it was recognized that an invasion of the privacy of Encrochat users was foreseeable, but necessary to gather evidence against the Encrochat company. The defense counters that the Encrochat hack was in fact intended to obtain evidence against individual users of the Encrochat phones and sees this suspicion confirmed in the so-called British documents. The court considers this statement of the defense to be insufficiently substantiated as the British documents are not in themselves incompatible with the view of the Public Prosecution Service that the investigation focused on the company Encrochat.

So the argument behind that is that if you are legitimately investigating a company, and you find evidence against users, that it can simply be used as 'by-catch'. It would be weird if you had to leave that alone, when you didn't break a rule in finding it. Bycatch is legally obtained evidence. That will be different if that research was not really into that company, but an excuse to actually be able to follow the users.

It is not apparent from the English documents that the French/Dutch cooperation was aimed at this. Okay, I think, but pushing a backdoor on all those phones doesn't feel like a very logical action when investigating the company.

Another problem was that the defense finds it difficult to investigate all those messages. This is always a problem in criminal law: the Public Prosecution Service can theoretically conduct technical investigations with unlimited resources and bring in experts, and the defendant's lawyer just has to hope that he finds someone who is willing to do it for a nice amount of money.

The judge here is willing:

Now that the defense in this file is largely dependent on the official reports drawn up by the Public Prosecution Service by public prosecutors known under number, the court is of the opinion that in the light of a fair trial the defense should be given the opportunity to exercise more direct control. For that reason, the court will decide that the request to hear the public prosecutor of the national prosecutor's office known as LAP 0797 will be granted.

Apparently, most of the documents are secret, which is of course logical given the enormous scope of the capture, but it conflicts with the idea of ​​openness in criminal justice. "We have evidence but you should not look at it too long because then other investigations will fail" is not really the intention.

In the meantime, the NFI is working on more thorough reports about the functioning of Encrochat and the hack, and these documents will also be shared with the suspects. So we have to wait and see anyway, and I think there is a good chance that we will get an appeal (just like in Germany). I am very curious.

Arnoud Engelfriet is an ICT lawyer specializing in internet law, which he has been involved in since 1993. He works as a partner at legal consultancy ICTRecht . His site Ius mentis is one of the most extensive sites in the Netherlands on internet law, technology and intellectual property. He wrote two books, The Internet Law and Security: Expert and Practical Legal Advice.

Previous Post Next Post