
Cops have hacked into thousands of phones. Was it legal?

Months earlier, police from all over Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. The malware that the police secretly inserted into the encrypted system stole more than 100 million messages, exposing the inner workings of the criminal underground. People were talking openly about drug deals, organized kidnappings, planned homicides, and worse.

The hack, one of the largest ever carried out by the police, was an intelligence bonanza, leading to hundreds of arrests, house searches and the seizure of thousands of kilograms of drugs. But that was just the beginning. Fast forward two years and thousands of EncroChat users across Europe, including in the UK, Germany, France and the Netherlands, are in prison.

However, a growing number of legal disputes are challenging the hacking operation. Lawyers say the investigation is flawed and the hacked messages shouldn’t be used as evidence in court, arguing that data-sharing rules were violated and that the secrecy of the hack means the suspects didn’t get fair trials. In late 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals across Europe. And experts say the fallout has implications for end-to-end encryption around the world.

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” says Lödden. “We are not defending criminals or defending crimes. We are defending the rights of the accused persons.”

EncroChat hacking

By the time it was busted by police, about 60,000 people had signed up for the EncroChat phone network, which was established in 2016. Subscribers paid thousands of dollars to use a custom Android phone that could, according to EncroChat’s company website, “ensure anonymity.” The phone’s security features included encrypted chats, notes and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone and live customer support. Its camera, microphone and GPS chip could all be removed.

The police who hacked the phone network do not appear to have broken its encryption, but instead compromised the EncroChat servers in Roubaix, France and eventually delivered malware to the devices. While little is known about how the hack occurred or the type of malware used, 32,477 of EncroChat’s 66,134 users were affected in 122 countries, according to judicial documents. Documents obtained by Motherboard showed that all data on the phones could potentially be recovered by investigators. This data was shared among law enforcement agencies involved in the investigation. (EncroChat claimed to be a legitimate company and shut down after the hack.)

Across Europe, legal challenges are piling up. In many countries, courts have ruled that EncroChat messages can be used as evidence. However, these decisions are now under dispute. The cases, many of which have been reported in detail by Computer Weekly, are complex: each country has its own legal system with separate rules on the types of evidence that can be used and the processes that prosecutors must follow. For example, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.

The most high-profile challenge so far comes from lawyers in Germany. In October, a regional court in Berlin sent an EncroChat appeal to the Court of Justice of the European Union (CJEU), one of the highest courts on the continent. The judge asked the court to make decisions on 14 points on how data was transferred across Europe and how it was used in criminal cases. The Berlin court highlighted the secret nature of the investigation. “Technical details about the function of the trojan software and the storage, allocation and filtering of data by the French authorities and Europol are not known,” says an automatically translated version of the court ruling. “The operation of Trojan software is basically subject to French military secrecy.”

Lödden, who is not involved in the case that reached the CJEU but is coordinating with about a dozen other lawyers involved in EncroChat’s European cases, says that in some of the earliest cases he worked on, people were offered good deals and served reduced sentences for pleading guilty. Since then, he’s used different lines of defense. His challenges often concern the question of what legal basis has been used to justify the acquisition of data from people’s devices. Another approach involves questioning the data itself. “You don’t know how the French got the data,” he says. “The only clear thing is that it’s not the complete data, because there are gaps and the data they got is not fully decrypted.”

There is no fixed date for the European Court to review the case, though in another high-profile legal challenge, two British EncroChat users have brought their case to the most important European court for human rights. However, a French case, which is expected to be decided this month, could make a difference to other cases across Europe. In October, France’s Court of Cassation questioned previous EncroChat legal decisions and said they should be reviewed. “The judge who authorized this measure was not responsible for 60,000 investigations, but only for one, and therefore ordered a disproportionate act,” say lawyers Robin Binsard and Guillaume Martine, who contest the data collection. “We have to defend our clients without knowing how the investigators have acted,” they say.

Despite the legal challenges, police forces across Europe have praised the EncroChat hack and how it has helped put criminals in jail. When the hack was announced in June 2020, hundreds of people were arrested in massive coordinated police operations. Police in the Netherlands discovered shipping containers that were used as “torture chambers” by criminals.

Since then, there has been a stream of EncroChat cases reaching the courts and people incarcerated for some of the most serious crimes. EncroChat data has been a real boon for law enforcement – arrests for organized crime in Germany rose 17% following police arrests, and at least 2,800 people have been arrested in the UK.

Cases in the UK have seen two men plotting a revenge shooting sentenced to 18 years in prison each, a drug dealer incarcerated for 14 years for supplying 8 kilograms of cocaine and heroin, and six men jailed for a total of 140 years after plotting to smuggle ecstasy internationally inside the arm of a digger. And in June of last year, the police in the Dominican Republic reportedly arrested the alleged masterminds behind the EncroChat system itself.

France’s National Gendarmerie military police, the UK’s National Crime Agency and Germany’s federal investigation police agency, Bundeskriminalamt, declined to comment on the ongoing legal cases. Jan Op Gen Oorth, spokesman for Europol, says the investigation was carried out as part of a joint investigation team which involved multiple EU bodies and national police forces. “The data in the case was acquired on the basis of the provisions of French law and with judicial authorization, through the frameworks for international police and judicial cooperation,” says Oorth.

Encryption fights

EncroChat isn’t the only encrypted phone network that the police have hacked or taken down. Law enforcement operations against Ennetcom, Sky ECC, and Anom (the FBI secretly took over the latter and ran the network) highlight wider tensions around encryption. For years, police have complained that encryption prevents them from accessing data, while still having multiple alternative ways to bypass encryption. In Europe and the United States, laws are being proposed that could weaken encryption as the technology becomes the default.

The disruption of telephone networks billed as encrypted and highly secure (some may be legitimate, while others are more shady) raises questions about law enforcement tactics and transparency. “What we are seeing is that police authorities and law enforcement agencies are effectively normalizing a policing practice that sets a really dangerous precedent in terms of surveillance,” says Laure Baudrihaye-Gérard, legal director for Europe at the non-profit criminal justice organization Fair Trials.

Adam Jackson and Cerian Griffiths, law professors at the UK’s Northumbria University who have been analyzing EncroChat legal issues, say there is a “judicial appetite” to use the collected data to convict criminals, but that the correct processes must be followed, as more cases like this could arise in the future. “You want bad people prosecuted for seriously bad things they are about to do,” they say. “You just want to make sure it’s done correctly, in a way that’s obviously valid. And that means they don’t get any across-the-board appeals that undermine those beliefs.”

A Finnish court has already established that data collected by the FBI from Anom could not be used: the seriousness of the alleged crimes did not justify the way the data was being accessed, local reports said. Meanwhile, Italy’s Supreme Court said the methods used to access Sky ECC messages should be disclosed.

More than 100 Dutch lawyers have warned that the lack of transparency around the hacks could lead to a slippery slope. In the future, the lawyers wrote in an open letter, Signal or WhatsApp could be targeted. “Even these services are either already in a suspicious corner or are likely to get there, while that suspicion is based only on using strong encryption and protecting your privacy.”

Jessica Shurson, a law professor at the University of Sussex and a former US attorney, says the hacking cases should be included in broader debates about the importance of cryptography for people’s security. “They’re finding ways to access encrypted systems, through hacking, through their own malware,” Shurson says. “Can we really say that law enforcement agencies are ‘blacking out’ on encrypted data when we see these cases coming up every couple of years proving that they can, in fact, access encrypted systems?”