A German court has found that messages intercepted by French police during a sophisticated hacking operation into the encrypted phone network EncroChat cannot be used in evidence. The Berlin Regional Court ruled that data obtained by a joint operation by the French and the Dutch to harvest millions of text messages from EncroChat users was in breach of German law. The court’s decision, subject to appeal, is the first time a German court has found evidence from EncroChat legally inadmissible.
If the Berlin court’s decision is upheld, the trials of hundreds of suspects in Germany accused of drug trafficking could be placed in doubt. Defense lawyer Oliver Wallach told Computer Weekly that the case was “of the utmost importance” in upholding the privacy rights of German citizens. The decision on 1 July 2021 comes as courts in the UK, France, and Holland face similar legal challenges over the admissibility of evidence from the EncroChat phone network, which organized crime groups almost entirely used British police claim.
The Berlin decision “shows that substantial human rights and procedural safeguards are in place even though police and prosecution would like to focus only on getting potential criminals behind bars,” he said. The court released a defendant accused of 16 drug trafficking offenses after finding that the only evidence against him consisted of messages intercepted by the French police from an EncroChat encrypted phone. The court said that the use of data from EncroChat users on German territory, without any concrete grounds for suspicion against individuals affected, was in breach of German law.
Novel hacking operation
In a novel hacking operation, the French Gendarmeries’ Centre for Combating Digital Crime (C3N) gained access to EncroChat’s servers, housed at the French datacentre provider OVH in Roubaix in April 2020.
Working jointly with the Dutch police and the UK’s National Crime Agency, the French can harvest encrypted messages from the EncroChat network.
The Berlin court found that more than 32,000 phone users in 122 countries were affected, regardless of whether the users were criminal or not.
Specialists at C3N collected the messages, passed them on to Europol, packaged them up according to country of origin, and shared them with police forces in Germany, the UK, and other countries.
The user of intercept is not justified in German law
However, the Berlin court found that the interception represented a severe encroachment of individuals’ privacy rights. According to regional court judge Behrend Reinhard, even if the interception operation was legal under French law, using the data in German criminal proceedings was not justified.
“The Regional Court considers the surveillance of 30,000 EncroChat users to be incompatible with the principle of proportionality in the strict sense. This means that the measures were unlawful,” he wrote in a 22-page judgment.
The court found that the French had not provided information on how they intercepted data from the EncroChat handsets and that French authorities were unwilling to give more details.
EncroChat phones – Android phones with modified hardware and software – were sold through a network of dealers for between €1,000 and €2,000 for a typical six-month contract.
French police began preliminary investigations into EncroChat in 2016 and 2017 after recovering several EncroChat phones in possession of drug traffickers.
Law enforcement investigators could trace the servers used by EncroChat to a data center run by OVH in Roubaix, France.
In January 2020, a court in Lille authorized the installation of a software implant that targeted BQ Aquaris X2 Android phones used by more than 32,000 EncroChat users in 122 countries.
The implant, supplied by the French intelligence agency DGSE, initially harvested historical data from the phone’s memory, including stored chat messages, address books, notes, and each phone’s unique IMEI number.
In stage two, the implant intercepted incoming and outgoing chat messages, probably by taking screenshots or logging keys, and transmitted them to a server run by C3N.
German police received daily downloads of data from the phones from Europol between 3 April 2020, and the operation against EncroChat was discontinued on 28 June 2020.
In Lille, a French court approved a European Investigation Order issued by German prosecutors on 13 June 2020, authorizing German courts to use EncroChat data in criminal proceedings.
The Berlin court found that the intercepted data was obtained in breach of EU law governing the use of European Investigation Orders.
No grounds for suspicion
According to the judgment, grounds for suspicion did not exist when the EIO was ordered and implemented.
Under EU law, member states must notify the German authorities before intercepting people’s telecommunications on German territory.
This includes providing all the necessary information, including a description of the interception operation to assess whether the interception would be authorized under German law and whether the material can be used in legal proceedings.
“According to the information that has become known so far, it is to be assumed that there was no such request by the French state and no review by the competent German authority in this case,” said Reinhard.
The court found no concrete suspicion that the users of the EncroChat phones targeted had committed criminal offenses.
“At the time of the order and implementation, there was no suspicion of a crime against the users of the terminal equipment [handsets] that would have justified the surveillance,” the judgment said.
Criminals often prefer communications channels that are difficult to monitor, such as Voice over IP telephones or the secure Tor browser.
But the mere use of an encrypted phone, even one with a high level of security, is not a reason to conclude that criminal conduct had occurred.
Bolt cutters
Using an analogy, the mere possession of tools used in burglaries, such as crowbars or bolt cutters, does not provide sufficient grounds for a search warrant.
The German Federal Government actively encourages cryptography through the Federal Government digital agenda and has been reluctant to oblige telecoms and internet companies to implement “back doors”.
The Council of the European Union has also supported encryption technologies, which supports the technology to protect the digital security of governments, industry, and society.
“A behavior fundamentally desired by a state – protection of one’s data from foreign access – cannot become the starting point for coercive measures under criminal law,” the court said.
The use of EncroChat was not criminal.
The court found that although EncroChat’s security features made it particularly attractive to criminals, it was no different than any other encrypted service.
EncroChat was equally attractive to journalists, political activists who feared state persecution, or employees of companies who wanted to protect themselves from state persecution.
The high cost of EncroChat phones does not justify the conclusion that they can only be paid for through criminal activity.
There was no concrete evidence that the 60,000 users of EncroChat phones worldwide were part of a “criminal network,” the court found.
EncroChat customers contacted dealers anonymously by email, who handed phones over for cash during meetings in public places, according to German police.
“This procedure fits in with the particularly high-security standards claimed by EncroChat and a correspondingly particularly pronounced need for security on the part of the customers,” the court found. “But it does not allow any conclusion to be drawn about the purpose of criminal use.”
Retrospective justification
Among French users, the proportion of suspected criminality was only 67.3%, equivalent to 317 individuals – a vanishingly small number compared to the 60,000 users registered with EncroChat.
The subsequent discovery of criminal activities after the surveillance began cannot be used to justify the interception operation retrospectively.
The large quantities of drugs seized during investigations into EncroChat messages worldwide – and the spectacular discovery of a torture chamber used by drug dealers in the Netherlands – cannot be used to justify the presumption that criminals predominantly used the network.
By 14 April 2021, according to a communication from the European Commission, almost a year after the end of the operation, only 1,500 investigations had been initiated, and 1,800 people had been arrested – equivalent to just 5.4% of the EncroChat users placed under surveillance.
German law does not allow telecommunications surveillance to establish the suspicion of a crime. The court found that vague fears and general indications are insufficient to justify “blanket spying” on all chat service users.
Tobias Singelnstein, chair of criminology at the Ruhr-Universität Bochum, told Computer Weekly that the Berlin Court’s decision was significant. It is the first to take into account the severe legal problems inherent in the acquisition of evidence from EncroChat, he said. German prosecutors said that they would appeal the decision.
