Law Enforcement Hack Of Encrypted Chat Service Involving 30,000 Phones Being Challenged In European Courts

by Tim Cushing, from Techdirt (#67QGW)

For at least 3 months in early 2020, France-based EncroChat wasn't in sole control of its communication services. Its servers had been compromised by European law enforcement - a joint effort involving law enforcement agencies located in France, the UK, and the Netherlands.

Authorized by a single court order from a French court, the Joint Investigative Team (JIT) infiltrated EncroChat servers and began intercepting text messages and recording lock screen passwords. The encryption EncroChat provided was never compromised. Instead, malware deployed via the compromised servers allowed law enforcement to extract data and communications from infected devices and, in some cases, disable remote wipe features.

The fallout from the three-month bulk harvesting of data and communications from nearly 60,000 phones was immense. More than 100 million messages were intercepted, leading to hundreds of raids, thousands of arrests, and thousands of kilograms of drugs seized.

The fallout continues, with hundreds of criminal prosecutions underway in several nations. And hundreds of cases means dozens of evidentiary challenges, especially when it appears the entire operation was authorized by a single court order issued by one judge in only one of the nations where prosecutions are currently occurring.

Matt Burgess of Wired has taken an in-depth look at the ongoing battles over the legality of this hacking and the ensuing massive data haul. Complicating matters for prosecutors is the fact that the data was harvested in France but passed on to law enforcement in other countries, possibly in violation of recipient countries' laws.

Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn't allow "intercepted" evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.

The unknown aspects of the remote access malware are one of the issues being discussed in German courts. Another concern being raised is how the data was shared by European law enforcement, including the German beneficiaries of this France-based infiltration.

There are multiple cases now headed to European Union courts, thanks to questions raised at the local level by defense lawyers. And, as Burgess points out, there's one major case on the docket that could alter the evidentiary attack plans of others challenging this three-month, 100 million message "search" by the JIT.

In October, the French Court of Cassation questioned previous EncroChat legal decisions and said they should be re-examined. "The judge who authorized this measure was not in charge of 60,000 investigations, but only one, and therefore ordered a disproportionate act," say lawyers Robin Binsard and Guillaume Martine, who are challenging the collection of the data. "We have to defend our clients without knowing how the investigators acted," they say.

The issues of these cases are reminiscent of the FBI's "Playpen" investigation. After compromising a dark web server hosting CSAM, the FBI deployed malware to users connecting to the site, allowing it to harvest device IDs, IP addresses, and other information it could use to identify investigation targets. The FBI's search was authorized by a single court in Virginia but its malware was distributed to 8,000 computers in 120 countries.

In almost every case, the search performed by the FBI's NIT (Network Investigative Technique) occurred outside of the jurisdiction it was supposed to be limited to. In almost every case, the FBI came away with a win, with judges deciding the extraterritorial searches violated the law but awarding good faith to the FBI because the (illegal) searches were authorized by a judge.

The same problems are evident in the EncroChat cases, only on a much more massive scale and with dozens of different countries and their laws implicated. And just like in the FBI NIT cases, prosecutors are refusing to hand over information about the malware deployed by law enforcement. We'll have to see if they're as willing to dump criminal cases if courts rule this information must be handed over to defendants. It's going to take a long time to sort this all out. European law enforcement agencies are currently basking in the glow of successful, multi-national disruption of organized crime. But that glow will fade fast if courts begin ruling too much was done with too little judicial oversight - oversight that, it appears, may have been misled about the breadth and depth of the search effort it authorized.
