Defence lawyers claim that investigators had access to a “master encryption key” that allowed them to decrypt millions of messages from the EncroChat encrypted phone network.
The claim is the latest challenge to more than 250 prosecutions that are under way in the UK following a joint operation by French and Dutch police to infiltrate the EncroChat network used by organised criminals.
The defence theory comes amid what experts have described as a “black hole” of evidence over how French investigators obtained and decrypted messages from the EncroChat network.
Despite repeated requests from the Crown Prosecution Service, representatives from the French Gendarmerie have refused to give evidence about the interception of EncroChat in UK courts, citing defence secrecy.
“We suggest that a court could only ever make a finding to a criminal standard if the prosecution were able to call direct evidence from the French and the Dutch,” said one defence lawyer.
Prosecutors argue that investigators for the French Gendarmerie’s digital crime unit, C3N, in Pontoise on the outskirts of Paris, were able to bypass the encryption of the EncroChat phones by taking messages directly from the phones before they had been encrypted.
The claim was supported by the Court of Appeal, which found on 5 February 2021 that material gathered by French and Dutch investigators and passed to the UK’s National Crime Agency (NCA) had been lawfully obtained through “targeted equipment interference” warrants.
But defence lawyers have used the same evidence to develop an alternative scenario, which they claim is more persuasive than the prosecution theory. Prosecution experts have agreed that the theory is possible.
According to the defence theory, French technical experts were able to replace the encryption mechanism used in EncroChat phones to enable them to decrypt messages as they passed through EncroChat’s server.
Experts at the Gendarmerie’s Centre for Combating Digital Crime (C3N) were able to gain access to EncroChat’s servers, housed at French datacentre provider OVH in Roubaix.
They were able to reverse engineer them and build a replica of EncroChat servers using a large network of virtual machines, according to the defence hypothesis. Messages were redirected to C3N infrastructure by a “load balancer” installed by French investigators.
Defence lawyers claim that C3N used an update on 1 April 2020 to replace the random number generator, which was used in the phone app to create secure encryption keys, with a corrupted random number generator.
This had the effect of compromising EncroChat’s encryption mechanism, which was based on the Signal Protocol used in applications such as WhatsApp and the Signal messaging app.
French investigators were able to download “ratchet” values used in the Signal Protocol, from the memory of infected phones to enable them to decrypt messages when they arrived on the EncroChat server.
A press release issued by the Netherlands Forensic Institute in April 2021 claimed French cyber experts were able to “read messages on the EncroChat server”.
Sky ECC and An0m
The defence theory has parallels with a Belgian and Dutch operation against another encrypted phone network, Sky ECC, in March this year.
Belgian and Dutch police told a press conference on 10 March 2021 that they had intercepted more than one billion encrypted messages from the Sky ECC cryptophone network and had decrypted half of them.
In June, it emerged that the FBI and the Australian Federal Police had access to the “master encryption key” for another encrypted phone network, known as An0m or Anom.
Police investigators covertly distributed the app to organised crime groups who were unaware that the FBI could read encrypted messages sent by 9,000 encrypted devices for at least 18 months.
No evidence to support defence hypothesis
Experts have differing opinions on whether police hacked EncroChat in the same way, however.
Jonathan Kinnear QC, who is prosecuting 250 EncroChat cases, told a preparatory hearing that the defence arguments were “nothing more than a theory or hypothesis”.
He added: “There is little or no evidence to support that hypothesis in the way there is a huge weight of evidence supporting the Crown’s position.”
Prosecutors argue that because EncroChat messages were encrypted, the only way they could have been obtained was by exfiltrating them from the handset before encryption, rather than decrypting them from a server.
Miasma of hearsay
Defence lawyers claim that evidence cited by the prosecution on the way the implant worked is based on a “miasma” of hearsay.
They claim that decrypting messages from the server, as proposed in the defence hypothesis, is a more “elegant” technical solution that offered greater security.
Under the prosecution scenario, messages would have to be sent three times, rather than once, increasing the risk that the hacking operation would be discovered.
“If text messages were sent in clear text and metadata were being sent in parallel to the C3N server, then someone with technical knowledge would be able to see that,” said one lawyer.
“It is certainly not the defence case that the prosecution inferences are impossible; just that they can’t be proved.”
A defence lawyer said the prosecution has criticised the defence for not being able to point to evidence, adding: “Of course we can’t – we haven’t been given the implant of the server images and the prosecution don’t have the post-implant server images, so it is no surprise we can’t point to specified evidence.”
Also at issue is whether the collection of data from EncroChat phones was lawful.
The NCA obtained a thematic warrant to obtain messages from 9,000 phones in the UK, but defence lawyers say the warrant was wrongly used for bulk collection of encrypted messages.
“It was casting a drift net as opposed to using a harpoon,” they claim.
It was only after obtaining the warrant that prosecutors were able to justify harvesting messages from 9,000 phones by arguing that the users of EncroChat were largely limited to organised crime groups, it is claimed.
“Although the prosecution can clearly now provide a retrospective justification and base that upon what they found, I would accuse the prosecution of Jesuitical sophistry in relation to that,” said the defence lawyer.
“What happened in relation to this case was completely outside what was meant to be a more limited scope of a targeted equipment interference warrant.”
Is EncroChat admissible?
Defence lawyers are also challenging arguments over the Investigatory Powers Act (IPA) 2016, which regulates surveillance.
Historically, the UK has prevented the use of intercepted communications as legal evidence in court and has restricted its use to intelligence-gathering in order to protect the secrecy of surveillance methods.
Defence lawyers claim it is not clear why Parliament would use the IPA – also know as the snoopers’ charter – to prohibit intercept evidence being used in court if the material was obtained during transmission, but not if it were obtained when stored on an electronic device just before transmission.
As a result, material intercepted as storage just before transmission should not be admissible as evidence, say lawyers.
This would avoid the conclusion that “Parliament did not want to countenance disclosure obligations in one context but were able to do it in another context just because it was stored rather than in transmission”.
The NCA has made more than 1,550 arrests under Operation Venetic working with regional organised crime units and regional police forces.
No date has been set for a verdict.