Julian Richards, Partner and Head of Complex Crime, provides information about the Encrochat Hack and what to do if you are caught up in it.
BACKGROUND: The beginning of the arms race
Our mobile phones: from dusk till dawn they are with us, charting our movements, communications and daily lives. But what is their role in Serious and Organised Crime, and how has that role evolved over time?
Anyone who has watched the successful HBO series “The Wire” will know the importance of phones to those actively involved in criminal activity. In the series, the term “burners” was used to refer to phones; phones that could be used by criminals without being linked to individual subscribers in a way that our contract phones can.
How does it work? The drug dealer obtains a burner that cannot be traced back to the user; the number of the phone would be known only to those involved in the supply of drugs and, once it had been used for a fairly short period, it would be disposed of. A new burner would then be acquired and the whole process would start again. In this way, the police are never given enough time to compromise the phone and gather information about the illegal activities of the user.
However, this strategy has some obvious flaws. Most notably, it is extremely inconvenient to change your phone number on such a regular basis. Each time the user would have to tell dozens of people the new number, thus complicating and delaying their criminal activities. Delay means loss of money and opportunity.
There were also issues with the security of burners. They were typically cheap, disposable phones, but also, and most importantly from a security perspective, rudimental. They could easily be accessed by law enforcement agencies. For this reason, the vast majority of professional criminals, particularly those involved in the upper echelons of organised crime, ultimately rejected the use of burners.
Instead they looked to the iPhone or Android phones. These types of phones are far more sophisticated and therefore more secure. For example, the user can set the phone up to require a PIN for access, and as such law enforcement agencies have often struggled to examine these devices. It also helped that these huge global companies, with a perfectly legitimate incentive to ensure that their customers were guaranteed privacy, were able to challenge access to their systems. As long as the user refused to provide the PIN code for their phone, their device was safe from investigation by the police. That is, until the law changed.
The introduction of the Regulatory of Investigatory Powers Act 2000 (RIPA) in the UK made it an offence for those who were suspected of illegal activity to fail to disclose the PIN to their phone, if a properly made request were made by the State for it to be provided. RIPA was the first step towards addressing the additional security measures adopted by the phone providers.
Then, some time after this legislation was introduced, it became clear that the investigative authorities had developed a capacity to access these devices despite the security measures introduced by these companies. To add to this, security of these devices is only ever as good as the security level of the weakest link in the communication chain: it doesn’t matter that the sender has unbreakable security on their phone if the recipient has none. If the police access a rudimental phone and see evidence of drugs supply, all they need is to find the smartphone user. If it is a contract phone, this is no hard task. With the phone number and subscriber information, coupled with other developments in investigative techniques including ANPR (number pate recognition), cell site and surveillance, the police can find and arrest the user.
So how did some of those involved in organised crime react? As usual, they looked for an alternative.
Encrypted phones appeared to be the answer. Remember Blackberry phones? They, and other companies, began to implement “Pretty Good Privacy”, or PGP, in their devices. PGP is an encryption program that provides cryptographic privacy for data communication, and as a result devices which used PGP became a useful defence against police investigation in the world of organised crime. However, as investigating agencies developed more and more sophisticated technics to break encryption, so began an arms race between them and the organised crime groups (OCGs) they were investigating. Every time the police found a way to break into a system used by the criminal fraternity, eventually something would pop up to put the criminals once again out of their reach.
EncroChat
Enter EncroChat, a European communication network and service provider. EncroChat offered its users the ability to send encrypted messages, make encrypted call (EncroTalk) and write encrypted notes (EncroNotes). This is achieved through specially modified Android phones running the Encro software which not only provided high levels of encryption on the device, but also routed all data through a central server located in France which provided end-to-end encryption of calls and messages. In addition an EncroChat phone includes a panic button on the phone which when pressed causes the contents of the phone to be immediately wiped, and a user can also send a “kill pill” to self-destruct the contents of the phone.
EncroChat made it relatively straightforward to acquire a “Military Grade” encrypted phone (or so they were marketed). While initially developed and marketed to celebrities wanting a higher level of privacy, the service was quickly adopted by the criminal fraternity and by 2017, EncroChat phones were widely regarded by law enforcement as the device of choice for OCGs. OCGs using the EncroChat service were able to make encrypted phone calls, send encrypted messages that disappeared from both sender and recipient within a set amount of time, and completely wipe a phone by the very action of the police entering a PIN number provided to them by the user. Using the EncroChat service OCGs were able to operate with complete privacy, and the police found their attempts to investigate criminal activity frustrated at every turn.
EncroChat breached
And then law enforcement agencies cracked EncroChat wide open.
In 2019, a joint operation between UK, French and Dutch police broke into EncroChat’s service, putting a piece of malware on to the French server and potentially the carbon units themselves, allowing them to interrupt the panic wipe feature, access messages sent between users and record lock screen PINs. By April 2020 European agencies, including the NCA in the UK, had access to millions of text and hundreds of thousands of images. Under the codenames Operation Venetic (NCA) and Eternal (Metropolitan police) agencies began to analyse the huge amount of data that had been gathered and began to make hundreds of arrests, seizing millions of pounds of drugs, cash and weapons in the process.
there will be more to come
Dame Cressida Dick, the Metropolitan Police Commissioner, said: “this is just the beginning. We will be disrupting organised criminal networks as a result of these operations for weeks and months and possibly years to come.”
Nikki Holland, director of investigations at the NCA, said: “this is the broadest and deepest ever UK operation into serious organised crime.” There is every reason to believe that the number of arrests arising out of the hack of EncroChat will rise as the police work their way through the evidence that they have obtained.
Whilst the current target is serious organised crime, it is thought that the NCA is sharing its intel with various other government agencies, such as HMRC, and so we would expect the scope of the investigations spawned by the EncroChat hack to widen over the coming months and years.
EncroChat shuts down
In June 2020 EncroChat, realising that it had been compromised, sent a message to its users advising that they dispose of their devices immediately. The service has since been permanently shut down. However, the European agencies had had access to the service for months, and the damage had already been done. It is now just a matter of time as these agencies sift through the enormous amount of data at their fingertips.
Was the EncroChat hack legal?
However, that is not necessarily the whole story. As a defence solicitor tasked with defending my clients arrested because of information accessed via EncroChat’s French server, I must first ask whether the accessing of the server itself was legal. This is not a question that can be answered with any certainty at the moment as we do not yet know the specifics of the hack, but there is some information out there, and we can use it to begin to consider potential defence strategies.
In 2016 the Investigatory Powers Act 2016 came into force. It provides a new framework to govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies.
Section 56(1) of the Investigatory Powers Act 2016 (IPA 2016) states that no interception evidence (i.e. ongoing communication that is monitored as it happens) can be relied on, as long as the interception is carried out in the UK and at least one of the parties to the communication is in the UK.
The question will be whether the hack took place in the UK. Information about the nature of the hack is scarce, and we are unlikley to get the full picture until the first cases go through the court system and the police are forced to disclose the methodology. On the information that we have right now, it appears that the hack itself took place on a French server by French authorities, and so on the face of it s.56(1) IPA 2016 would not apply. However, there is also suggestion that the malware was detected on the carbon units themselves, and it was this malware that provided access to the messages rather than access to the server itself. If this is correct, then there might be an argument that the relevant interception took place in the UK and as such s.56(1) IPA 2016 should apply.
We must also carefully consider whether the prosecution are able link the individual with the phone given the high level privacy; the EncroChat service was marketed with ‘guaranteed anonymity’, and there was supposed to be no way of associating a device or SIM with a customer account. This question will only be answered on a case by case basis, and may well turn on whether the phone was found in the possession of the individual or the police have photographs or other evidence of the device being used by the individual. It is the job of the defence to make the prosecution prove this beyond reasonable doubt.
We are told by the investigating agencies that they had “a lawfuly authorised capability” to undertake the hack. We do not yet have the full picture of the nature of the hack, and there appears to be some conflicting information out in the public domain, but we do know that the hack itself was initiated by a non-UK government agency (we believe the French). It could be that the hack was indiscriminate, targeting as many carbon units as possible, irrespective of the identity of the user and the purpose for which they were using the EncroChat service.
It is admitted that a proportion of the 60,000 EncroChat userbase were not OCGs. It is not illegal to own and use an EncroChat phone, and there are many reasons that someone might wish to do so, from extra-marital affairs to celebrities wary of their phones being hacked and photos uploaded to the web. EncroChat, and the other services like that, is a perfectly reasonable way of obtaining a lawfully required level of privacy.
Thus, if it comes to light that the hack indiscriminately swept up all users it touched, criminal and lawful alike, then there must be at least the potential for challenge. It is hard to accept that an English Court would ever agree to admit evidence obtained by unfiltered, indiscriminate access to a userbase on the basis that some users may be involved in criminal activity. If so, does this mean that law enforcement agencies are entitled to view every single message that any of us ever sends just to try to catch those who are involved in criminal activities? There must be a balance, a balance of the need to protect our citizens from harm but also the balance of protecting our privacy and individual and collective freedoms.
I say this knowing that the rules of evidence in this jurisdiction differ from those in others. We have all seen cases, particularly in US dramas or films, where terribly damning evidence such as bodies or drugs being found in a house has been ruled inadmissible because the police had “no warrant”. All of us who practice criminal law in this jurisdiction know that this does not apply here; there is no “fruit of the poisonous tree” doctrine in English Law. If the police enter your house unlawfully and find damning evidence, then they can generally use what they find.
Given this, the question will be whether the evidence obtained from the hack is the sole evidence relied on by the prosecution, or whether that phone evidence led the police to discover additional evidence. For example, those who have been caught in possession of large quantities of drugs, money or firearms as a result of the police obtaining information from the EncroChat hack are unlikely to be able to argue that these items seized should not be admissible in court due to the illegality of the hack.
However, there will be those arrested and charged who were not found in possession of such damning items. There will be some for whom the entire prosecution case rests of the evidence obtained from the EnrcoChat hack. These individuals will only be linked to crimes by the allegation that they have been using a phone that was used to plan the commission of crimes, and this will be where the question of the legality of the hack itself will be susceptible to challenge and inevitably will be.
What to do now?
What is certain is that we are going to be seeing prosecutions arise based on EncroChat evidence for months and potentially years to come. While we see the more serious crimes brought before the court at first, the information gathered by the hack will eventually make its way to the different government agencies responsible for prosecuting criminal offences. For example, the potenital involvement of HMRC means it is likely that we will start seeing arrests in respect of tax evasion and money-laundering offences.
If you were an EncroChat user then the most important action you can take is to assess the risk of being caught up in an investigation, determine the likely nature of that investigation and then create a plan of action for each eventuality. This can only be done with the help of an experienced professional with specific subject matter knowledge in this area of law and with EncroChat phones.
Preparation is an important part of any defence, and the more time spent getting the right advice before you are arrested, the better prepared you will be.
Please contact Julian Richards of Reeds Solicitors if you would like further advice on this issue or in contesting evidence obtained pursuant to the accessing of “Enrochat”.
Julian Richards is a partner at our Oxford office who regularly deals with complex crime, including large scale national/international drug and money laundering conspiracies, and is ranked by the Legal 500 as a “Leading individual” in Crime.
He can be contacted through our contact us page, which can be found by following this link.