French legal challenge over EncroChat cryptophone hack could hit UK prosecutions

French police unlawfully intercepted text messages from tens of thousands of encrypted phones in an operation that led to thousands of arrests across Europe, lawyers claim.

Investigators from France’s digital crime unit infiltrated the EncroChat encrypted phone network in April 2020, capturing 70 million messages.

The operation, supported by Europol, led to arrests in the UK, Holland, Germany, Sweden, France and other countries of criminals involved in drug trafficking, money laundering and firearms offences.

Paris-based defence lawyers Robin Binsard and Guillaume Martine, founders of the French law firm Binsard Martine, have filed claims in French courts arguing that the interception is unlawful under the French Code of Criminal Procedure and other French laws (see box: Legal grounds against French EncroChat operation).

The lawyers say the investigators went beyond the legal authorisation given by a court in Lille by carrying out “massive data collection involving tens of thousands of mobile phones and tens of millions of messages”.

They are also questioning the lawfulness of the Gendarmerie’s refusal to disclose any details of the hacking operation – on the grounds of defence secrecy – under the French Constitution. And they are questioning the validity of orders made by the Lille court authorising the investigation.

If the challenge is successful, it is likely to raise questions about more than 250 prosecutions currently underway in the UK which make use of text messages, photographs and notes harvested from EncroChat phones by the French Gendarmerie.

The NCA has made around 1,550 arrests in the UK based on EncroChat evidence

Britain’s National Crime Agency (NCA), working with regional police forces, has made around 1,550 arrests in the UK, based on the EncroChat evidence supplied by French computer experts.

“If we have a decision saying the way the French collected the EncroChat messages was illegal, most other judges worldwide should reach the same conclusion. That evidence was collected by French authorities and under French law,” Binsard told Computer Weekly.

French investigators began intercepting unencrypted messages from EncroChat handsets on 1 April 2020, and by 27 April had amassed 68,750,000 messages from 32,477 phones in 121 countries, according to French legal documents.

Defence secrecy

Binsard and Martine are challenging the Gendarmerie’s refusal to reveal any details of how it carried out the interception of the EncroChat phones on the grounds of defence secrecy.

Forensic experts in the UK have argued that the Gendarmerie’s silence has led to an evidential “black hole” that has broken long-established principles which ensure that evidence is properly acquired and secured before being used in legal cases.

“We need [documents from the Gendarmerie] even if it is a defence secret. We have to have access to them. If we don’t, we cannot have a fair trial”

Robin Binsard, Binsard Martine

Under French law, the Gendarmerie is obliged to provide an explanatory note on the techniques used to obtain the intercept evidence and a certificate to authenticate the intercepted phone data and messages obtained from EncroChat phones.

“We need those documents even if it is a defence secret. We have to have access to them. If we don’t, we cannot have a fair trial,” said Binsard.

The French lawyers applied to the court of appeal in Nancy, in north-eastern France, in February, seeking further disclosure of evidence about how the hacking was carried out.

A judge has asked the Gendarmerie to provide further technical details of the hacking operation.

Hacked phones outside jurisdiction of French courts

The lawyers also argue that investigators at the French National Gendarmerie’s centre for the fight against digital crime, C3N, went beyond the legal authority granted by judges in a court in Lille.

The Lille court gave authorisation to the Gendarmerie to investigate the activity of EncroChat in France, which was accused of illegally importing encrypted devices into the country.

EncroChat phone users received an anonymous message warning them that the network had been compromised and advising them to dispose of their handsets immediately

A judge authorised an investigation into the role of the company’s representative, identified as Eric Miguel, who leased servers for EncroChat through Virtue Imports, a company registered in Vancouver Canada, that were hosted by French software-as-a-service company OVH at its datacentre in Roubaix.

According to legal documents, only 380 of the 32,477 phones hacked by C3N were on French territory, putting nearly 98% of phones outside French legal jurisdiction.

The operation was “clearly a massive and indiscriminate capture of computer data unrelated to the alleged association of criminals led by Eric Miguel or even any criminal activity”, the lawyers said in a legal opinion.

“Almost all of the hacked phones, and therefore intercepted communications, thus do not, in reality, fall within the jurisdiction of the French judge,” it says.

Distribution of EncroChat phones across Europe, not many of which were in France

Court order authorising data capture invalid

Binsard and Martine argue that a court order to divert EncroChat messages to a “capture device” controlled by the French Gendarmerie on the eve of the interception operation was also unlawful.

The order failed to specify a duration for the operation, required under article 706-102-3 of the French Code of Criminal Procedure, and should therefore be declared “null and void”.

Subsequent court orders extending the interception operation are also unlawful and should be voided by the court, they claim.

“We will ask them to destroy all of the messages,” said Binsard.

Court orders that prevented technology companies providing services for EncroChat from taking any action that could affect the operation of EncroChat’s infrastructure also face legal challenges.

Lawyers argue that court orders, such as the one preventing cloud service provider OVH from taking any action that could affect the operation of EncroChat’s infrastructure, were unlawful

They include an order to prevent domain name registrar Gandhi SAS and hosting company DNS Made Easy from taking any action that impacted the EncroChat.ch internet domain and related subdomains.

Another order required the cloud service provider OVH not to take any action that would impact the network infrastructure, virtual machines and IP addresses associated with EncroChat. 

Although French law allows for the interception of data, it does not permit “blocking” or “modification” orders, according to the law firm.

EncroChat has become politicised

Binsard said EncroChat had become politicised and that it was not clear how the courts would react to legal challenges in France.

“All of the judges want to protect this investigation, so it is difficult to predict. According to the law, we should win, but the judge may try to protect the use of EncroChat traffic, even if they have to do so illegally,” he said.

Binsard said defence lawyers may refer the case to France’s constitutional council to decide whether the French Constitution has been breached, if they are not granted access to more details about how the French Gendarmerie carried out the hacking on EncroChat.

The case may ultimately go to the European Court of Human Rights as a potential breach of Article 8 of the European Convention on Human Rights, which protects the right to privacy.

The case of Big Brother Watch and Liberty v UK in 2018 found that the UK’s mass surveillance programmes did not “meet the quality of law” and were not capable of limiting “interference” to that “necessary in a democratic society”.

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter