Messages intercepted by French police during a sophisticated hacking operation into the encrypted phone network EncroChat, cannot be used in evidence, a German court has found.
The Berlin Regional Court ruled that data obtained by a joint operation by the French and the Dutch to harvest millions of text messages from EncroChat users was in breach of German law.
The court’s decision, which is subject to appeal, is the first time a German court has found evidence from EncroChat to be legally inadmissible.
If the Berlin court’s decision is upheld, the trials of hundreds of suspects in Germany accused of drug trafficking could be placed in doubt.
The decision on 1 July 2021 comes as courts in the UK, France and Holland face similar legal challenges over the admissibility of evidence from the EncroChat phone network, which British police claim was almost entirely used by organised crime groups.
Defence lawyer, Oliver Wallasch told Computer Weekly that the case was “of the upmost importance” in upholding the privacy rights of German citizens.
The Berlin decision “shows, that substantial human rights and procedural safeguards are in place even though police and prosecution would like to focus only on getting potential criminals behind bars,” he said.
The court released a defendant accused of 16 counts of drug trafficking offences after finding that the only evidence against him consisted of messages intercepted by the French police from an EncroChat encrypted phone.
The court said that that the use of data from EncroChat users on German territory, without any concrete grounds for suspicion against individuals affected, was in breach of German law.
Novel hacking operation
In a novel hacking operation, the French Gendarmeries’ Centre for Combating Digital Crime (C3N) gained access to EncroChat’s servers, housed at the French datacentre provider OVH in Roubaix in April 2020.
The French, working jointly with the Dutch police and the UK’s National Crime Agency were able to harvest encrypted messages from the EncroChat network.
More than 32,000 phone users in 122 countries were affected, regardless of whether the users were criminal or not, the Berlin court found.
Specialists at C3N collected the messages, passed them on to Europol, which packaged them up according to country of origin and shared them with police forces in Germany, the UK, and other countries.
User of intercept not justified in German law
The Berlin court found however, that the interception represented a serious encroachment of individuals right to privacy.
Even if the interception operation was legal under French law the use of the data in German criminal proceedings was not justified, regional court judge Behrend Reinhard said.
“The Regional Court considers that the surveillance of 30,000 EncroChat users to be incompatible with the principle of proportionality in the strict sense. This means that the measures were unlawful,” he wrote in a 22-page judgment.
The court found that the French had not provided information on how they intercepted data from the EncroChat handsets, and that French authorities were unwilling to provide further information.
EncroChat phones – Android phones with modified hardware and software – were sold through a network of dealers for between €1,000 and €2,000 for a typical six month contract.
French police began preliminary investigations into EncroChat in 2016 and 2017 after recovering a number of EncroChat phones in the possession of drug traffickers.
Law enforcement investigators were able to trace the servers used by EncroChat to a data centre run by OVH in Roubaix, France.
In January 2020 a court in Lille authorised the installation of a software implant that targeted BQ Aquaris X2 Android phones used by more than 32,000 EncroChat users in 122 countries.
The implant, supplied by the French intelligence agency, DGSE, initially harvested historic data from the phone’s memory, including stored chat messages, address books, notes and each phone’s unique IMEI number.
In stage two, the implant intercepted incoming and outgoing chat messages, probably by taking screenshots or logging keys, and transmitted them to a server run by C3N.
German police received daily downloads of data from the phones from Europol between 3 April 2020 until the operation against EncroChat was discontinued on 28 June 2020.
A French court in Lille, approved a European Investigation Order, issued by the Germany prosecutors on 13 June 2020, authorising German courts to use EncroChat data in criminal proceedings.
The Berlin court found that the intercepted data was obtained in breach of EU law governing the use of European Investigation Orders.
No grounds for suspicion
Grounds for suspicion did not exist when the EIO was ordered and implemented, according to the judgment.
Under EU law, member states are required to notify the German authorities before intercepting telecommunications of people on German territory.
This includes providing all the necessary information, including a description of the interception operation to assess whether the interception would be authorised under German law, and whether the material can be used in legal proceedings.
“According to the information that has become known so far, it is to be assumed that there was no such request by the French state and no review by the competent Germany authority in this case,” said Reinhard.
There was no concrete suspicion that criminal offences had been carried out by the users of EncroChat phones targeted, the court found.
“At the time of the order and implementation, there was no suspicion of a crime against the users of the terminal equipment [handsets] that would have justified the surveillance,” the judgment said.
Criminals often prefer communications channels that are difficult to monitor, such as Voice over IP telephones or the secure Tor browser.
But the mere use of an encrypted phone, even one with a high level of security, is not in itself a reason to conclude criminal conduct had taken place.
Bolt cutters
Using an analogy, the mere possession of tools used in burglaries, such as crow bars or bolt cutters, does not provide sufficient grounds for a search warrant.
The German Federal Government is actively encouraging the use of cryptography, through the Federal Government digital agenda, and has been reluctant to oblige telecoms and internet companies to implement “back doors”.
Encryption technologies have also been supported by the Council of the European Union, which supports the technology to protect the digital security of governments, industry and society.
“A behaviour that is fundamentally desired by a state – protection of one’s own data from foreign access – cannot become the starting point for coercive measures under criminal law,” the court said.
Use of EncroChat was not criminal
The court found that although EncroChat’s security features made it particularly attractive to criminals, it was no different than any other encrypted service.
EncroChat was equally attractive to journalists, political activists who feared state persecution or employees of companies who wanted to protect themselves from state persecution.
The high cost of EncroChat phones does not justify the conclusion that they can only be paid for through criminal activity.
There was no concrete evidence that the 60,000 users of EncroChat phones worldwide were part of a “criminal network,” the court found.
EncroChat customers contacted dealers anonymously by email, who handed phones over for cash during meetings in public places, according to German police.
“This procedure fits in with the particularly high security standards claimed by EncroChat and a correspondingly particularly pronounced need for security on the part of the customers,” the court found. “But it does not allow any conclusion to be drawn about the purpose of criminal use.”
Retrospective justification
Among French users, the proportion of suspected of criminality was only 67.3%, equivalent to 317 individuals – a vanishingly small number compared to the 60,000 users registered with EncroChat.
The subsequent discovery of criminal activities after the surveillance began cannot be used to retrospectively justify the interception operation.
The large quantities of drugs seized during investigations into EncroChat messages world-wide – and the spectacular discovery of a torture chamber used by drug dealers in the Netherlands – cannot be used to justify the presumption that the network was predominantly used by criminals.
By 14 April 2021, according to a communication from the European Commission, almost a year after the end of the operation, only 1,500 investigations had been initiated and 1,800 people had been arrested – equivalent to just 5.4% of the EncroChat users placed under surveillance.
German law does not allow for surveillance of telecommunications to establish the suspicion of a crime.
Vague suspicions and general indications are not sufficient to justify “blanket spying” on all users of the chat service, the court found.
Tobias Singelnstein, chair of criminology at the Ruhr-Universität Bochum told Computer Weekly that the Berlin Court’s decision is significant.
It is the first to take into account the serious legal problems inherent in the acquisition of evidence from EncroChat, he said.
German prosecutors said that they would appeal the decision.