New constitutional issues raised
The Supreme Court found that articles in the Code of Criminal Procedure relied on in the EncroChat case could be properly considered by the Constitutional Council, as they raised a new constitutional question.
“The question raised is of a serious nature,” the decision released this week found. The public prosecutor or examining magistrate made a choice to invoke national defence secrecy for the entire EncroChat operation and “not only for decryption of data collected”, it said.
That may have had the consequence that “a great deal of information useful for checking the regularity of the operation cannot be submitted to the adversarial debate, which may constitute an excessive infringement of the rights and freedoms invoked”.
The nine-member council has been asked to decide, among other issues, whether the criminal code used by prosecutors failed to provide “sufficient and adequate legal guarantees”, and whether it failed to offer “adequate [legal] recourse” to EncroChat defendants.
The council will also decide whether there was an adequate prior review of the decision to collect unencrypted messages from the EncroChat phone network by an independent court. At issue is whether France’s code of criminal procedure affected the rights of people charged with EncroChat-related crimes to a legal defence, affected the principle of “equality of arms” in court proceedings, and impacted their right to an effective legal remedy. The council will determine whether the legal codes used in the EncroChat operation “unjustifiably and disproportionately” infringed the constitution.
Three possible outcomes
French prime minister Jean Castex is expected to be represented during the hearing. Lawyers and other interested parties, such as associations, can also make written representations. The council’s decision has three possible outcomes. Firstly, it can find that existing law is compatible with the French constitution.
If the council finds that the law is incompatible, it can decide either to invalidate the law covering historic cases, which would require prosecutors to release documents to defence lawyers describing technically how the EncroChat hack was carried out. Alternatively, the council could revoke the law for future cases, which would make it more difficult for French prosecutors to invoke defence secrecy during future hacking operations.
French Supreme Court to hear arguments over legality of EncroChat
Separately, the French Supreme Court is due to hear arguments over the legality of the French operation against EncroChat at a hearing next month. The case, which is expected to go to the European Court of Human Rights, could affect prosecutions in the UK, the Netherlands and Sweden, if the court finds the operation unlawful.
The decision comes after Paris-based lawyers Robin Binsard and Guillame Martine, founders of law firm Binsard Martine, brought a legal claim to the French Supreme Court that the interception operation against the EncroChat phone network breaches French law and the French constitution. Binsard and Martine are challenging the French Gendarmerie’s refusal to provide defendants with information on the hacking operation on the grounds of “defence secrecy”. They claim that for defendants to have a fair trial, the French police should explain how they obtained intercept evidence from EncroChat phones and provide a certificate to authenticate the intercepted data and messages.
The lawyers claim that French computer crime specialists went beyond the legal authority granted to them by judges in a court in Lille. The disputed court orders include one requiring French cloud computing service provider OVH, which hosted the servers used by EncroChat at its Roubaix datacentre, to modify its network to enable the interception to take place.
Gendarmes (police) based at the C3N digital crime unit in Pointoise, with the assistance of Dutch investigators, were able to covertly take copies of the servers and upload a “software implant” that was able to extract plain text messages sent over the supposedly secure phones in April 2020.
Evidence Black hole
Forensics experts in the UK have argued that the French Gendarmerie’s refusal to release information on the hacking has led to an “evidential black hole” that has broken accepted principles that evidence should be properly acquired and secured before being used in legal cases.
Legal arguments before the French Supreme Court over EncroChat
1. Failure to specify duration of interception authorised by a court order
A court order authorising investigators to re-route EncroChat traffic to a capture device run by the French Gendarmerie does not specify the duration of the measure. This is in breach of article 706-102-3 of the Code of Criminal Procedure. Defence lawyers are calling for the order to be declared null and void.
2. Cancellation of further court orders
Defence lawyers argue that annulment of one court order for failing to specify a duration must lead to the cancellation of three subsequent court orders granting extensions to the intercept operation. They are calling for the destruction of intercepted messages gathered during this period.
3. Network modifications were unlawful
Court orders taken out to prevent the two domain name service companies and French software-as-a-service company OVH from carrying out any operation that interfered with the Encrochat.ch domain names were unlawful. Article 706-102-1 of the Code of Criminal Procedure allows law enforcement to intercept data, but does not allow “blocking” orders against the domain name service providers. Other court orders that required “modification of network routing rules” also fell outside the Code of Criminal Procedure. Defence lawyers argue that six court orders authorising the operation against EncroChat should be cancelled because they “very clearly” exceed the provisions of the Code of Criminal Procedure.
4. Interception should have been limited to phones in use on French territory
Defence lawyers argue that interception of messages on EncroChat phones should have been limited to phones in use on French territory. They say the interception of EncroChat phones was “massive and indiscriminate” and went beyond the investigation authorised by the Lille court into the illegal import of encrypted EncroChat devices into France. The capture method should be considered “illegal and void”.
5. Defence secrecy
The Gendarmerie has refused to disclose any technical details of the interception operation against EncroChat or to provide a certificate of authenticity of the seized data, required by French law. Defence lawyers argue that the data capture was therefore illegal and should be declared void.
27 lawyers from around the world have said in a open letter to the European commission. “The lack of disclosure over the Encrochat hack breaches EU standards on procedural safeguards & international Human Rights alliance” Furious Lawyers- several from the UK have said French police not disclosing details of how they “hacked” Encrochat means their clients can’t get a fair trial. They demand a complete halt of all future prosecutions are demanded in the letter and a complete review of evidence.
EncroChat was a secure communications network. Participants obtained Encro-phones from agents; a subscription would be paid in order to receive a handset and the user would be assigned a unique ‘handle’ or username. The phone used a SIM card capable only of handling data, which was issued by the Dutch telecommunications company KPN. EncroChat devices could not connect to the telephone network; users could only communicate with other EncroChat users.
Since 2016, law enforcement agencies across Europe have suspected that EncroChat was used as a communications platform for organised criminal activity. It is understood that the French Gendarmerie managed to develop a way of obtaining EncroChat handle communications (and other data) by interception and/ or hacking. On 1st April 2020 and data was harvested and transmitted to a data hub controlled by the French Gendarmerie. The data was then transferred to Europol, which organised the processing and transfer of data to the relevant law enforcement agencies across Europe through EU police and judicial cooperation mechanisms. As a result, thousands of people across Europe have been arrested and prosecuted based on evidence obtained during the hack.The French police managed to harvest 100 million supposedly encrypted messages from the EncroChat phones, along with details of users’ contacts, notes, videos and voice messages, their pseudonyms or handles, and the phone IMEI numbers.
Support of appeal
Fair Trials- a independent outfit has joined lawyers from seven European countries to denounce the use of evidence obtained from the infiltration of the secure communications network ‘EncroChat’. In an open letter to the European Commission and the European Parliament, we call out the lack of oversight and transparency surrounding the investigation, which poses serious risks for fundamental rights and the rule of law.
Thousands of people across Europe have been arrested, detained and prosecuted based on evidence obtained during the hack of EncroChat. The data obtained by the French police authorities was sent to Europol, which transferred the data to law enforcement agencies in other EU countries. However, details about how the network was infiltrated and what underlying data was retrieved have been suppressed by the French authorities on the grounds of ‘defence secrecy’.
We wish to draw our concerns to the EU institutions, in view of the roles of two EU agencies, Europol and Eurojust, in this operation including by way of a joint investigation team (see e.g. here1). As the EU is set to further expand Europol’s mandate pursuant to the European Commission’s proposal of December 20202, we urge the EU to integrate safeguards and oversight mechanisms to help prevent fundamental rights violations. Therefore, we call on the European Commission and the European Parliament to implement the following measures as a matter of urgency:
- Ask all concerned Member States to impose a moratorium on (new) prosecutions until evidence is duly disclosed, as required to safeguard the right to a fair trial;
- Require Europol to provide explanations in the related ongoing national proceedings on its role in processing and analysing the data; and in sharing the data (including which countries were involved and when), with a view to supporting the courts’ oversight role;
- Demand that the European Parliament to set up an inquiry committee pursuant to Article 226 of the Treaty on the Functioning of the EU to look into breached of EU law in the context of the EncroChat investigation;
- As law makers, adopt appropriate safeguards to ensure that data processed and shared via EU police and judicial cooperation mechanisms cannot be subject to a blanket assertion of national defence secrecy as done by the French authorities, which undermines EU defence rights, starting with the proposal to revise Europol’s mandate.
In the EU legal framework, it is recognised that the fundamental rights of all people, including suspects and accused persons, must be upheld and protected. We are very concerned that the current handling of the EncroChat issue threatens the Rule of Law and fundamental rights protected by EU law that, if it is allowed to pass unchecked, this sets a worrying precedent.
The lawyers call on the European Parliament and the European Commission to require European policing body Europol to fully explain its involvement in the EncroChat operation.
The go on to say Europol should explain its role in processing, analysing and sharing the EncroChat data, including which countries were involved and when, to the national courts dealing with EncroChat cases, say the lawyers. They also call for the European Parliament to set up an enquiry into what they describe as breaches of EU law during the EncroChat investigation.
The lawyers say in the letter that the hack may have involved an exercise of “extraterritorial jurisdiction” by the French Gendarmerie which breached the sovereignty of individual EU member states.
“The likelihood is that the hack involved the fundamental rights of thousands of individual citizens of member states, including at least the right to respect for private and family life, the right to freedom of expression and the right to protection of personal data, while an adequate review by an independent judicial authority is completely absent in this regard,”
Appeal court finds ‘digital phone tapping’ admissible in criminal trials: On 6 February 2021, judges decided that, despite UK law prohibiting law enforcement agencies from using evidence obtained from interception in criminal trials, communications collected by French and Dutch police from EncroChat using software “implants” were admissible evidence in British courts.