Court hearings into the EncroChat encrypted phone network compromised by French police have been delayed after lawyers requested prosecutors to disclose further evidence on law enforcement’s capabilities to decrypt communications.
The National Crime Agency (NCA) has made more than 1,550 arrests under Operation Venetic after the French Gendarmerie harvested millions of supposedly secure messages from the EncroChat cryptophone network, which police say was used by criminal groups.
Defence lawyers have argued that the disclosure of evidence has been made more difficult because disclosure officers do not understand the technical detail in documents relating to police hacking of the EncroChat encrypted phone network.
The courts are preparing to hear up to a dozen preparatory hearings that will decide on the lawfulness, admissibility and reliability of material retrieved from the EncroChat network – the decisions in which will be binding on future prosecutions.
The NCA has not disclosed details of how many people have been charged under Operation Ventetic, the UK’s response to the takedown of EncroChat, but it is understood that around 450 defendants are contesting their prosecutions across the UK.
Issues impact on multiple cases
Jonathan Kinnear QC is overseeing the national strategy for all 250 prosecution cases in the UK – including dealing with legal challenges to the admissibility of EncroChat evidence – for the Crown Prosecution’s Organised Crime Division.
Speaking at a preparatory hearing, he said prosecution lawyers were working to process requests for discovery from defence lawyers.
He told a court that defence lawyers had submitted documents from public websites, some of which were marked “top secret” or “top secret strap one” in evidence.
“We have been working on a response to defence disclosure requests and re-reviewing the disclosure position over the course of last week and this weekend,” he said.
“Given the complexity of the issues, including the technical nature of them and the sheer volume of the material involved, we have not yet completed that review. These are important issues that have an impact not just on this case, but on a significant number of other cases.”
New questions after second cryptophone hack
Defence lawyers raised new questions about the capabilities of law enforcement to decrypt live communications after Belgian and Dutch police announced they had infiltrated a second secure cryptophone network, Sky ECC.
Belgian and Dutch police disclosed during a press conference on 10 March 2021 that they had intercepted more than one billion encrypted messages from the Sky Cryptophone network, and had decrypted half of them.
Defence lawyers have raised questions over whether the joint operation between the UK, France and Holland had the ability to decrypt messages from EncroChat. If true, they argue, that would undermine facts presented in earlier court hearings.
“If it turns out there have been investigations with the NCA or other British agencies, and that involves decryption of messages whilst in transmission, this is clearly disclosable and goes to the heart of the case,” one defence lawyer told a judge the day after the announcement.
Experts are divided over how the French Gendarmerie obtained the decrypted messages, notes and photographs from the EncroChat network.
Snowden documents reveal US and UK encryption attacks
Classified documents leaked by former CIA whistleblower Edward Snowden show that the US and the UK have invested heavily in highly sensitive programmes to break the encryption of online communications.
The NSA and GCHQ developed capabilities to break the encryption web mail, encrypted chat, encrypted voice over IP (VoIP), virtual private networks (VPNs) and the encryption used by 4G mobile phone services.
Snowden documents reveal that the NSA’s mission was to weaken encryption technologies by influencing encryption standards, forming partnerships with telecommunications companies and inserting vulnerabilities into commercial encryption systems.
Both EncroChat and Sky ECC phones use a form of encryption known as elliptical curve cryptography (ECC), which is suited to mobile applications as it offers small faster and more secure cryptographic keys than other forms of encryption.
Secure encryption relies on the ability of software to generate secret prime numbers randomly, often using pseudo-random number generators, to calculate encryption keys which are difficult for intelligence agencies to predict.
Internal NSA memos reported by The New York Times suggest that the NSA had compromised at least one random number generator, called the Dual EC ERBG, which was adopted by the US National Institute of Standards and Technology and the International Standard Organisation.
Security company RSA, which used Dual EC ERBG by default in some of its security products, subsequently advised its customers to switch to alternative pseudo-random number generators.
Court found messages were intercepted before encryption
A judgment by the Court of Appeal on 5 February 2021, however, found that French police had been able to use a software implant to access messages from phone handsets before they had been encrypted. They were automatically forwarded to a server set up by the French digital crime unit, C3N.
Defence lawyers said in a preliminary hearing that they suspected that disclosure officers do not understand a lot of the technical details in documents related to Operation Venetic.
“There is far more likely to be a reliable disclosure exercise if there is an expert assisting a disclosure officer or even an expert appointed as a disclosure officer who can understand the significance of the material,” one lawyer said.
The lawyer said the defence team had requested prosecution disclosure in November last year, but that it was making further reactive requests for disclosure following the takedown of Sky ECC in Belgium.
French investigators broke the supposedly secure EncroChat encrypted mobile phone network, used by 50,000 people worldwide, including 9,000 in the UK, in April 2020, after gaining access to the EncroChat servers discovered in a datacentre run by OVH in Roubaix.
Investigators installed software “implants” on tens of thousands of mobile phone handsets which, according to the court of appeal, retrieved supposedly secure messages, photographs and notes from the phones before they were encrypted.
The French have refused to disclose any details to the courts in the UK and European countries bringing prosecutions against EncroChat users about how the implants work, citing national defence reasons.
Further hearings have been put back to late April or early May.