The hacking of EncroChat, one of the world’s most secure communication networks, has caused people to question whether information obtained can be used in legal proceedings in England and Wales.
EncroChat’s ultimate USP was that it guaranteed anonymity for its customers. Devices that supported EncroChat had hardware and software modifications, for example, the camera, microphone, GPS and USB data ports were removed. The devices, which have a dual Operating System, are also encrypted as soon as they are turned on. Users can launch either a standard Android Operating System or the EncroChat Operating System. The messaging protocol allows two users of EncroChat to have what is described as “a regular conversation between two people in an empty room”.
It is difficult, if the police manage to seize a device, to definitively say whether or not it has EncroChat on it. The police are often only able to identify that there is a password-secured encrypted partition on the device (which may or may not contain access to EncroChat) and they may also make inferences from the SIM card present in the phone (many have Dutch network SIMs).
The devices have emergency functions: an autodestruct feature allows a sender to force wipe their own messages from a recipient’s phone by using a timer countdown; the user can set a number of failed password attempts before the device will wipe all of its data; and the user can also set a “self-destruct” PIN/password that once entered will instantly wipe clean all of the data on the device. Some devices are even set to automatically wipe if not used in a 24-hour period. Devices using the EncroChat service were considered to have impenetrable military grade PGP encryption.
That was until a security notice was allegedly circulated by EncroChat on 12 June 2020 that read:
“Today we had our domains seized illegally by government entities. They repurposed our domain to launch an attack to compromise carbon units. With control of our domain they managed to launch a malware campaign against the carbon to weaken its security. Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. We took immediate action on our network by disabling connectivity to combat the attack. You are advised to power off and physically dispose of your device immediately. Period of compromise was about 30 minutes and the best we can ascertain was about 50% of the carbon devices in Europe (due to the Updater schedule).”
News outlets reported that a large number of organised criminal operations appeared to be compromised shortly after the breach. The Dutch authorities are alleged to have driven the breach.
This has led to concerns from many EncroChat users. There are worries that hacked communications may be used in criminal proceedings. The BBC reported that there were 746 arrests in the UK after messages on EncroChat were intercepted and decoded.
The Irish Times reported that in Northern Ireland four people had appeared in court as a result of the breach. Michael O’Loughlin appeared in Newry court sitting in Lisburn.
It was stated that the “main evidence in the case is an encrypted mobile phone”. The detective claimed that the hack was “lawfully authorised” and led to the police being able to “access the content of the encrypted phone”.
In the UK there are strict rules about the admissibility of intercepted communication. Information that has been obtained by interception in the UK cannot be relied upon by either the prosecution or defence.
‘Interception’ is defined under section 4 of the Investigatory Powers Act 2016 (IPA 2016).
A person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if:
- the person does a relevant act in relation to the system; and
- the effect of the relevant act is to make any content of the communication available, at a relevant time, to a person who is not the sender or intended recipient of the communication.
The ‘relevant act’ essentially amounts to hacking a device. A relevant act is described as:
- modifying, or interfering with, the system or its operation
- monitoring transmissions made by means of the system
- monitoring transmissions made by wireless telegraphy to or from apparatus that is part of the system.
Interception evidence cannot be relied on in criminal courts. Section 56(1) IPA 2016 reads:
“No evidence may be adduced, question asked, assertion or disclosure made or other thing done in, for the purposes of or in connection with any legal proceedings or Inquiries Act proceedings which (in any manner) –
- Discloses, in circumstances from which its origin in interception-related conduct may be inferred –
  - Any content of an intercepted communication, or
  - Any secondary data obtained from a communication, or
- Tends to suggest that any interception-related conduct has or may have occurred or may be going to occur.”
Importantly, this rule prohibiting reliance on intercepted evidence only applies to interception carried out in the UK. There are two limbs:
- The relevant act (the ‘hack’) must be carried out by conduct within the UK
- The communication must be intercepted by a public telecommunication system or a private telecommunication system where the sender or intended recipient is in the UK.
Users of EncroChat in the UK satisfy the second limb but the first limb is problematic. If the Dutch authorities carried out the relevant act, the hacking, then the interception evidence is not automatically inadmissible under UK law.
It is important to identify whether the intercepted evidence was seized on a lawful basis.
In R v Aujla, the defendants were convicted of conspiracy to facilitate the illegal entry of persons into the UK. The evidence included tapes of telephone conversations, recorded by means of a telephone intercept that had been applied for by the Dutch police and granted by the appropriate judicial authority in Holland. The intercepted phone calls were made by the Dutch offenders to the appellants. It was argued at appeal that the judge was wrong not to exclude the taped telephone evidence. The Court of Appeal decided that the interception of the telephone calls in Holland did not represent a breach of UK law (at the time, the Interception of Communications Act 1985) because the intercept occurred in Holland.
In this case, the court also considered whether the material should nevertheless be excluded by the court under s.78 PACE 1984. The court noted that the evidence had been obtained in accordance with Dutch law and Dutch procedure. It was deemed significant that Holland subscribes to the European Convention on Human Rights and it was presumed that Dutch law meets the requirements of both Article 8 and 13 of that convention. The Court was not satisfied that the material should be excluded.
In R v P and Others, three defendants were charged with assisting in the UK in the commission of drug offences in European Union countries A and B. The Public Prosecutor in country ‘A’ had lawfully obtained (in country A) an order authorising the interception of X’s telephone calls. The authorities in country A were able to record telephone calls made or received by X anywhere in the world. The defendants in this case had conversations with X that were recorded. The Prosecutor in country A authorised the police to seek the assistance of the UK authorities, which led to the arrests of the defendants. The admissibility of the recordings was raised as an issue.
The case reached the House of Lords (HoL). The defendants argued their appeals on the basis that although the intercept evidence was properly obtained in accordance with the Convention and law of country A, its use in an English trial would be contrary to the policy of English law and to the Convention. The defendants advanced arguments under both Article 8 (right to a private and family life) and Article 6 (right to a fair trial).
The HoL accepted that the use of an intercept can amount to an “interference” for the purposes of Article 8. However, in this case, the relevant information had been lawfully obtained to assist the prosecution of alleged drug smugglers. It was not used for any other purpose and was not kept for longer than necessary for that purpose. They found that there was no breach of Article 8.
The HoL also found that there was no breach of Article 6. They concluded that the fair use of intercept evidence at a trial is not a breach of Article 6 even if the evidence was unlawfully obtained. Relying on an ECHR case, the court added that an important factor in the admission of intercept evidence is that one of the parties to the conversation will be a witness at trial and will give evidence of what is said.
Given the outcome of R v Aujla and R v P and Others, the key question for these cases will be: have the authorities properly applied for and been granted the appropriate judicial authority to hack the EncroChat platform?
In Mr O’Loughlin’s case, in Northern Ireland, an officer told the court that the evidence:
“has been obtained by lawfully authorised clearance that has been enabled access to his encrypted mobile phone content.”
At the moment there is no further information about the powers the Dutch authorities were exercising. If, as claimed, the hack of EncroChat was lawfully authorised, then the evidence is likely to be admissible unless it can be excluded under s.78 PACE or there is an effective abuse of process argument.
If the content of these encrypted mobile devices is admissible in UK courts, the next point to consider will be whether or not the communication can be attributed. The devices give users anonymity and the devices, if found, are likely to be wiped clean. However, attribution is likely to be made on the basis of finding an encrypted phone with a suspect; photographs of suspects with these phones; identification information given during conversations on the platform; or any other circumstantial evidence discovered. Given that these devices cost approximately £1,500 for a 6-month contract, any evidence of such payments may also strengthen the Crown’s case. Attribution is likely to be the key issue at any upcoming trial.
The issue of whether or not a device and the associated messages obtained from a hacked server can be attributed to a suspect is likely to be a key point in successfully arguing that evidence should be excluded under s.78 PACE. If the authorities are relying solely on evidence obtained from a hacked server, there will be real arguable concerns about the reliability, accuracy and authenticity of the evidence that is being relied upon. It will not be far-fetched to assert that an authority capable of hacking and penetrating a military grade PGP encrypted server is capable of altering the evidence being relied upon. This is likely to be a concern for anyone suspected to be involved in serious organised crime. A systematic request for disclosure of the step-by-step processes used to obtain and gather the evidence and material must be made by any lawyer who is defending a suspect where such evidence is being relied upon by the prosecution.
Alexandra specialises in both criminal and family law. In her criminal law practice she represents a variety of clients charged with serious matters and specialises in young and vulnerable clients. Her family law practice includes private children, public children, domestic abuse and finance cases.
 A system in the UK that facilitates the transmission of communications by any means involving the use of electrical or electromagnetic energy.
 Any time while the communication is being transmitted, and any time when the communication is stored in or by the system (whether before or after its transmission).
 Interception-related conduct is defined as:
- conduct by a person* that is, or in the absence of any lawful authority would be, an offence of unlawful interception
- a breach of the restriction on requesting interception by overseas authorities
- a breach of the restriction on requesting assistance under mutual assistance agreements
- the making of an application by any person for a warrant, or the issue of a warrant under Chapter 1
- the imposition of any requirement on any person to provide assistance in giving effect to a targeted interception warrant or mutual assistance warrant
*A person includes:
- any person who is an intercepting authority
- any person holding office under the Crown
- any person deemed to be the proper officer of Revenue and Customs
- any person employed by, or for the purposes of, a police force
- any postal operator or telecommunications operator
- any person employed or engaged for the purposes of the business of a postal operator or telecommunications operator
 The communication must be intercepted in the course of its transmission by means of a public telecommunication system or a private telecommunication system in a case where the sender or intended recipient of the communication is in the UK.
 They relied on R v Preston  2 AC 130 and Morgans v DPP  2 WLR 386
 Schenk v Switzerland (10862/84) 13 EHRR 242