It remains unclear at the moment whether or not the hacking of EncroChat is best considered as ‘interception’, defined under section 4 of the Investigatory Powers Act 2016 (‘IPA 2016’). It may be ‘equipment interference’ under section 5 of the IPA 2016. The acts may also fall outside of the scope of the IPA 2016, given that there has been ‘intelligence sharing’.

An update as to how EncroChat was ‘hacked’

It seems that the French National Gendarmerie put a “technical device” on EncroChat’s servers in France. One of the theories reported in Vice is that the “technical device” appears to be a form of malware, which allowed them to read instant messages before they were sent and also to record lock screen passwords. It allowed the authorities to monitor the conversations of thousands of people.

The chief of the Dutch National Police Force, Jannine van den Berg, described the malware as being like “sitting at the table where criminals were chatting among themselves.”

The French National Gendarmerie joined the Dutch police in forming a Joint Investigation Team (JIT) in April. This team were said to cooperate through Eurojust and were supported by Europol. The JIT distributed the obtained data to other European partners, including the UK, Sweden and Norway.

The UK’s National Crime Agency, upon receiving the information, began to build data analysis technology to “identify and locate offenders by analysing millions of messages and hundreds and thousands of images.”

Equipment interference

Equipment interference is also known as computer network exploitation (CNE). It can be carried out either remotely or by physically interfering with the equipment. This may include using someone’s login details to access information on a device or covertly downloading the contents of a device when unattended. More complex equipment interference may include remote access to computers and other electronic equipment, which may involve exploiting vulnerabilities in software. The latter technique can be used to control devices or networks and enable the ‘interferer’ to extract material or monitor the device.   

Legality of Equipment Interference

In the UK, equipment interference requires a warrant.

The Secretary of State may issue a targeted equipment interference (TEI) warrant, on an application made by or on behalf of the head of an intelligence service (holding office under the Crown) if:

  1. The warrant is “necessary”:
    1. In the interests of national security, or
    2. For the purpose of preventing or detecting serious crime, or
    3. In the interests of the economic well-being of the UK so far as those interests are also relevant to the interests of national security (only if the interference is necessary for the purpose of obtaining information relating to the acts or intentions of persons outside the British Islands)
  2. The conduct authorised is proportionate to what is sought to be achieved
  3. Satisfactory arrangements (safeguards relating to disclosure etc.) are in force
  4. The decision to issue the warrant has been approved by a Judicial Commissioner, unless the need to issue the warrant is urgent[10]

The secretary of state may also issue a TEI warrant, on an application made by or on behalf of the Chief of Defence Intelligence if:

  1. The warrant is “necessary” in the interests of national security
  2. The conduct authorised is proportionate to what is sought to be achieved
  3. Satisfactory arrangements (safeguards relating to disclosure etc.) are in force
  4. The decision to issue the warrant has been approved by a Judicial Commissioner, unless the need to issue the warrant is urgent[11]

The decision to issue warrants under these sections (s.102 and 104 IPA 2016) must be taken personally by the Secretary of State.[12]

A law enforcement chief[13] (LEC) may also issue a TEI warrant, on an application made by a person who is an appropriate enforcement officer in relation to the chief, if:

  1. The warrant is “necessary for the purpose of preventing or detecting serious crime,
  2. The conduct authorised is proportionate to what is sought to be achieved
  3. Satisfactory arrangements (safeguards relating to disclosure etc.) are in force
  4. The decision to issue the warrant has been approved by a Judicial Commissioner, unless the need to issue the warrant is urgent[14]

A LEC (part 1 only)[15] may also issue a TEI warrant, on an application made by a person who is an appropriate enforcement officer in relation to the chief, if:

  1. The warrant is “necessary for the purpose of preventing death or any injury or damage to a person’s physical or mental health or of mitigating any injury or damage to a person’s physical or mental health,
  2. The conduct authorised is proportionate to what is sought to be achieved
  3. Satisfactory arrangements (safeguards relating to disclosure etc.) are in force
  4. The decision to issue the warrant has been approved by a Judicial Commissioner, unless the need to issue the warrant is urgent[16]

A TEI warrant authorises any conduct necessary to do what is expressly authorised or required by the warrant. This includes conduct for securing the obtaining of communications, equipment data or other information. Importantly, a TEI warrant also authorises any conduct by any person which is in pursuance of a requirement (imposed by or on behalf of the person to whom the warrant is addressed) to be provided with assistance in giving effect to the warrant.[17]

Unlike ‘intercept’ evidence, material acquired under these warrants will be admissible in court. Whilst the equipment interference did not take place in the UK, the information obtained through authorised equipment interference may be used as evidence in criminal proceedings in the UK.

As I set out in my previous article, an important consideration in these EncroChat cases will be ascertaining whether the evidence has been seized on a lawful basis. If the activity is deemed to be equipment interference that was properly authorised, it is likely to be admissible unless it can be excluded under s.78 PACE or there is an effective abuse of process argument.

The Concern

Equipment interference raises concerns as to the reliability of the evidence. The obvious worry for most defence lawyers will be whether this evidence is reliable and whether it can be properly assessed. Disclosure will need to be sufficient so as to allow an expert to be able to properly analyse the data in relation to its reliability, continuity and the attribution of communications. This may prove to be difficult particularly in relation to attribution. For example, many platforms use multiple IP addresses or hide users’ IP addresses. If, through a person is able to control a device, it is reasonable to assume that they have the unfettered ability to alter or delete any information on that device.

Intelligence sharing

‘Intelligence sharing’ refers to the arrangements between countries to share information obtained via their national intelligence work.

The French and Dutch authorities have supplied the UK authorities with the relevant information they obtained by ‘hacking’ EncroChat.

If the UK authorities claim they played no role in the hacking, these cases may fall outside the scope of the IPA 2016. Whilst under the IPA 2016 the UK the authorities would need a warrant for any interception or equipment interference, they can receive the same information through intelligence sharing from abroad.

There is a structure for UK authorities needing a warrant for equipment interference, but intelligence sharing as far as it is regulated would fall outside of the IPA.

Legality of Intelligence Sharing

In Liberty v GCHQ[18] the Investigatory Powers Tribunal stated the following:

“In relation to any material intercepted abroad it would always be unlawful for the Intelligence Services to use the absence of a warrant as a device deliberately to circumvent the requirements of UK law by procuring another State to do what they could not lawfully do themselves.”

An argument under the European Convention of Human Rights was raised. The IPT noted that Article 8 ((the right to respect for private and family life) and Article 10 (the right to freedom of expression) ECHR rights may be limited if those limitations are “in accordance with the law” or “prescribed by law” and are necessary in a democratic society”. Importantly, they held that GCHQ’s disclosure of paragraphs from an internal policy document stating that they will not “deliberately circumvent” the relevant stature satisfied the “prescribed by law” requirement. This has also been litigated in Strasbourg in Big Brother Watch & Others v The UK[19] , which didn’t require further legal framework for intelligence sharing. The court found that obtaining intercepted communications from foreign governments under intelligence sharing arrangements did not breach Articles 8 and 10 of the ECHR. Interesting, the court found that Article 8 was only interfered with in receiving and storing intercepted material (not in the interception by foreign authorities).

The Strasbourg decision has been challenged in a cross-appeal in the Grand Chamber and the parties are awaiting judgment.

The Concern

One of the important questions in relation to intelligence sharing is whether or not the UK authorities circumvented the requirements of UK in law in order to obtain the information from EncroChat.

The NCA openly state that they have been working with international law enforcement agencies to target EncroChat since 2016. They admit that “unbeknown to users the NCA and the police have been monitoring their every move since then under Operation Venetic – the UK law enforcement response.”

Concluding remarks

There remain two real issues in EncroChat cases.

The first is the legal basis on which the information has been obtain by UK authorities; the question is whether or not these acts were carried out legally.

The second issue, for some cases, will be reliability and attribution. The information already appears to have been used by authorities to make arrests. Whether the information is reliable and what conclusions can be drawn from it are issues that are likely to be highly contested and subject to expert evidence.

Alexandra specialises in both criminal and family law. In her criminal law practice she represents a variety of clients charged with serious matters and specialises in young and vulnerable clients. Her family law practice includes private children, public children, domestic abuse and finance cases. 

Read Alexandra's first article here on The hacking of Encrochat and the admissibility of evidence in legal proceedings. 

References

[10] Section 102

[11] Section 104

[12] Section 105

[13] Described in Part 1 or 2 of the table in Schedule 6 of the IPA 2016

[14] Section 106

[15] A LEC described in Part 1 of the table in Schedule 6 of the IPA 2016

[16] Section 106

[17] Section 99(5)(b) IPA 2016

[18] [2014] UKIPTrib 13_77-H

[19] (Apps nos. 58170/13, 62322/14 and 24960/15)