
(JUDICIAL JURISPRUDENCE, THE COURT OF APPEAL, Royal Courts of Justice, [2021] EWCA Crim 128, judgment of 5 February 2021, EncroChat case)
The data collected by the French gendarmerie, in the context of the EncroChat case, is deemed admissible by the British courts. Therefore, the British judges ruled that the French active implant did not constitute a lawful interception and did not contravene the legal provisions set out in the UK Investigatory Powers Act 2016.
Reminder
EncroChat was one of the largest encrypted communication services in the world, with approximately 60,000 users, 95% of whom were criminals and 20% of whom were British. The EncroChat messaging service was discovered in 2017 by the French ‘Institut de recherche criminelle de la gendarmerie nationale’ (IRCGN) during forensic investigations against organised crime. The investigation intensified as of 10 April 2020, when the Joint Investigation Team (JIT) was put together between the French, Dutch and British judicial authorities, under the aegis of Eurojust and with Europol support. Eventually, intelligence work and international technical collaboration gave access to EncroChat users’ decrypted messages through the installation of an active technical device on EncroChat phones, whose servers were located in France. The malware (implant) allowed them to read several million encrypted messages and record the phones’ encryption passwords. In the end, law enforcement agencies around the world made almost 1,100 arrests and seized more than 35 tons of drugs and more than €169 million.
Under French law
Under French law, the technique developed by the gendarmerie falls within the legal framework of the capture of computer data as a special investigation technique, provided for in Article 706-102-1 of the Code of Criminal Procedure: “The installation of a technical device may be used for the purpose of accessing, recording, storing, and transmitting computer data anywhere, without the consent of the interested parties, as stored in a computer system, as displayed on a screen for the user […], as entered by the user through character input or as received and transmitted by peripheral devices.” This measure is strictly regulated throughout the judicial investigation by the examining magistrate after consulting the public prosecutor (Article 706-95-12 of the Code of Criminal Procedure). Therefore, the data collected by the French gendarmerie in the EncroChat case is admissible in the French courts.
Under British law
During a press conference, the French authorities explained that they had developed a technical device, called an implant, which allowed them to access crucial information that was then shared with the United Kingdom’s National Crime Agency (NCA). As part of Operation Venetic, the NCA was able to collect thousands of messages before the security breach was discovered and the EncroChat network shut down its service. The French operation, described by the NCA’s Director of Investigations as “the largest ever operation against organised crime,” has already led to 750 arrests in the United Kingdom and to the seizure of over £55 million. However, under British law, evidence intercepted during message transfers cannot be used in court and must only be used for intelligence purposes (Part 2, Interception of communication, Investigatory Powers Act 2016, Parliament of the United Kingdom, 29 November 2016) after approval by the Secretary of State and the Judge (“the act introduced a double lock that requires interception warrants to be authorised by a secretary of state and approved by a judge”). As a result, the lawyers of four defendants appealed the validity of the technical device used by France and requested that all data collected in the EncroChat case be deemed inadmissible by the UK courts (R v Director of Public Prosecutions [2020] EWHC 2967 Admin). The main argument was that the French device was a form of data interception between the phone and the EncroChat server.
However, the Investigatory Powers Act 2016 explicitly allows the content of communications directly and/or physically retrieved from a phone or computer to be used as evidence in court (Part 5, Equipment Interference, Investigatory Powers Act 2016, Parliament of the United Kingdom, 29 November 2016). The article applies to cases where the content is physically extracted from the phone (e.g. in the case of forensics carried out after the phone has been seized) but also to cases where software is installed on the phone and allows indirect extraction of data (“Equipment interference warrants may authorise both physical interference […] and remote interference (e.g. installing a piece of software on to a device over a wired and/or wireless network in order to remotely extract information from the device.”).
Hence, on 5 February 2021, the judgment of the Court of Appeal in A & Others [2021] EWCA Crim 128 was delivered, thus closing the debate. The judgment rejected the arguments seeking to put an end to the use of data extracted from the EncroChat communication network in judicial proceedings. To put it simply, the judges stated that the data retrieved by French and Dutch law enforcement agencies did not constitute an interception but a direct intervention on the phone and therefore did not violate the legal provisions set out in the Investigatory Powers Act 2016.
The judges ruled that the data was actually first stored temporarily in clear text in the memory of the devices and then encrypted by the phone before being transmitted in its encrypted form to the EncroChat server. The judges stated that the French active agent allowed messages to be copied from the phone before they were encrypted (directly from the phone’s memory) and that these messages were sent unencrypted to a French gendarmerie server. The judges pointed out that this case did not involve any interception during transmission (which is not permitted under UK law) and therefore did not constitute an interception. The judges stated that this was all the more justified since the message was encrypted during the actual transmission and therefore could not be used by the French gendarmerie. Moreover, they claimed that the metadata retrieved by the gendarmerie (e.g. the user’s name) was only present in the phone’s memory and not during transmission, which is evidence that the data was retrieved from the phone’s memory and not during its transmission.
In the judgment, the judges compared the process to that of sending a letter: “The process consists in writing the letter (writing the unencrypted message), putting it in an envelope (encryption), affixing a stamp (recipient) and then posting the letter in the post office box (sending it to the EncroChat server)”. Thus, an interception takes place only if the message is retrieved during transmission, not during the first steps of the process. As the French implant retrieved the message before it was sent, this did not constitute an interception under British law. The judges therefore concluded that the communications transmitted to the United Kingdom had not been extracted during their transmission, but during their storage in the phone’s memory. The judgment also clarified that the interception argument can only be upheld if the alleged interception takes place directly during the transmission of data via a radio signal, cable, or optical fibre, but not if the data is copied from the target device’s memory.
Many cases based on evidence retrieved by the French authorities are being tried in the British courts; all judicial objections to the legality of the means by which this evidence was obtained by law enforcement agencies have been rejected thanks to the Court of Appeal’s judgment in [2021] EWCA Crim 128.