For a week in October 2020, Christian Lödden’s potential clients wanted to talk about only one thing. Every person whom the German criminal defense lawyer spoke to had been using the encrypted phone network EncroChat and was worried their devices had been hacked, potentially exposing crimes they may have committed. “I had 20 meetings like this,” Lödden says. “Then I realized—oh my gosh—the flood is coming.”
Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware the police secretly planted into the encrypted system siphoned off more than 100 million messages, laying bare the inner workings of the criminal underground. People openly talked about drug deals, organized kidnappings, planned murders, and worse.
The hack, one of the largest ever conducted by police, was an intelligence gold mine—with hundreds arrested, homes raided, and thousands of kilograms of drugs seized. But it was just the beginning. Fast-forward two years, and thousands of EncroChat users across Europe—including in the UK, Germany, France, and the Netherlands—are in jail.
However, a growing number of legal challenges are questioning the hacking operation. Lawyers claim investigations are flawed and that the hacked messages should not be used as evidence in court, saying rules around data-sharing were broken and the secrecy of the hacking means suspects haven’t had fair trials. Toward the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world.
“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” Lödden says. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.”
Around 60,000 people were signed up to the EncroChat phone network, which was founded in 2016, when it was busted by cops. Subscribers paid thousands of dollars to use a customized Android phone that could, according to EncroChat’s company website, “guarantee anonymity.” The phone’s security features included encrypted chats, notes, and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. Its camera, microphone, and GPS chip could all be removed.
Police who hacked the phone network didn’t appear to break its encryption but instead compromised the EncroChat servers in Roubaix, France, and ultimately pushed malware to devices. While little is known about how the hacking took place or the type of malware used, 32,477 of EncroChat’s 66,134 users were impacted in 122 countries, according to court documents. Documents obtained by Motherboard showed all data on the phones could potentially be hoovered up by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.)
Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.
The most high-profile challenge so far comes from lawyers in Germany. In October, a regional court in Berlin sent an EncroChat appeal to the Court of Justice of the European Union (CJEU), one of the continent’s highest courts. The judge asked the court to make decisions on 14 points about how the data was transferred across Europe and how it was being used in criminal cases. The Berlin court highlighted the secretive nature of the investigation. “Technical details on the function of the trojan software and the storage, assignment, and filtering of the data by the French authorities and Europol are not known,” a machine-translated version of the court ruling says. “The functioning of the trojan software is fundamentally subject to French military secrecy.”
Lödden, who is not involved in the case that has reached the CJEU but is coordinating with around a dozen other lawyers involved in European EncroChat cases, says people were offered good deals by judges and took reduced sentences for pleading guilty in some of the first cases he worked on. Since then, he has used several lines of defense. His challenges often involve questioning what legal basis was used to justify capturing the data from people’s devices. Another approach involves questioning the data itself. “You don’t know how the French got the data,” he says. “The only thing that is clear is that it’s not the full data, because there are gaps, and the data they got is not fully decrypted.”
There is no set date for the European Court to review the case; although in another high-profile legal challenge, two British EncroChat users have taken their case to Europe’s top human rights court. However, a French case, which is set to be decided this month, could make a difference to other cases across Europe. In October, the French Court of Cassation questioned previous EncroChat legal decisions and said they should be re-examined. “The judge who authorized this measure was not in charge of 60,000 investigations, but only one, and therefore ordered a disproportionate act,” say lawyers Robin Binsard and Guillaume Martine, who are challenging the collection of the data. “We have to defend our clients without knowing how the investigators acted,” they say.
Despite the legal challenges, police forces across Europe have lauded the EncroChat hack and how it has helped put criminals in jail. When the hack was announced in June 2020, hundreds of people were arrested in huge coordinated policing operations. Police in the Netherlands discovered shipping containers that were being used as “torture chambers” by criminals.
Since then, there has been a stream of EncroChat cases reaching courts and people being jailed for some of the most serious crimes. The data from EncroChat has been a real boon to law enforcement—organized crime arrests in Germany soared by 17 percent following the police busts, and at least 2,800 people have been arrested in the UK.
Cases in the UK have seen two men who planned a revenge shooting sentenced to 18 years in jail each, a drug dealer jailed for 14 years for supplying 8 kilograms of cocaine and heroin, and six men jailed for a combined 140 years after plotting to smuggle ecstasy internationally inside the arm of a digger. And in June last year, police in the Dominican Republic reportedly arrested the alleged masterminds behind the EncroChat system itself.
France’s National Gendarmerie military police, the UK’s National Crime Agency, and Germany’s federal investigative police agency, Bundeskriminalamt, declined to comment on the ongoing legal cases. Jan Op Gen Oorth, a spokesperson for Europol, says the investigation was conducted as part of a joint investigation team that involved multiple EU bodies and national police forces. “The data in the case was captured on the basis of the provisions of French law and with judicial authorization, through the frameworks for international judicial and law enforcement cooperation,” Oorth says.
EncroChat isn’t the only encrypted phone network police have hacked or dismantled. Law enforcement operations against Ennetcom, Sky ECC, and Anom—the FBI covertly took over the latter and ran the network—highlight broader tensions around encryption. For years, police have complained that encryption stops them from accessing data, while at the same time having multiple alternative ways to get around encryption. In Europe and the US, laws are being proposed that could weaken encryption as the technology becomes the default.
Breaking phone networks billed as encrypted and highly secure—some may be legitimate, while others are shadier—raises questions about law enforcement tactics and transparency. “What we’re seeing is that policing authorities and law enforcement authorities are effectively normalizing a policing practice that sets a really dangerous precedent in terms of surveillance,” says Laure Baudrihaye-Gérard, the legal director for Europe of criminal justice nonprofit Fair Trials.
Cerian Griffiths and Adam Jackson, law professors at the UK’s Northumbria University who have been analyzing EncroChat legal issues, say there is a “judicial appetite” to use the collected data to convict criminals, but that the correct processes must be followed, as more cases like this may happen in the future. “You want bad people to be prosecuted for the seriously bad things that they’re going to do,” they say. “You just want to make sure that it’s done properly, in a way that is evidentially sound. And that means that they don’t get appeals down the line that undermine those convictions.”
One court in Finland has already ruled that data gathered by the FBI from Anom couldn’t be used—the severity of the alleged crimes did not justify the way the data was accessed, local reports claimed. Meanwhile, Italy’s Supreme Court has said the methods used to access Sky ECC messages should be disclosed.
More than 100 Dutch lawyers have warned that the lack of transparency around the hacks could create a slippery slope. In the future, the lawyers wrote in an open letter, Signal or WhatsApp could be targeted. “These services are also already placed in a suspicious corner or are likely to get there, while that suspicion is only based on the use of strong encryption and the protection of one’s own privacy.”
Jessica Shurson, a lecturer in law at the University of Sussex and a former US prosecutor, says the hacking cases should be included in broader debates about the importance of encryption for people’s security. “They’re finding ways to access encrypted systems, through hacking, through their own malware,” Shurson says. “Can we really say that law enforcement is ‘going dark’ because of encrypted data when we see these cases coming up every couple of years showing that, actually, they can access the encrypted systems?”
