What if law enforcement had the power to take down an entire phone network? How comfortable would you feel if your messages were exposed and viewed at length? When the EncroChat network was compromised by French law enforcement in 2020, questions were raised not only about the capability to access highly secure information, but also how the presumption of innocence is afforded to criminal suspects pre-trial. For current Utrecht LLM student Suzanne Flynn, as trends in law enforcement progress towards detection rather than reaction, the takedown of the EncroChat network encapsulates a sea change in the area of encryption and the law enforcement response thereto.
Day to Day Encryption – How it works
Encryption is something we have all become accustomed to as a necessary safeguard accompanying the use of communications technology. Simply defined, encryption is a process to secure information from unwanted access. Through cryptography, information that can be read (plaintext) is changed so that it becomes illegible (known as ciphertext). Encryption is an integral component of our daily online communication with Meta platforms Facebook and Whatsapp offering automatic end-to-end encrypted (E2EE) messages and calls.
On the encrypted phone network EncroChat, however, devices ran on a private encrypted communications network which offered services such as instant messaging, voice calling and encrypted text storage on the Android operating system. In terms of specific encryption technology, EncroChat ran on the Off-The-Record operating system, which provides both authentication and end-to-end encryption. E2EE prevents service providers as well as unassociated third parties from reading messages as only the recipient and sender of the messages have the “keys” to access the content of the correspondence.
What was the EncroChat investigation?
In 2017, the French Gendarmerie began an investigation into EncroChat. The rationale for the investigation was based on evidence obtained in the course of other investigations which pointed towards criminals using the network extensively to communicate amongst themselves. During the investigation, EncroChat’s layer of end-to-end encryption was bypassed and the content of EncroChat users’correspondence became available for law enforcement to peruse at their leisure. (See map here for a timeline of the investigation). The result of the European-wide cross border investigation resulted in 800 arrests globally as of June 2021 with arrests as recently as February 2022.
What does the compromise of the EncroChat network mean for law enforcement and the presumption of innocence?
The capability of law enforcement to take down an entire phone network presents various concerns – not just in relation to the power of law enforcement to compromise digital communication infrastructures, but also from a human rights perspective, specifically regarding privacy and the presumption of innocence. Considering the facts of the investigation, the joint investigation team (JIT) which included the French Gendarmerie and Dutch Law enforcement, didn’t concentrate on hacking into phones of people who were known criminals. Instead, they decided to hack an entire phone network, arguably disregarding the presumption and assuming all EncroChat users were criminally affiliated or convicted.
Evidence from EncroChat has raised procedural questions at trial stage in countries such as the UK, the Netherlands, Germany and France, particularly in relation to the admissibility of evidence obtained from intercepted communication. It also should be noted that as recently as February 2022, a group of lawyers in association with the criminal justice watchdog Fair Trials published an open letter to the European Parliament and European Commission citing that the EncroChat hack had prevented their clients from having access to a fair trial. In considering these aspects, the presumption of innocence in EU law will be focused on in the context of the EncroChat investigation below.
The Presumption of Innocence in EU Law
It is important to acknowledge that the presumption of innocence in EU Law has several bases. The presumption is explicitly provided for in the EU Charter of Fundamental Rights (CFR) in Article 48 and Article 6(2) ECHR. In addition, Directive (EU) 2016/343 is also relevant as the purpose of the directive as per Recital 9 is to enhance the right to a fair trial in criminal proceedings by laying down common minimum rules regarding certain aspects of the presumption of innocence and the right to be present at the trial. Many EU member states either explicitly or implicitly protect the presumption in national constitutions.
In terms of EncroChat, the European Convention on Human Rights (ECHR) is arguably the most important source of law as its scope extends to members of the Council of Europe (which includes the United Kingdom) and is therefore wider in scope than EU Law bases alone. This is significant, considering many cases involving information obtained from the EncroChat investigation as evidence have been taken in UK jurisdiction. In addition, the applicability of the CFR is narrower than that of the ECHR, as the CFR’s scope is limited to the actions of EU institutions and bodies in addition to national authorities when they are implementing EU law.
Applying the Presumption of Innocence to EncroChat
Although some contend that the presumption of innocence is a safeguard afforded only at trial stage, in the context of EncroChat and the presumption of innocence, I would argue that the presumption should be viewed more broadly and hold merit particularly regarding the French Gendarmerie’s interception of communications.
This view of a broader form of the presumption of innocence has been supported by Campbell and Treschel. Interestingly, Jackson has also contended that particular “official actions do not comport with the ethos underpinning the presumption which includes protecting the individual against the coercive power of the state.” This mirrors the circumstances in EncroChat as the justification for the interception of the network was on the basis that French authorities had knowledge criminals were using the encrypted phones. It has been stated that most users of the network were “presumably criminals”, with the UK National Crime Authority going a step further by stating the network was used exclusively by criminals. This, particularly in the absence of sufficient evidence is arguably not a definitive enough standard to justify a malware attack on an entire system, as there may have been legitimate users of EncroChat, whose privacy was infringed.
The ECHR is a “living instrument”. In 2011, the UK Supreme Court recognised as much in its judgment in R v Adams which looked directly at the interpretation of the Convention in relation to the reputational aspect of the presumption of innocence, implying potential for changes in the ECHR’s application. This could serve as an argument for the proceedings in the EncroChat investigation to be examined in line with the presumption and the right to privacy under Article 8 ECHR in tandem. Further, in the case of Allen v the UK the ECtHR held in 2013 that “the presumption of innocence imposes requirements in respect of… premature expressions, by the trial court or by other public officials, of a defendant’s guilt.”
Considering these arguments in light of the EncroChat investigation, when French law enforcement monitored the correspondence of EncroChat users, it had not been definitively established that all users were active criminals or had prior convictions or arrests. The interception of communications on the network, therefore, does not align with the interpretation of Article 6(2) ECHR as per Allen. In addition, I would also argue that a “premature expression of a defendant’s guilt” as per the wording in Allen was articulated in the hacking of the EncroChat network. This does not seem to be either justified or proportionate in line with the presumption. MEP Cornelia Ernst’s comments complement this issue from a state surveillance angle. Ernst raised a particular issue with the mass data collection as a result of the EncroChat investigation, bringing a data protection perspective to the saga. This further corroborates the stance that although law enforcement may argue the network was used exclusively by criminals, whether this basis justifies the compromise of the network is questionable, especially because the criminal status of users has not been concluded beyond a reasonable doubt.
It has also been noted by Sommer that at least in English and Welsh jurisdiction, information obtained from interception (known as intercept evidence) during investigation stage by law enforcement is generally inadmissible as evidence at trial stage. This issue arose in the context of the use of EnrcoChat as evidence against alleged criminals in the English Crown Court. The defence argued that correspondence via the encrypted network was intercepted and accordingly should not be admissible as evidence, as is usually the case. This argument however, was ultimately unsuccessful as the point of law hinged on the fact that the messages were not being transmitted when intercepted, but were stored “in or by” the telecommunications system as per the Investigatory Powers Act 2016, therefore permitting the inclusion of EncroChat correspondence in evidence. Interestingly, had the court decided that interception had occurred during transmission, this would have meant that French authorities would have committed a crime under UK Law.
The End of an Encryption Era?
The EncroChat investigation has uprooted many preconceived ideas of the capability of law enforcement. The concerns surrounding the presumption of innocence and therefore, the admissibility of evidence are in my opinion, well founded. Although EncroChat has ceased operations, new replacements such as Sky ECC have already entered the market only to be subsequently compromised by law enforcement, further confirming the proactive response of law enforcement regarding encrypted networks supposedly used by criminals. Instead of exercising this proactive approach, I would recommend that law enforcement authorities focus on developing encryption as a tool for law enforcement correspondence. Using encrypted text messages between different parties could allow civilians to give anonymous tips for example, or enable those in witness protection to communicate with law enforcement without fear of their communications becoming intercepted.
Crucially, it should be mentioned that the questions mentioned in the present claims before the ECtHR regarding EncroChat relate primarily to Article 8 ECHR (the right to privacy) and not Article 6(2). However, Article 6(1) ECHR, which focuses on the right to a fair trial, is mentioned in the preliminary questions to the Strasbourg court. In my view, the absence of reference to Article 6(2) represents a lost opportunity to firmly assess a potential violation of the presumption of innocence in the context of EncroChat. Reference to Article 6(2) ECHR could have facilitated a broader discussion on how the presumption is to be interpreted where interception of communications by law enforcement is undertaken. There is still the possibility that the presumption may be mentioned in the ultimate proceedings, perhaps in complementing Article 6(1) ECHR. Nonetheless, the anticipated judgment of the ECtHR could prove pivotal in formulating a global response to law enforcement intervention in encrypted communications going forward.