The question of the legality of law enforcement approaches to encrypted devices has become very topical following the considerable fanfare that accompanied the arrests made by the National Crime Agency and various police forces in connection with the Encrochat service on 12 June 2020 as part of Operation Venetic. This resulted in:

  • 776 arrests
  • £54m in cash seized
  • 77 firearms recovered
  • Over 2 tonnes of drugs seized

The use of encryption on our devices, for both lawful and unlawful purposes, has become widespread, and indeed most IT professionals would recommend it to safeguard privacy and protect from hacking. Encrochat, for example, is said to have a database of approx. 10,000 users in the UK.

We at Clarke Kiernan LLP have extensive experience and knowledge from acting in cases involving digital crime, and encrypted devices like EncroChat and Sky ECC. We have defended many clients in cases where they feature, and advised many more before a case even makes it to criminal charges.

 

We leave no stone unturned in looking at all the issues, and more importantly our team are ‘tech geeks’ who are well placed to understand not only the law but how the technology works. As a firm we embrace technology. We also instruct only the best barristers and leading technology experts in their fields. Too often we find clients telling us they have been given poor advice from well-meaning lawyers at other firms that simply do not understand the evolving technological picture, or by those who have charged vast sums to make arguments that were never likely to succeed in the interest of being seen to ‘do something’. We specialise in giving proper, practical and accurate advice on the issues and what legal arguments may be open to clients.

 

That is perhaps the reason why we have been ranked as one of the leading expert criminal defence firms in the South East by the independent Legal 500 guide for many years, and our Managing Partner, Daniel Bonich, is recognised as a ‘Leading Lawyer’ in the field in the South East.

Over many years there has been a significant shift away from protecting individual rights of citizens to pursuing criminality no matter the methods. Unlike the sort of cases you might have seen on TV such as the American system, our courts have moved towards a system where the ends are said to justify the means, even where the means cross the line of lawfulness.

In general, for this type of operation, the Courts are anxious to uphold the methods deployed by the state as it is keen to avoid any suggestion that cases of this type, which involve the uncovering of seriously violent conspiracies, could collapse due to what might be seen by the public as being mere ‘technicalities’.

That having been said, that is not a reason to not scrutinise the evidence and how it has been obtained. There are strict rules about the admissibility of intercepted communications. The general rule has, for some time, been that information that has been obtained by interception in the UK cannot be relied upon by either the prosecution or defence.

Interception is defined by Section 4 of the Investigatory Powers Act [IPA] 2016 as:

A person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if:

  1. the person does a relevant act in relation to the system; and
  2. the effect of the relevant act is to make any content of the communication available, at a relevant time, to a person who is not the sender or intended recipient of the communication.

 

The ‘relevant act’ essentially amounts to hacking a device.

Relevant act is described as:

  • modifying, or interfering with, the system or its operation
  • monitoring transmissions made by means of the system
  • monitoring transmissions made by wireless telegraphy to or from apparatus that is part of the system.

By virtue of Section 56(1) of IPA 2016, interception evidence cannot be relied on in criminal courts:

“No evidence may be adduced, question asked, assertion or disclosure made or other thing done in, for the purposes of or in connection with any legal proceedings or Inquiries Act proceedings which (in any manner) –

  1. Discloses, in circumstances from which its origin in interception-related conduct may be inferred –
    1. Any content of an intercepted communication, or
    2. Any secondary data obtained from a communication, or
  2. Tends to suggest that any interception-related conduct has or may have occurred or may be going to occur.”

Importantly, and particularly relevant in the context of proceedings arising out of hacking from outside the jurisdiction, the ambit of Section 56(1) only extends to the prohibition of relying on intercepted evidence if the interception has been carried out in the UK.

Often, as in the Encrochat case, the servers are based outside of the UK. With Encrochat, the servers were Dutch based. It therefore follows that there is no bar to admitting intercept evidence in UK criminal proceedings that was lawfully obtained in a foreign jurisdiction, even if the means by which that evidence was gathered would have been unlawful in the UK.

The UK courts have been willing to admit such evidence on a number of occasions in respect of the prosecution of drug offences. The interception of communications in the Netherlands is not automatically rendered inadmissible under UK law.

The current position appears to be that foreign intercepts or ‘wire taps’ provide a ‘back door’ method of introducing evidence which would otherwise be inadmissible. The increase in international cooperation in law enforcement makes this more and more commonplace.

The central question to be determined ahead of or during any legal challenge is whether the relevant authorities have properly applied for and been granted the appropriate judicial authority to hack the Encrochat platform. The warrants are likely to have been issued pursuant to Section 99 Investigatory Powers Act 2016. The relevant one in each case will have to be carefully examined.

The line of authorities that gives some guidance, though every case should be treated on its own individual merits, begins with R v Aujla [1998] 2 Cr App R 16. In this case, the defendants were convicted of conspiracy to facilitate the illegal entry of persons into the UK. The intercepts were made up of intercepted and recorded phone conversations, interestingly applied for by the Dutch police AND granted by the judicial authority in the Netherlands. Calls were between the Dutch end of the conspiracy and the UK appellants. Submissions were advanced seeking to exclude the taped phone evidence but unsuccessfully. The Court of Appeal concluded that the interceptions in Holland did NOT represent a breach of UK law because the intercept occurred in Holland. An argument to exclude the material on the basis of unfairness failed because it was deemed that the domestic laws and procedures in Holland were followed.

In another important case, R v P and Others [2000], where countries were anonymised, three defendants were charged with assisting in the UK in the commission of drug offences in 2 European Union countries identified simply as A and B. The Public Prosecutor in ‘A’ had lawfully obtained an order authorising the interception of X’s telephone calls. The authorities in A were able to record telephone calls made or received by X anywhere in the world. The defendants in this case had conversations with X that were recorded. Legal arguments were made to exclude the recordings. The arguments were advanced that Article 8 [right to a private life] and Article 6 [right to a fair trial] had been contravened. In their judgment, their Lordships determined that the intercept could amount to an Article 8 interference, but, on the facts of the present case, the authority was lawfully obtained in order to combat the smuggling of drugs. They relied on the fact that this was not pursued for any other ancillary purpose and for no longer than necessary. Accordingly, no breach was found. Of concern to potential Encrochat defendants (see below) is that they found that there was no breach of Article 6 in that the “fair” use of intercept evidence at trial was NOT a breach even if unlawfully obtained. Part of the rationale was that one of the participants in the conversation, i.e. the UK end, could give evidence at trial. Whether that applies to text messages is to be determined.

Most recently, in the case of R v Russell Knaggs [2018] EWCA Crim 1863, another Dutch-based case was considered by the Court of Appeal. In the course of the trial, it was agreed that the effect of Section 17 RIPA was to prohibit reliance on evidence obtained by interception warrant. The UK and the Netherlands were parties to the Convention on Mutual Assistance in Criminal Matters, which required that foreign state requests to intercept telecommunications had to include confirmation that a lawful interception order or warrant had been issued in connection with a criminal investigation. Accordingly, to procure Dutch interception via the Convention, the UK authorities would first have to issue an interception warrant under RIPA, the existence of which would trigger the s.17 prohibition. However, that did not prevent less formal arrangements. If foreign police carried out any intercept during or after such liaison, the admissibility of the intercept in the UK would depend upon the facts. There had been no failure of disclosure in relation to the Dutch intercept material and the trial judges had been entitled to admit it. The court refused to admit the fresh evidence.

What do we know

Whilst there have now been many prosecutions based on evidence from Operation Venetic, the EncroChat hack, the picture is an evolving one. It appears that whilst the authorities have been monitoring the Encrochat service since 2016 when the first code was cracked, and have brought many prosecutions, there remains a huge mine of intelligence and data that will continue to be a resource for Law Enforcement for years to come. In many cases now, EncroChat material is an element of the case without being the principal evidence.

What is known is that the French authorities launched an investigation into Encrochat in 2017 due to its links with criminal activity. A ‘technical’ device was put in place enabling access to encrypted devices. Once this was achieved, mutual assistance and cooperation resulted in a sharing with international law enforcement agencies including the NCA in the UK. What is NOT known is exactly how the servers were infiltrated. Encrochat claim their servers were seized illegally. What is clear is that the Courts in this country are generally willing to endorse state-sponsored hacking when it comes to law enforcement, so long as there is at least the pretence of a foreign power doing the hacking.

There have been a large number of prosecutions, mostly successful, and many more arrests are likely to follow. There will be countless separate cases which flow, and legal teams will need to have a grasp of the legal and technological issues. Clarke Kiernan LLP may be able to help you: we have not only experience of EncroChat cases and the legal knowhow, but many of our staff are true tech ‘geeks’ with the technological knowhow to fully understand the issues.

Belgian and Dutch police have breached the encryption of users of Sky ECC, the world’s largest cryptophone network. There are significant parallels with the international police operation against the EncroChat cryptophone network which led to hundreds of arrests.

When the French gendarmerie, Dutch police and the UK’s National Crime Agency (NCA) infiltrated the EncroChat encrypted phone network last summer, data-security minded users and organised crime groups alike around the world opted to switch to a new phone supplier.

That supplier was Sky ECC, now the largest supplier of crypto communications worldwide, with over 70,000 customers.

Sky ECC bills itself as the “most secure messaging platform you can buy” and is so confident of the impregnability of its systems that it offers a handsome reward for anyone who can break the encryption of one of its phones.

However, as with the French and Dutch operation against the EncroChat encrypted phone network a few years ago, Belgian and Dutch police were able to infiltrate the platform and harvest hundreds of thousands of supposedly unbreakable messages.

They have shared the intercepted material with a “large number” of overseas investigations services after reading encrypted traffic “live”.

The NCA, which played a key role in disrupting EncroChat working with the Dutch police and the French gendarmerie, has yet to comment on whether it has benefited from intelligence from the Sky operation.

Sky ECC initially claimed that allegations that the Belgian and Dutch authorities had cracked the company’s communications software were “false” and that its service had been restored after an outage.

The company said its distributors had alerted it that a fake phishing application, branded Sky ECC, had been loaded into insecure phones and sold through unauthorised channels. However, news of the attack broke on 9 March 2021 as Dutch police took down and seized a Sky ECC server.

More than 1,600 Belgian police officers, in some cases accompanied by Belgian special forces, took part in simultaneous raids on 200 homes, arresting 48 suspects.

Those detained included three lawyers in Antwerp who were using Sky ECC cryptophones.

Dutch police raided 75 homes and arrested more than 30 people, recovering at least 28 firearms from raids on suspected drug dealers in Rotterdam, €1.2m in cash, diamonds, jewellery, luxury vehicles, three cash machines and police uniforms.

Belgian prosecutors initially refused to confirm or deny that Sky ECC had been breached, but later confirmed at a press conference that police had obtained a data warehouse full of supposedly secure messages from the network.

Sky ECC resellers told customers that the network had not been compromised, claiming that people had distributed a fake version of the Sky software on unauthorised phones – putting some users at risk.

The Belgian Federal Prosecutor’s Office described the operation – overseen by an investigating judge in the city of Mechelen – as the largest police investigation ever undertaken in the country.

The breach mirrored the French and Dutch infiltration of EncroChat last year in that it was conducted as a two-stage attack on the network.

In the first phase, police intercepted and stored encrypted communications from the Sky ECC network, while experts worked out how to decrypt them.

In the second phase, which lasted three weeks, police were able to read “live” data sent across the Sky ECC network.

 

Parallels with EncroChat

The UK’s NCA used a European investigation order to collaborate with a joint investigation team run by the French and Dutch police in its operation to penetrate the EncroChat phone network last year.

The French gendarmerie, which led the investigation, passed on to Europol packages of messages extracted from EncroChat phones, which it assembled into UK-specific packages and passed on to the NCA.

The NCA drew on support from 10 regional and organised crime units and the Metropolitan Police to make more than 1,000 arrests, seize £55m in cash, firearms and two tonnes of drugs.

The UK side of the EncroChat operation, codenamed Venetic, has proved controversial because of our laws that prevent intercept evidence being used in criminal proceedings.

However, three Court of Appeal judges found that the messages gathered by French and Dutch investigators and passed to the NCA were lawfully obtained through “equipment interference” while they were held in the phones’ memory, rather than through “interception” of messages while they were being transmitted.

Dutch police said in a statement yesterday that following its operation against Encrochat – codenamed Lemont – investigators were able to read “live” communications of a large number of criminals using EncroChat phones.

Police have stored and examined “hundreds of millions” of messages from Sky ECC phones in a data warehouse as part of its anti-drugs operation.

“The information obtained is expected to have an impact on organised crime in the near future,” police said. “The information is also shared with a large number of foreign investigation services.”

According to Belgian prosecutors, there are more than 70,000 active Sky ECC devices worldwide, mainly in Europe, North America, Central America, particularly Colombia and the Middle East.

Van Leeuw said it is notable that about 25% of the active users of these devices are based in Belgium, which has 6,000 users, and in the Netherlands, which has more than 11,000 users.

The phones are most widely used around the port of Antwerp – an important destination for drugs crime.

 

Sky ECC phones claimed to be most secure available

Sky ECC, which operates from Canada and the US, brands itself as the “most secure messaging platform you can buy”.

The company is so sure of its unbeatable security that it offered a $5m prize for anyone who could hack one of its phones within 90 days.

Its website presents a series of case studies promoting the value of encrypted phones to lawyers, universities, medical organisations, company executives, and to journalists as a tool for protecting confidential sources.

It supplies phones that offer self-destructing messages, secure audio messages, a secure encrypted vault, and an app that in “stealth mode” can disguise itself as a calculator.

Modified phones, which are available in Android, Blackberry and iOS, can be bought online or through “authorised partners” for between €900 and €2,000, depending on model.

The company says it stores the Sky ECC app in a secure container on the phone, which protects it from malware, such as keyloggers or snooping tools, such as the widely used Pegasus spyware supplied by Israeli firm NSO Group.

All messages are encrypted using 512-bit elliptic curve cryptography, while network connections are secured by 2,048-bit SSL encryption.

One of the company’s selling points is that it does not store encrypted messages on its servers.

 

Privacy and Data Encryption

Belgian investigators said their main purpose was to take down the Sky ECC infrastructure, dismantle it and confiscate the criminal proceeds of Sky ECC resellers, which shows Law Enforcement are increasingly concerned about the public using devices that they cannot access. There are serious Human Rights and privacy concerns and there is a balance to be drawn between the right of privacy and the need for the state to detect crime. It is not illegal to possess an encrypted device, whether it be an EncroChat or Sky ECC device, and many more mainstream providers such as WhatsApp, Telegram, and even Apple openly advertise their security and privacy credentials.

Investigators attempted to show that Sky ECC phones were exclusively used for criminal communications and that Sky ECC was aware that was the case.

 

How can we help?

Law Enforcement will increasingly be relying on evidence and intelligence from encrypted platforms such as EncroChat & Sky ECC cryptophone messaging as evidence in criminal cases. The validity of this evidence is complex both legally and technically. Demonstrating our reputation as one of the south east’s leading criminal defence firms, we have experience of arguing both the law and the digital forensic science – including the lawfulness of Targeted Equipment Interference Warrants under the “Investigatory Powers Act 2016.”

If you were an EncroChat or Sky ECC user then the most important action you can take is to assess the risk of being caught up in an investigation, the likely nature of that investigation and plan for such an eventuality. This can only be done with the help of an experienced professional with specific subject matter knowledge in this area of law and with EncroChat and Sky ECC devices. The more time spent getting the right advice before you are arrested, the better prepared you will be.

 

AnOM

The network, known as An0m, offered encrypted Android phones and an encrypted computer platform that claimed to offer its users secure communications.

The FBI created An0m as a closed encrypted platform to target organised crime, drug trafficking and money laundering.

In comparison with other recent attacks, An0m was relatively small with 9,000 users world-wide. Users were unaware that the FBI had been harvesting their private communications.

The platform is the latest in a string of encrypted communications networks, known as Criminally Dedicated Secure Communications (CDSC) networks to be breached by law enforcement.

It follows a police hack on the Sky ECC encrypted phone network in July and on the EncroChat encrypted phone network in April 2020.

 

Operation Trojan Shield

Operation Trojan Shield brought together the FBI, the US Drug Enforcement Agency, Europol and law enforcement agencies from multiple countries.

Europol described the operation, which it said targeted some of the world’s foremost criminals, as the “most sophisticated effort to date to disrupt the activities of criminals operating from all four corners of the world.”

The An0m network was cracked by a technical expert from the Australian Federal Police (AFP), who developed a “trojan horse app” that was able to decrypt messages and read them in real time.

The first hints of the operation emerged on the morning of 7 June 2021 when German news sites reported that police had raided drug laboratories, cannabis plantations and cocaine storage facilities.

The operation came three months after Belgian and Dutch police announced they had cracked the Sky ECC cryptophone network used by 70,000 people worldwide.

The French Gendarmerie, working with the Dutch Police, cracked the EncroChat encrypted phone network in April 2020.

The investigation led to arrests around the world, including over 1,500 arrests by UK police forces led by the National Crime Agency in Operation Venetic.

Sixteen countries took part in a co-ordinated operation against criminals using An0m, including Australia, New Zealand, Canada, the UK and the USA.

Austria, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, Sweden, Norway and the Netherlands also took part in the operation.

The FBI began covertly running An0m without the knowledge of organised crime groups.

Mobile phones loaded with the An0m app were sold on the black market. The phones were stripped of their capability so that they could not make calls or send emails.

Users could only send messages to other people with An0m phones.

 

 

WAS THE HACK LEGAL?

We have discussed above at some length the complicated legal position, but that is not necessarily the whole story. As a defence solicitor tasked with defending clients arrested because of information accessed via EncroChat’s French server, we must first ask whether the accessing of the server, whether it be EncroChat or Sky ECC itself, was legal.

This is not a question that can be answered without understanding the specifics of the hack, but there is some information out there, and we can use it to begin to consider potential defence strategies.

Section 56(1) of the Investigatory Powers Act 2016 (IPA 2016) states that no interception evidence (i.e. ongoing communication that is monitored as it happens) can be relied on, as long as the interception is carried out in the UK and at least one of the parties to the communication is in the UK.

The question will be whether the hack took place in the UK. Different rules apply to intercepts and hacking in different jurisdictions. Some countries have taken the position that they either cannot or will not rely on EncroChat or SkyECC evidence in their jurisdictions.

There remains some debate about the nature of the hack. We may never get the full picture, and Law Enforcement remains reluctant to disclose all the details of the methodology. It appears that the hack itself took place on a French server by French authorities, and so on the face of it s.56(1) IPA 2016 would not apply. However, there is also a suggestion that the malware was detected on the units themselves, and it was this malware that provided access to the messages rather than access to the server itself. If this is correct, then there might be an argument that the relevant interception took place in the UK and as such s.56(1) IPA 2016 should apply.

There is also the fundamental issue of whether the prosecution are able to link the individual with the phone given the high level of privacy; the EncroChat service was marketed with ‘guaranteed anonymity’, and there was supposed to be no way of associating a device or SIM with a customer account. This question will only be answered on a case by case basis, and may well turn on whether the phone was found in the possession of the individual or the police have photographs or other evidence of the device being used by the individual.

It is admitted that a proportion of the 60,000+ EncroChat users hacked were not OCGs. It is not illegal to own and use an EncroChat or Sky ECC phone, and there are many reasons that someone might wish to do so, from extra-marital affairs to celebrities wary of their phones being hacked and photos uploaded to the web. EncroChat, and the other services like WhatsApp, Apple Messenger, Telegram, and Signal are a perfectly reasonable way of obtaining a lawfully required level of privacy, in an era where privacy and data security is becoming more and more important to users. There must be a balance, a balance of the need to protect our citizens from harm but also the balance of protecting our privacy and individual and collective freedoms.

Given this, the question will be whether the evidence obtained from the hack is the sole evidence relied on by the prosecution, or whether that phone evidence led the police to discover additional evidence. For example, those who have been caught in possession of large quantities of drugs, money or firearms as a result of the police obtaining information from the EncroChat hack are unlikely to be able to argue that these items seized should not be admissible in court due to the illegality of the hack. However, there will be those arrested and charged who were not found in possession of such damning items. There will be some for whom the entire prosecution case rests on the evidence obtained from the EncroChat hack. These individuals will only be linked to crimes by the allegation that they have been using a phone that was used to plan the commission of crimes, and this will be where the question of the legality of the hack itself will be susceptible to challenge and inevitably will be.

WHAT TO DO NOW?

What is certain is that we are going to be seeing prosecutions arise based on EncroChat evidence for months and potentially years to come. While we see the more serious crimes brought before the court at first, the information gathered by the hack will eventually make its way to the different government agencies responsible for prosecuting criminal offences. One such avenue could be HMRC, whose potential involvement means it is likely that we will start seeing arrests in respect of tax evasion and money-laundering offences.

Please contact Daniel Bonich if you would like further advice on this issue or in contesting evidence obtained pursuant to the accessing of encrypted devices.

Daniel is a partner who regularly deals with serious and complex crime, including large scale national and international drug and money laundering conspiracies, and is ranked by the Legal 500 as a “Leading individual” in Crime and fraud work.

 

The court heard that NCA intelligence officer Emma Sweeting and the NCA obtained a surveillance warrant on the basis of Sweeting’s account of an off-the-record discussion she had with a senior French gendarme relating to the type of warrant needed, without attempting to seek written confirmation.

The NCA argued it was not a credible interpretation of the law that if the intercepted EncroChat material turns out not to be a stored communication, but was live intercept, that is a breach of the Investigatory Powers Act.

The IPT is considering claims from 10 defendants who argue that the NCA unlawfully obtained a Targeted Equipment Interference (TEI) warrant to allow EncroChat messages to be used as evidence in court by wrongly arguing that the messages were only extracted from the memory of phones.

Defence experts claim that the NCA obtained EncroChat messages through a live interception operation. This meant that, legally, the NCA should have obtained a Targeted Interception (TI) warrant, which would only allow the messages to be used for intelligence gathering, rather than evidence in court.

During the course of the case it was said that it was completely impossible to know whether a critical meeting between Sweeting and Jeremy Decou, a senior French investigating officer, to verify what type of warrant was needed took place, because there were no witnesses to the meeting and no records of it taking place.

It was alleged that Sweeting had misled the independent judicial commissioners responsible for approving the NCA warrant by wrongly suggesting that her description of the EncroChat hacking operation had been approved by the French gendarmerie when in practice, she had spoken to one gendarme with limited technical knowledge and whose second language was English, the court heard.

The court heard that when Decou was interviewed by the NCA in September 2020, he contradicted the NCA’s claims that the EncroChat hacking operation only recovered stored messages from handsets, saying that during stage two of the operation, they were collected as live intercept.

Decou had also written a report on the French EncroChat operation, Operation Emma, on 2 April 2020 which referred to data being collected live and which made no reference to collecting stored data.

The argument from defence lawyers is that these facts were critical to determine whether the NCA could be lawfully granted a warrant, but were not put by the NCA to judicial commissioners.

 

Bulk interception

In another argument, it was said that the NCA knew it would not be able to take part in the EncroChat operation with the French and the Dutch if bulk warrants were needed and it was suggested that the question of whether the EncroChat interception amounted to bulk interception was never addressed.

It appears that the sole basis for concluding that Operation Venetic did not rely on bulk interception was a 2019 assessment by the NCA that the user base of EncroChat was entirely criminal.

To make matters worse, it now transpires that in internal correspondence, a member of the NCA’s legal team had urged Matt Horne, the NCA’s deputy director for investigations, to avoid putting things in writing, which suggested the NCA had not fulfilled its duty of candour.

One argument is that the NCA’s assertion that EncroChat was exclusively used by criminals was overstated and unjustified.

The NCA relied on a number of submissions to justify to Lord David Anderson, who provided legal advice to the Crown Prosecution Service on the EncroChat warrant applications, that the phone network was solely used by criminals. These included the cost of the service, its use of encryption, and a suggestion that EncroChat phones were not for sale online.

Analysis of the warrant application revealed that earlier versions of the draft of the application claimed there would be minimal collateral intrusion for innocent members of the public.

That was changed on the same day to say that there would be no collateral intrusion to members of the public, even though no new facts had emerged, no doubt to shore up the NCA’s warrant application.

The position was inflated from EncroChat being mainly criminal, to majority criminal, to vast majority criminal with collateral intrusion possible. However, a French legal document showed that of 380 phones active on French soil, 242, or 63.7%, were used for criminal purposes a month into the hacking operation.

If this is correct, the allegation is that the NCA closed its mind to the requirement for bulk interception because otherwise it would not be able to take advantage of Operation Emma and the potential treasure trove of data.

 

Assumed facts

The Investigatory Powers Tribunal initially ordered the NCA to work with a technical expert to conduct experiments to assess how the implants worked in practice.

But following a closed hearing with the NCA, this plan was dropped and the NCA agreed to proceed with the tribunal on the basis that the expert’s hypothesis, that EncroChat messages were obtained through intercept and decryption from the EncroChat server, was correct.

The NCA told the court that many of the issues raised by the defendants’ lawyers had already been addressed in criminal hearings, preparatory cases and appeals, and had been rejected.

The core argument is that EncroChat evidence was obtained while in the course of transmission and, as such, the warrant granted to the NCA should be quashed.

However, there have been key findings in Crown Court preparatory hearings, which have been upheld by the Court of Appeal, that the EncroChat material was obtained while being stored.