
29 Apr EncroChat: the reference for a preliminary ruling to the Court of Justice of the European Union
The Berlin Regional Criminal Court (Landgericht Berlin) has ordered a preliminary reference to the Court of Justice concerning the use of EncroChat messaging data. The order for reference disputes the legality of the European Investigation Order used by the German authorities to acquire the data and highlights the restriction of rights resulting from the impossibility of knowing the technical methods of data extraction, which calls into question the data's usability as evidence.
The case
In 2020, following a lengthy investigation, the police and judicial authorities of France and the Netherlands, Europol and Eurojust announced that they had dismantled the EncroChat encrypted communications network, which was used mainly by criminal organisations.
The joint investigation made it possible to intercept and analyse in real time millions of messages transmitted in the chats.
Based on an extraction of the EncroChat server in Roubaix, France, investigators had developed a trojan that was implanted in the server itself and then in users’ devices in the form of a fake system update.
Out of 64,134 registered users, 32,477 from 122 countries were intercepted, including 380 in France and 4,600 in Germany.
As a result, between April and June 2020, the French authorities were able to obtain the IMEI[1] of the devices, the email addresses of the users, the date and time of each communication, the location of the antennas through which access was made, as well as texts and images transmitted in ongoing chats. In addition, the complete memory of the intercepted devices was read, which also gave access to chats from periods before the investigation that had not yet been deleted.
This was followed by the arrests of numerous suspects, even in countries outside the investigation but particularly affected by the widespread use of encrypted networks by organized crime.
In France alone, the Gendarmerie employed a task force of 60 men to monitor the communications of thousands of criminals, initiating a large number of criminal proceedings.
In the Netherlands, at the same time, hundreds of investigators drew on the information extracted from the chats and managed to arrest over 100 suspects, dismantle 19 synthetic drug laboratories, and seize tons of cocaine and crystal meth, as well as weapons, vehicles and millions of euros in cash.
The interception activity finally stopped on June 13, 2020, when EncroChat noticed the violation of the systems by the authorities and immediately sent an alarm message to all users.
The defendant in the present case was also a user of the platform, which he used for drug trafficking activities. In particular, he was charged with 14 counts of trafficking and four counts of possession: 188 kg of marijuana and 3.5 kg of cocaine between April and May 2020 alone.
The proceedings against him arose from the acquisition by the BKA (Bundeskriminalamt) [2] of data concerning users operating in Germany, carried out through external collaboration with the Franco-Dutch Joint Investigation Team. Only at a later stage did the German authorities issue a European Investigation Order requesting to use the data acquired by the Gendarmerie in its investigation activities.
Since this acquisition procedure is considered to be contrary to the guarantees laid down by German and European law, the Regional Court of Berlin considered it necessary to refer the question of its legitimacy and the usability of the results to the Court of Justice of the European Union. So far, it is the only higher court that has deviated (already in 2021) from the prevailing orientation whereby EncroChat data would instead be fully usable[3].
The messaging system of EncroChat
The system offered by EncroChat was similar to that proposed by Sky-ECC, which we have already discussed.
Crypto phones were presented to customers as a guarantee of absolute anonymity and complete discretion of both the encrypted interface and the device itself.
First, no association was made between devices or SIM cards and the customer’s account. In addition, the devices had a dual operating system, so that the encrypted system was undetectable. Finally, the GPS, camera, microphone and USB port were disabled.
The functions of the messaging system were also designed to make communications easier to conceal: automatic deletion of messages on the receiving devices, a specific PIN code to erase all data on the device, and deletion of all data after consecutive entries of a wrong password. In addition, users could have their data deleted remotely through reseller assistance.
The crypto phones were sold for around 1,000 euros each, with half-yearly subscriptions of 1,500 euros with 24/7 support. [4]
The referral of the Regional Court
The Regional Court of Berlin referred 14 questions to the Court of Justice in its request for a preliminary ruling, in order to determine whether the instrument of the European Investigation Order was legitimately used, whether it is relevant that it is not possible to know the technical means of acquiring the data and, where appropriate, the way in which the data can be used.
It should first of all be pointed out that the operation of the Trojan used by the French police is neither known nor knowable at present, as it is protected by French military secrecy.
Similarly, the German authorities have never even divulged the non-secret information they have learned from their French colleagues on the subject.
Moreover, the way in which the French authorities had initially reported the data was not known at the beginning of the first proceedings in Germany. Therefore, the German Courts based the first decisions, both precautionary and substantive, on the assumption that the investigation findings underlying the proceedings had been sent “spontaneously” to the German authorities and that the German investigators had played no active role in collecting them.
On the contrary, an informal exchange of information took place at an early stage, in which the German authorities activated monitoring of EncroChat users in Germany for criminal investigation purposes, using the work already in progress in France. According to the Court, this operation constitutes an investigative activity that should have been based from the outset on a European Investigation Order, so that its legitimacy under German law could subsequently be assessed and the fundamental rights of suspects guaranteed (by verifying the necessity and proportionality of the order and the legality of the investigative activity with respect to national law).
Already in the past, the CJEU itself [5] has pointed out that the transmission of traffic or location data to an authority is in itself a serious constraint on the fundamental rights set out in Arts. 7 and 8 of the Charter[6].
Moreover, as noted by the Supreme Court with regard to the data of the Sky-ECC chats, in this case too there emerges an insurmountable obstacle to the conduct of a fair trial, which requires that the defence have the opportunity to fully confront the evidence.
In the opinion of the German court, European case-law makes this all the more necessary where the evidence in question comes from a technical field in which neither the court nor the parties have expertise[7].
The usability of EncroChat data would therefore be called into question by the impossibility, as things stand, of evaluating the technical methods of interception, hijacking, storage and extraction. The exercise of the right of defence is compromised if the correctness, completeness and consistency of the data used in court cannot be verified.
On the other hand, the German Court emphasizes, in many cases like the one under examination the EncroChat chat data constitute the only evidence of the disputed fact.
In the present case, for example, proof of negotiations on the sale of substances would be sufficient to constitute the crime of drug trafficking. Therefore, it is essential for the defence to be able to evaluate both the individual messages themselves and the temporal and content relationship between messages sent and received.
In fact, technical errors or incompleteness can distort the meaning of the chats, and this cannot be noticed by someone who has only the results of the investigative activity available.
According to the criteria developed by the Court of Justice in the Steffensen judgment[8], the mere fact that the data used cannot be verified by the defence via a technical expert would suffice to conclude that it is unusable as evidence.
This has been compounded by the refusal of the European agencies and the German authorities to make available documents which are not subject to French military secrecy and which would nevertheless have been relevant to the defence.
In particular, the Court criticised the refusal to share the messages exchanged by the German authorities through the SIENA system [9], which would at least have made it possible to verify whether technical anomalies were reported during the initial phase of cooperation with the French investigators and in respect of which data. In fact, one of the few messages from this system that has been included in the case file suggests that there were such reports, but it is not possible to determine which users and periods they concerned.
In addition, the German Court stressed that European case-law has established that combating serious crimes cannot in any way justify indiscriminate and generalised retention of data. There have been rulings which have allowed access to precise traffic and location data for criminal investigation purposes, but which at the same time have linked their legitimacy to compliance with the principle of proportionality and to the constant presence of a review by a judge or an independent administrative authority [10].
In this case (and others related to it) both requirements are lacking. The data collection was carried out on a huge and indiscriminate sample of users (32,477 users out of 64,134), without it being possible to assume a priori that all EncroChat customers belonged to a single criminal network; nor was any inquiry made into heightened privacy needs arising from the exercise of lawful activities. On the contrary, an equation was drawn whereby a service with certain costs and functionalities must necessarily be intended for illicit activities.
Moreover, the impetus for the investigations in Germany did not derive from activities under the control of the judicial authority, but was the result of police cooperation coordinated by Europol. Even later, when the German judiciary intervened, only the results of the technical activity performed on EncroChat by the Joint Investigation Team, and in particular by the Gendarmerie, were acquired.
This has prevented both ex ante control by an independent authority and ex post control in the form of the exercise of the right of defence through adversarial examination of the evidence by the parties.
The reference for a preliminary ruling was made as a matter of urgency because of the risk that the precautionary measure applied to the accused might lapse on expiry of its time-limit, highlighting the importance of the decision also for a large number of parallel proceedings currently pending [11].
It is to be hoped that the decision of the ECJ can contribute to restoring the centrality of the protection of the fundamental rights of individuals in the field of data and the guarantee of the full exercise of the right of defence in the digital age as well.
Prof. Avv. Roberto De Vita
Avv. Marco Della Bruna
REFERENCES
[1] International Mobile Equipment Identity, the numeric code that uniquely identifies the mobile device.
[2] Federal German police authority under the responsibility of the Federal Ministry of the Interior.
[3] https://www.spiegel.de/panorama/justiz/berlin-landgericht-laesst-encrochat-daten-nicht-zu-a-6dd9be2e-f558-40fa-9995-2f8136581f8e
[4] https://www.europol.europa.eu/media-press/newsroom/news/dismantling-of-encrypted-network-sends-shockwaves-through-organised-crime-groups-across-europe
[5] Cf. CJEU, decision of March 2 2021, La Quadrature du Net and others – C-511/18.
[6] “Respect for private and family life” and “Protection of personal data”, cf. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT.
[7] Cf. CJEU, decisions of March 2 2021, H.K./Prokuratuur – C-746/18, La Quadrature du Net and others – C-511/18, and of April 10 2003, Steffensen – C-276/01; ECHR, decision of March 18 1997, Mantovanelli/France.
[8] Cf. CJEU, decision of April 10 2003, Steffensen – C-276/01.
[9] Secure Information Exchange Network Application, a communication platform for European Union law enforcement.
[10] Cf. CJEU, decision of March 2 2021, H.K./Prokuratuur – C-746/18.
[11] Cf. Decision of the Berlin Regional Court of 19.10.2022, https://www.hrr-strafrecht.de/hrr/lg/22/279-js-30-22.php