Cracking apps: are crime fighters going too far to bring down cartels?
Law enforcement sources have described it as an embarrassment of riches, a treasure trove that led to raids across Europe and in Dubai this week that were said to have brought down a supercartel that controls a third of the European cocaine trade.
“It was as if we were sitting at the table with the criminals,” Europol executive director Catherine De Bolle said in a recent interview.
The cracking of an encrypted communications app known as Sky ECC, said to be “best in class security”, and the delivery into the hands of FBI agents and police officers in Europe of 1 billion messages sent among 120,000 users has been a gift that keeps on giving.
The US attorney’s office had publicized the code-breaking triumph in March in an indictment of Jean-François Eap, chief executive of Canada-based communications technology firm Sky Global, accusing him of participating in a criminal enterprise “which facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communication devices”.
A blizzard of arrests followed, starting with last year’s raids in Belgium and the Netherlands at the level of street lieutenants and culminating in this week’s Operation Desert Light and the arrest of 49 suspects hiding in luxury properties in Spain and Dubai, including six alleged global kingpins.
The incinerators in Belgium are said to be unable to cope with the volume of cocaine being seized in the port of Antwerp, while Dubai’s prisons host a veritable who’s who of the organized crime world, many with links to Daniel Kinahan, alleged Irish crime boss and friend of the two-time world heavyweight boxing champion Tyson Fury.
The bold piece of law enforcement follows on the heels of other recent high-profile police initiatives, including the FBI’s sensational discovery of a private key to unlock a bitcoin wallet into which Colonial Pipeline Co paid $5m (£4m) in ransom to cyber hackers.
However, questions are beginning to be raised in the case of Sky ECC and the cracking of other encryption services, as to whether this brazenness may have gone too far.
A legal motion, replete with internal emails and documents, filed by lawyers acting for Sky Global as part of an effort to recover 116 internet domains it claims were illegally seized by the FBI and other law enforcement agencies, argues that lines are definitively being crossed in a way that should worry us all.
Eap, publicly condemned as a friend of organized crime but described by friends as a tech startup geek who has never smoked a cigarette in his life, is said to be heartbroken, and sees himself as collateral damage in a tech arms race between organized crime and their law enforcement enemies.
The Sky ECC encryption platform emerged in 2013 “in response to global increases in cellphone hacking and high-profile data breaches,” according to the motion filed in a US District Court in Southern California.
Sky Global sold secure devices with the app pre-loaded to distributors worldwide. While WhatsApp targeted average customers, Sky ECC was more niche, serving “individuals and industries with heightened privacy concerns … consisting of government entities, military contractors, celebrities, and members of the legal, healthcare, and financial industries.”
An email in the file suggests that at some point in 2018, Sky Global offered free samples of the phones to the Ontario Provincial Police. Of course, the company also knew that such technology could be useful to criminals. However, they insist they took all available measures to reduce the risk. An exhibit in the file from May 2020 tells how Sky Global’s support team received a request from a retailer named “Kaan” in Germany asking the company to quickly wipe the contents of two phones.
“PLEASE HELP! Two customers are in trouble with the police. Their devices were confiscated. Please delete two devices and the Sky app.”
The support team responded that they would not wipe a device “that we know is subject to a valid legal investigation”. The email added: “It should be noted that our software automatically deletes all data at least every seven days [fewer, if the user changes their settings] and we cannot prevent such data from being deleted.”
The company argues that just because its technology can be used for nefarious purposes doesn’t mean it’s designed for the world of organized crime.
“What has happened here is the equivalent of authorities seizing Apple.com because drug traffickers use iPhone encryption features to communicate with each other,” Sky Global’s lawyers wrote.
The lawyers also have another argument. When Sky ECC was shut down, which led to the release of 27 employees and 14 contractors, an opening was created in the clandestine communications market. One that the FBI was keen to exploit.
As of 2018, an encrypted service known as Anom had taken off in the criminal underworld despite the cost of $1,700 for the handset and a $1,250 annual subscription. What users didn’t know was that Anom was an FBI invention, and every message on it was read by police.
With Sky ECC down, Anom enjoyed what the FBI admits was exponential growth in its customer base, with 6,000 customers switching over.
The closure of Sky ECC, its lawyers claim, was in part an attempt “to strengthen a separate law enforcement operation at the expense of a thriving and legitimate private business”.
The dramatic scenes of recent days, with images emerging of once cocky men, allegedly responsible for no end of suffering, being led away from their blocks in Marbella and Dubai, can be seen as justifying law enforcement.
But a further concern has arisen which is reflected in cases heard in UK courts. No one outside a small circle of people, and specifically the French authorities who appear to have been instrumental in gaining access to a Sky ECC server in their country, can say how the messages were hacked or whether the data can be trusted.
The Italian Supreme Court last month ordered prosecutors to reveal how the Sky ECC data was obtained, arguing that it was impossible to have a fair trial if the defendant is unable to access the evidence or assess its reliability and legality, a position adopted by the NGO Fair Trials. Whether prosecutors choose to do so could determine whether or not the arrests made this week lead to convictions.
Prosecutors in the UK face a similar dilemma in relation to the hacking of EncroChat, another secret messaging platform that had the added feature of a “panic” button that, when pressed, would immediately delete the phone’s contents.
In the UK, evidence obtained from directly monitored communications where the interception was carried out in the country is considered unreliable. French officials were again instrumental in the hack, and prosecutors will have to show that the wiretapping took place in France, but are reluctant to do so.
“The reality is that no one knows or absolutely no one in this country knows the truth about what they actually did, and that’s part of the problem,” said Julian Richards, head of Reed’s lawyers’ complex crimes team and the attorney for some of the defendants charged in the EncroChat hack.
With legal questions about the origin of the communications intercepted in both Sky ECC and EncroChat, there will be concerns at Europol headquarters and elsewhere about whether the treasure unearthed will turn out to be fool’s gold – and what rights have been captured in the collection of it.