The police hacked thousands of phones. Was it legal?

For a week in October 2020, Christian Lödden’s potential customers wanted to talk about just one thing. Every person the German defense attorney spoke to had used the EncroChat encrypted phone network and was concerned their devices had been hacked, potentially revealing crimes they may have committed. “I had 20 meetings like this,” says Lödden. “Then I realized – my God – the flood is coming.”

Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware that the police secretly planted into the encrypted system extracted more than 100 million messages, revealing the interior of the criminal underworld. People talked openly about drug deals, organized kidnappings, planned murders and worse.

The hack, one of the biggest ever carried out by the police, was an intelligence gold mine – with hundreds arrested, homes raided and thousands of kilos of drugs seized. But that was only the beginning. Fast forward two years, and thousands of EncroChat users across Europe – including in the UK, Germany, France and the Netherlands – are in jail.

However, a growing number of legal challenges question the hacking operation. Lawyers argue that the investigation is flawed and that the hacked messages should not be used as evidence in court, saying that the rules surrounding data sharing were broken and that the secrecy of the hacking means suspects have not had fair trials. Towards the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world.

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” says Lödden. “We don’t defend criminals or defend crimes. We defend the rights of accused people.”

Hacking EncroChat

About 60,000 people were registered on the EncroChat phone network, which was founded in 2016, at the time it was shut down by the police. Subscribers paid thousands of dollars to use a customized Android phone that, according to EncroChat’s company website, could “guarantee anonymity.” The phone’s security features included encrypted chats, notes and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. The camera, microphone and GPS chip could all be removed.

The police who hacked the phone network did not appear to break the encryption, but instead compromised the EncroChat servers in Roubaix, France, eventually pushing malware onto devices. While little is known about how the hacking took place or what type of malware was used, 32,477 of EncroChat’s 66,134 users in 122 countries were affected, according to court documents. Documents obtained by Motherboard showed that all data on the phones could potentially be collected by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.)

Across Europe, legal challenges are building. In many countries, courts have ruled that EncroChat messages can be used as evidence. However, these decisions are now disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with its own rules around the types of evidence that can be used and the processes prosecutors must follow. For example, the UK largely does not allow “wiretapped” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone.
