A Berlin court has raised questions over whether data from 120 million messages obtained by police hacking an encrypted phone service can continue to be lawfully used as evidence in prosecutions in Germany and other European countries.
The Landgericht Berlin Regional Court has ruled that text messages intercepted by French police from the EncroChat encrypted phone network cannot be used to prosecute a suspect for alleged drugs trafficking offences in Germany
The decision, by Germany’s largest criminal court, calls into question previous assumptions that under Europe’s mutual recognition principle, intercept evidence obtained by one member state can automatically be used as evidence in other European states.
The court ruling is likely to have implications for the use of evidence obtained from future law enforcement hacking operations into encrypted communications systems, defence lawyer Christian Lödden told Computer Weekly.
Law enforcement operations
EncroChat is one of a series of encrypted phone and messaging services to be infiltrated by collaborating law enforcement agencies across Europe since 2020, sparking prosecutions of organised crime groups for drug trafficking and money laundering in multiple countries.
French and Dutch police harvested messages from 4,600 EncroChat phone users in Germany and tens of thousands of phone users in other countries after infiltrating EncroChat servers hosted at the OVH datacentre in Roubaix, France, in a novel hacking operation in 2020.
A three-year investigation by police into organised crime and drug groups using EncroChat phones led to 6,500 arrests worldwide and the seizure of nearly €900m in cash and assets.
The lawfulness of the use of hacked data from EncroChat and other encrypted phone networks has now been called into question following a ruling by the Berlin Regional Court.
Berlin Regional Court decision raises questions
The months-long trial heard evidence from German investigators and prosecutors, and reviewed translations of evidence disclosed by the UK’s National Crime Agency during criminal trials involving EncroChat in the UK.
A grand chamber of the Berlin Regional Court, made up of five judges found in an oral decision in December that contrary to arguments by European prosecutors, French investigators had not intercepted EncroChat data from a central server in France, but had harvested it from the handsets of EncroChat users in German territory.
Under German law, that meant prosecutors were obliged to seek approval from the German courts to use the French-supplied data in Germany.
However, the presiding judge found that prosecutors had failed to seek judicial approval and that German courts would not have authorised the hacking operation against EncroChat under German law.
Questions to European Court of Justice
The decision came after the Berlin Regional Court submitted questions to the Court of Justice of the European Union (CJEU) asking whether France’s sharing of hacked EncroChat messages with Germany was permitted under European law.
The European court found that, under the European Invesitigation Order (EIO) Directive, France should have formally notified Germany of the interception of EncroChat phones on German soil, and given German authorities the opportunity to object to the operation within 96 hours, if they wished.
The court of justice found, contrary to previous German court decisions, that the protections offered by Article 31 of the EIO Directive were designed to protect the rights not only of the country receiving evidence from another EU state but also the individual users of telecoms services intercepted by law enforcement.
That contradicted earlier findings of the German supreme court that found Article 31 exists only to support the sovereignty of member states, and cannot be claimed by German citizens as a measure to protect their rights.
German courts would not have approved EncroChat hacking
Following the CJEU’s decision, the Berlin Regional Court found in its latest ruling that the principle of mutual confidence in actions of other member states during judicial cooperation only meant Germany should recognise that France’s actions were legal under French law.
The presiding judge, Kristin Klimke, found that the German court still had a duty to examine whether the French operation against EncroChat would be legal under German law. And in this case, a German court would not have approved the operation under German law because the evidence of suspicion did not meet the threshold to justify an equivalent hacking operation in Germany.
The judge also found that prosecutors had not established that evidence of serious crimes could not have been obtained in a less obtrusive way than by intercepting the data of all EncroChat phone users in Germany.
The principle of European cooperation is not intended to require each national law authority to adopt the same criteria for conducting state hacking operations, but is intended to enable cooperation between countries with different laws to protect the privacy and other rights of their citizens, the judge found.
Although the Court of Justice of the European Union allowed German prosecutors to request EncroChat data from France, the CJEU did not go on to say that prosecutors could use the data without approval from a German court.
In another legally significant decision, the judge found that the hacking operation against EncroChat was not simply a French police operation but was a joint European operation involving a number of other EU member states.
France went beyond surveilling the 300 French users of EncroChat, gathering data from all EncroChat users in Europe, the judge found. France had notified its partner countries in advance of the hacking operation.
However French prosecutors failed to comply with European law by failing to follow the correct procedures under EU law to inform Germany of its plans to obtain the phone data of German citizens.
France’s notification should have contained details of the targets identified by phone number, IP address or email, the identity of individuals targeted, including their address, date of birth and social security numbers, as well as a description of the offence committed.
The Berlin Regional Court also found that the French authorities had not disclosed their communications with German police and that no information had been supplied to the court on how the data had been intercepted – raising questions over whether defendants had adequate information to challenge the validity of the data.
German defence lawyer Christian Lödden, who is a member of an international group of lawyers collaborating on EncroChat and similar cases, said the court was the first to try to understand what happened before and during the EncroChat operation. The judge found that Germany, rather than simply taking data France had already obtained from EncroChat, had been informed about the hacking operation in advance and had therefore participated in the operation.
“At the end of the day, she said that under German and European law, the evidence is not allowed to be used in court,” he added.
Lödden said the decision would set a precedent for other cases heard in Germany, though courts elsewhere would make their own decisions on the admissibility of EncroChat evidence. The case is also likely to impact the use of intercept evidence in other cases in Europe, he said.
Dutch defence lawyer Justus Reisinger said the Berlin court’s decision could have “massive” implications for cases in Holland.
“This decision basically confirms our defence arguments in the Netherlands from the recent year. Previously, the Supreme Court rejected my arguments on this point, but along with the Berlin court, even academics are saying that an interpretation like that from the Dutch Supreme Court can’t stand. So a legal landslide is quite possible and justified,” he said.
Bojana Franović, a lawyer in Montengro dealing with evidence from police hacking of Sky ECC and the FBI-run Anom encrypted phone network, said the decision was likely to influence judicial decisions in her country.
Italian lawyer, Daniel Fiorino, said that the Berlin court decision as an “excellent result” but described the legal situation in Italy as “very complex”.
“We have numerous trials still underway,” he said.
“Everyone in the judiciary, at least in Montenegro, is very keen on what the other countries are doing and how they are dealing with those cases,” she said.
A final written version of the decision has yet to be published.
Prosecutors are expected to appeal the decision to the Supreme Court in Germany.
Main points of decision by Berlin Regional Court
- The Berlin Regional Court ruled that EncroChat data cannot be used in evidence in a criminal trial.
- Although data from EncroChat phones was obtained lawfully under French law, a German court is still required to decide whether the interception measures taken by France were permissible under German law.
- Under German law, the suspicion that users of EncroChat were committing crimes did not reach the threshold to justify intercepting all EncroChat communications.
- The principle of mutual cooperation between European member states must recognise national measures to protect citizens’ fundamental rights in cooperating countries.
- Although the European Court of Justice concluded that German prosecutors were permitted to request EncroChat data from France, that does not in itself mean prosecutors could also use the data in prosecutions.
- It was not established that evidence against suspects could not have been gathered by less draconian means other than by than intercepting their communications.
Source: EKSK legal, Joint Defence Team
Source
The new AI bots menu in a WhatsApp beta release for Android. Image source: WABetaInfo
Support for custom AI bot creation in a WhatsApp beta release for Android. Image source: WABetaInfo
Using Google’s Circle to Search AI feature on the Galaxy S24 Ultra. Image source: Samsung
Samsung’s Project Moohan Android XR headset. Image source: Samsung
