EncroChat's data... forbidden fruit?

'Earthquake for organised crime' read the headline of the press release of 2 July this year from the Public Prosecutor's Office, after it was revealed that more than 20 million intercepted chat messages from criminals had, to a large extent, been read live. It is likely that a software application (malware) was placed on EncroChat's servers that allowed messages to be read before they were rendered unreadable to third parties through encryption. After encryption, decrypting the data would have been a tough job, although that did succeed with data from the company Ennetcom, which had been secured by the Justice Department in 2016.

The installation of malware that invades an automated work is also known as 'hacking'. An order to hack can only be issued by the public prosecutor after prior authorisation from the magistrate. This requirement of prior judicial review aims to protect citizens from arbitrary interference by the government in their private lives. The right to confidential communication is protected by Article 8 of the European Convention on Human Rights (ECHR) and Article 13 of the Constitution. 

For instance, it must be clearly established what crime someone is suspected of committing and what facts and circumstances underlie this suspicion. It should also be indicated how long the investigation will take and the automated work should be sufficiently identifiable. The technical device, for instance the malware, should also be described precisely, so that the use of the power can be monitored as well as possible. 

In the deployment of investigative methods in the case of EncroChat, things seem to have gone completely differently. Instead of deploying malware against a particular suspect, police and the judiciary have now penetrated a server with tens of thousands of users. A 'gamechanger', the prosecution calls this modus operandi. At the press conference called by the police and judiciary, they stated:

"Normally in a case we are looking for evidence. We have now completely reversed that. All our evidence is now looking for a case. I am convinced that many arrests will follow".

That does not sound as if police and the judiciary have complied with the strict conditions imposed on hacking to protect civil rights. EncroChat was also in use by individuals who were not suspected of crimes, but who have now been hacked.

The police and judiciary take the view that there is a permissible interference with private life, given the seriousness of the crimes detected and the impossibility of obtaining the information found by other means. However, it should not be overlooked that many crimes were apparently not known before the privacy intrusions took place. It can also be debated whether certain crimes could not have been solved in other ways. The evidence may have been illegally obtained. 

In many cases, the hack only yielded starting information. This is information that gives cause to identify certain individuals as suspects. This in turn allows the use of certain special investigative powers such as observation, house searches, etc. But what if this starting information is unlawfully obtained? In Dutch case law, unlawfully obtained starting information does not quickly lead to exclusion of evidence (via the forbidden fruit doctrine). But the way in which the starting information was obtained here may be worth getting to the bottom of, if only with a view to a reduction of the sentence.

Throughout the investigation, the question of whether EncroChat was actually targeting the criminal market may also play a prominent role. After all, that is the reason why the police and judiciary dared to undertake this operation. According to the prosecution, there is 'no visibility' of legal users of EncroChat, but that does not mean they are not there. If other search terms were entered, legal users could still come into view. But such research is not readily admissible because it touches on the privacy of those involved. Perhaps a counter-investigation by the defence can offer relief here.

According to its own statement, the company developed the software for celebrities who feared their phones could be hacked. There are plenty of non-criminal reasons to want to use a well-protected device or service. If it comes to light that a significant proportion of users were using the service for legitimate purposes, the legality of the hack comes under pressure for this reason too. The proportionality of this hack will then no longer be as obvious as the prosecution would have us believe.

Mr. D.M. Penn

See also: https://www.pennadvocaten.nl/de-verboden-vruchten-van-encrochat-deel-2/

https://www.pennadvocaten.nl
