Germany: European Court of Justice asked to rule on legality of hacked EncroChat phone evidence

Provenance of EncroChat evidence

A judge at the Landgericht Berlin Regional Court made the referral to the CJEU after hearing testimony from investigators and senior prosecutors involved in the EncroChat operation in a series of hearings that lasted over a week.

The questions centre on whether defendants in EncroChat cases can receive fair trials in Germany without having full access to files explaining how the data was obtained and its evidential provenance, according to a judgment published on Friday.

France, which conducted the hacking operation with the Netherlands in 2020, has refused to disclose information about the operation, which was conducted by the French internal security service, DGSI, citing “national defence secrecy”.

In Germany, according to the court ruling, prosecutors have disclosed only 120 pages of over 1,800 pages in the legal files to defence lawyers in a case before the Berlin Regional Court.

“The most important question is whether there is a European version of criminal procedural law, which could include an unwritten law, which says that if evidence is not disclosed to defendants, can it be used as evidence in court,” said Lödden.

The case concerns a defendant, currently released on bail, charged with dealing in marijuana and cocaine between April and May 2020 on the basis of evidence intercepted by police from the EncroChat encrypted phone network.

The court has submitted a series of urgent questions to the CJEU to clarify whether German investigators have infringed European law in obtaining hacked messages from German EncroChat phones intercepted in France.

The Berlin court also seeks to establish, if there has been a breach of European law, whether that would prevent evidence from EncroChat phones being used in criminal proceedings in EU countries.

The impact of the CJEU’s findings on hundreds of prosecutions under way in the UK is uncertain, because the UK is no longer under the jurisdiction of the CJEU following Brexit.

EncroChat hacking operation

Germany’s BKA began investigating EncroChat encrypted phones after discovering organised criminals were using the phones in Germany in 2018.

The French and Dutch team retrieved decrypted text messages, photographs and other communications data from EncroChat phones used around the world after accessing the EncroChat servers in France and using an updated server to infect phones with a software “implant”.

The implant, uploaded on 1 April 2020, affected 32,477 out of 66,134 users of EncroChat phones registered in 122 countries, including 380 users in France and 4,600 users in Germany.

It enabled the French authorities to identify the IMEI numbers of handsets, email addresses, date and time of communications and the location of radio masts used by the phones.

The BKA argued that the use of an EncroChat phone was grounds for suspicion of criminal activity because the encryption capabilities of the phone, coupled with its high cost – €1,000-€2,000 for a six-month contract – meant it was unlikely to be used for legal purposes. Police had also identified 300 EncroChat devices that had been used in crimes.

European project

The Berlin Regional Court argued in its verdict, dated 19 October 2022, that the hacking operation against EncroChat, known by the French as Operation Lemont and the Dutch as Operation Emma, was not a purely French operation but a “European project” subject to EU law.

The investigation carried out by the French and the Dutch since 2018 had been co-ordinated by Eurojust, the European agency for corporation in criminal justice, and had technical and financial support from Europol.

According to the 30-page decision, because of the secrecy over Europol’s and Eurojust’s communications with German police and prosecutors, German courts have assumed that France “spontaneously” transmitted EncroChat data to Germany without German involvement in operation.

Germany’s Supreme Court, the Federal Court of Justice (BGH), ruled on 2 March 2022 that EncroChat evidence provided by France to Germany could be used as evidence in Germany for investigating serious criminal offences.

The Federal Court found that the failure by the French authorities to inform Germany about a surveillance operation carried out on German territory cannot lead to the exclusion of improperly obtained evidence.

However, the Berlin Regional Court argues in the latest decision that the CJEU did not have access to relevant documents that were obtained later by defence lawyers and is now seeking clarification from the CJEU.

European Investigation Orders

The Berlin Regional Court has raised questions whether European Investigation Orders (EIOs) issued by Germany to France to obtain evidence and data from French investigators were properly carried out.

The court found that the German authorities should have issued an EIO to the French before the EncroChat operation began, which would have had to have been approved by a German court.

Alternatively, the French should have notified the German authorities that French police intended to obtain data from EncroChat phones in Germany.

The German authorities would have been required to notify France if the operation could not have been authorised under German law within 96 hours, and if so, to require France not to carry out the interception.

“The fact that the French authorities had failed to provide this information was known to the German investigative authorities from the outset and they did not raise any objections,” the court found.

Suspicion of offences

The Berlin Regional Court said it did not want to follow the line of argument of the Federal Court of Justice that “unspecified suspicions” of the “multiple offences” were sufficient to comply with the law on issuing EIOs.

The Federal Court of Justice had decided that EncroChat was used by criminals on the basis of findings that EncroChat phones were used in a “very small” number of criminal proceedings compared to the total number of EncroChat users.

To the extent that EncroChat operators were targeting EncroChat to criminals, this only allowed conclusions to be drawn about criminal activity by “some” but by no means “all or most of the users”, the Berlin court said.

German domestic law requires investigators to show “specific suspicion” against individuals targeted for secret telecommunications surveillance – and “vague indications” or “mere conjectures” of general sets of experiences are not enough.

The “non-specific suspicions” given before the start of the hacking operation against EncroChat and the “list of various alternative possible offences” that could be committed by users of EncroChat phones “would not have been permitted” under German law.

Right to a fair trial

The Berlin Regional Court said that the right to a fair trial requires defendants to be given a “genuine opportunity” to give an opinion on the evidence.

The BKA has refused to hand over to German courts information provided by France to Germany before the EncroChat operation began, according to the Berlin court decision.

German investigators have testified that they understood that the French police would extract EncroChat messages from a server in France. But the details of what exactly they understood and what their assessment was based on remained “vague and unconvincing”.

A message sent to the BKA on 27 March 2020 referred to methods used by the French to obtain data from telephone handsets in German jurisdiction, according to the Berlin court.

“The German investigative authorities were either aware from the start that the surveillance measure would not be limited to French territory and that end devices [handsets] on German territory were to be infiltrated,” said the court verdict. “Or they closed their eyes to this legal possibility.”

The use of defence secrecy by the French authorities to protect the hacking method means it is not possible for defendants in Germany to use an IT expert to understand and assess potential sources of error in the data.

“The expert would need various information on the technical basis of the surveillance measure and the transfer of data to the Europol server, but these would not be communicated by the French authorities on the basis of military secrecy,” it said.

“The technical methods used to intercept, extract, store and finally to download the EncroChat data, sorted by country, on the Europol server, raise a number of complex questions,” the Berlin court judgment states.

These include questions over the integrity of the data, “its accuracy, completeness and consistency”, it said, adding: “The possibility of examining these issues is essential for an effective defence.” 

Forum shopping

Under European law, member states can only issue EIOs to require another country to undertake a surveillance operation if the same action would have been approved by a domestic court.

The Federal Court of Justice said in its decision on 2 March 2022 that this principle does not apply to the transfer of evidence to Germany when France had already obtained the data.

But the Berlin Federal Court said this would mean the EIO scheme would not respect the national minimum required to protect individuals’ rights and would not protect investigators from “forum shopping” by law enforcement agencies.

It said Germany and France co-operated on the EncroChat operation informally until June 2020, but that that does not eliminate the need for actions undertaken by France on behalf of Germany to comply with German law.

Wire-tapping law

Under German law, wire-tapping carried out without a judicial order cannot be used in evidence. Evidence can also be banned if the legal conditions for ordering surveillance are not met.

Decisions in German courts on EncroChat have given weight to the interests of law enforcement because of the seriousness of the offences committed when considering whether there were breaches of EU law.

The Berlin Regional Court judgment said it was not clear that this approach was compatible with EU law, however.

It said any breaches could be dealt with either by prohibiting the use of evidence or by giving it less weight or taking the breaches into account in sentencing.

But it said that under EU case law, any infringement almost always results in the exclusion of evidence. “There is a strong case for adopting ‘a ban on exploitation’ under the principles of EU law,” it said.

Principles for fair trials undermined

The Berlin Regional Court said principles required for a fair trial had been undermined in several ways, including the fact that the data requested by an EIO cannot be verified by a technical expert acting for the court because of French confidentiality.

There were “multiple violations” under the EU agreement of EIOs “for which German prosecuting authorities are directly responsible or to which they have turned a blind eye”, it said.

“If all these requirements of EU law had been complied with, the data of the German users would not have been collected or stored by Europol and certainly not transmitted to the German authorities for the purpose of prosecution,” it added.

European agencies and German prosecutors have “further complicated matters” by refusing to disclose material elements of the prosecution file to defence lawyers and by refusing to disclose any procedural documents.

The refusal to include messages sent by Europol to German police on the SIENA messaging system are particularly serious, the Berlin court said.

The inability of defendants to verify the EncroChat data means that courts should consider giving it “a reduced probative value” and that convictions should not be based on the data alone.

No date has been set for the CJEU to answer the questions from the Berlin court.