European lawyers have published an open letter saying that “unprecedented” secrecy around the police hacking operation into the encrypted phone network EncroChat has made it impossible for their clients to have a fair trial.
In the letter, written to members of the European Parliament and the European Commission, lawyers from seven countries say they still don’t know the details of what happened in the hacking operation more than 18 months ago.
They say the lack of information about how the hack was carried out, coupled with conflicting information given by police and prosecutors in different countries, has made it impossible for defendants to check the accuracy of the evidence against them.
“The manner of the infiltration has been suppressed under the shroud of a claim of national defence secrecy by the French authorities,” they write. “This has made it impossible for those accused of crimes to check the accuracy, authenticity, reliability and even the legality of the evidence used against them.”
The document has been signed by an international group of 23 lawyers from Belgium, France, Germany, the Netherlands, Norway, Sweden and the UK. The civil society group Fair Trials has also signed the letter.
The lawyers call for the European Parliament and the European Commission to put a halt to new EncroChat prosecutions until more evidence is disclosed.
Laure Baudrihaye-Gérard, legal director (Europe) of Fair Trials, said in a statement that the secrecy around EncroChat was undermining the rights of defendants.
“Fundamental rights must be upheld for all people, but the secrecy surrounding the EncroChat hack seriously undermines these rights,” she said. “How can you prepare a defence if you cannot access the evidence against you?”
Contradictory information
In the letter, the lawyers say there is an emerging picture of inconsistent and “even completely contradictory” information provided by law enforcement agencies across Europe concerning the details of the EncroChat hacking operation.
“This raises serious concerns about the integrity and reliability of the evidence on which prosecutions across Europe are based,” the letter adds.
The lawyers say the French authorities’ refusal to reveal how the hacking operation was carried out, when each country’s legal system “has specific, robust and world-leading procedures for dealing with sensitive information”, is unprecedented in their collective experience.
They say the lack of disclosure breaches EU standards on procedural safeguards, European Court of Human Rights case law and international best practice guidance.
“It has generated a huge amount of otherwise avoidable litigation and driven a surge in prison populations through recourse to pre-trial detention,” the lawyers write.
“More troublingly, judges are forced to make decisions about complex technical matters based on inference as opposed to being provided with the complete, unadulterated evidence to which they are entitled.”
Europol should explain its involvement
The lawyers call on the European Parliament and the European Commission to require European policing body Europol to fully explain its involvement in the EncroChat operation.
Europol should explain its role in processing, analysing and sharing the EncroChat data, including which countries were involved and when, to the national courts dealing with EncroChat cases, say the lawyers.
They also call for the European Parliament to set up an enquiry into what they describe as breaches of EU law during the EncroChat investigation.
With the EU set to significantly expand the remit of Europol, the letter says safeguards and oversight mechanisms are needed to help prevent fundamental violations of human rights.
Blanket secrecy
Lawmakers should adopt “appropriate safeguards” to ensure that data shared through EU police and judicial co-ordination mechanisms cannot be subject to “a blanket assertion of national defence secrecy” – as the French authorities have done in the case of EncroChat – say the lawyers.
They write: “In the EU legal framework, it is recognised that the fundamental rights of all people, including suspects and accused persons, must be upheld and protected.
“We are very concerned that the current handling of the EncroChat issue threatens the rule of law and fundamental rights protected by EU law, that, if it is allowed to pass unchecked, sets a worrying precedent.”
Fair Trial’s Baudrihaye-Gérard said the European Union should take urgent action to improve transparency and accountability in EU policing.
“The EU must take responsibility for these violations, particularly as Europol played such a fundamental role in facilitating the police action following the hack,” she said. “It must take urgent action to improve oversight, ensure transparency and instil a sense of accountability in EU policing.”
Law enforcement agencies have suspected that EncroChat was used as a communications platform for organised criminal activity since 2016.In 2020, French and Dutch investigators made a breakthrough after tracing EncroChat’s servers to a datacentre run by OVH in Roubaix, France, and were able to apply a “software implant” to infiltrate EncroChat.
The French police managed to harvest 100 million supposedly encrypted messages from the EncroChat phones, along with details of users’ contacts, notes, videos and voice messages, their pseudonyms or handles, and the phone IMEI numbers.
The hacking operation, which began on 1 April 2020, came to a sudden end when EncroChat’s operators managed to send out an alert to their customers on 13 June 2020, advising that the network had been compromised and recommending that users destroy their phones.
‘Extraterritorial jurisdiction’
The lawyers say in the letter that the hack may have involved an exercise of “extraterritorial jurisdiction” by the French Gendarmerie which breached the sovereignty of individual EU member states.
“The likelihood is that the hack involved the fundamental rights of thousands of individual citizens of member states, including at least the right to respect for private and family life, the right to freedom of expression and the right to protection of personal data, while an adequate review by an independent judicial authority is completely absent in this regard,” they write.