The National Crime Agency (NCA) has received a warrant to covertly harvest hundreds of thousands of messages from the EncroChat encrypted cell phone network based on a conversation between a French official and a British law enforcement official that has not been confirmed in writing, a court heard this week.
The claim was made during the second day of a legal challenge in Britain’s most secret court, the Investigatory Powers Tribunal, which will decide whether the NCA had a legal basis to use material exfiltrated from EncroChat in criminal proceedings.
The NCA, in conjunction with the police force, arrested 1,550 people across the UK and seized 115 firearms, £54 million in cash and large amounts of drugs by analyzing messages obtained by a French hacking operation on EncroChat phones used by organized criminals, in 2020.
NCA intelligence officer Emma Sweeting wrote an email describing how the French would use an ‘implant’ to extract EncroChat messages from telephone handsets during a meeting at Europol to discuss the French EncroChat operation from February 19 to 21, 2020.
Sweeting told the court that on the last day of the meeting, she showed the draft email to Jeremy Decou, the criminal investigations officer in charge of the French EncroChat investigation, who verbally agreed it was correct.
The NCA used the email to request a TEI (Targeted Equipment Interference) warrant – which allowed it to use hacked EncroChat messages in criminal proceedings in the UK – without obtaining written confirmation from the French of its accuracy, the court heard.
The French did not use the word ‘implant’
Stephen Kamlish KC told Sweeting that Decou could not have accepted her email, which described the hack tool as an “implant”, because that was a word Decou had refused to use.
The court heard that NCA officers asked Decou during a September 2020 interview if he wanted to describe the interception mechanism as an implant, tool or technical device.
“Jeremy always uses a tool, or a capture tool or a technical device. Once when asked if he wanted to use the word implant or something else, he used the word tool and he never used the word implant,” Kamlish said.
Decou “slipped” in the interview saying the tech device retrieved data from OVH’s server – a data center in France that hosted EncroChat.
The NCA had obtained its TEI warrant on the basis that EncroChat messages were extracted from telephone handsets.
Decou corrected himself by saying he couldn’t comment on the technicalities, Kamlish told the court.
Sweeting said she couldn’t respond to what Decou said in the interview. “The truth is as I describe it. I asked this to Jeremy Decou and he confirmed that it was accurate and true.”
The French warned of possible problems
Decou emailed Sweeting in January 2020 suggesting the French hacking technique might not be accepted in court cases in the UK, the court heard.
“I remember at our meeting you said you can’t have an intercept on a phone in a court case,” he wrote. He said the same problem could apply to intercepting telephone data.
He told Sweeting he hoped the magistrates would find a solution to allow the NCA to use data from the French operation.
The gendarmerie officer wrote that the telephone data would be accessible “live or almost live” from “our server”.
“This sounds alarm bells for anyone applying for a TEI warrant,” Kamlish said.
Sweeting said she understood Decou was referring to a server set up by the French to receive the data, not the EncroChat server.
The NCA could seek a TEI warrant to use material extracted from telephone handsets as evidence for prosecution. If the TEI was not appropriate, they could apply for a targeted interception (TI) warrant, which would allow the use of EncroChat material for intelligence purposes.
“We were trying to find the right mandate, TEI or TI,” she said. “If it was TI, we could use it as intelligence.”
Europol meeting note
Kamlish asked Sweeting about notes taken at the Europol meeting by NCA officer James Willmott, who noted that data would only be collected in France from the server rather than targeting every EncroChat device.
“Legal advice must now be sought to consider the new definition of activity,” Willmott wrote.
Kamlish asked if Sweeting had arranged a call with the NCA’s legal department because she was “so concerned” about the content of Willmott’s memo.
“We had regular conversations with NCA’s legal department,” she said. “It wasn’t something that worried me that much, it was just a legal update.”
Sweeting said she did not recall the conversation with the NCA legal department, but leaked her notebooks.
The NCA intelligence officer was also asked about a memo drafted by a senior NCA officer, Brendon Moore, sent to senior NCA officers in early February ahead of the Europol meeting.
The memo stated that the NCA “knew” that the technique used by the French would be based on “TEI not TI”.
“I didn’t feel like as an agency we had a definitive opinion,” Sweeting said. “I can’t explain what Brendon wrote.”
Kamlish said there were at least three emails in which Sweeting referred to a TEI warrant without referring to a TI warrant, including one that said “deemed to be TEI” before the Europol meeting.
NCA did not ask questions
Sweeting admitted that she had not had a technical officer ask Decou any further questions about the French hacking technique before the meeting at Europol.
“There’s a reason you didn’t ask. You didn’t want to have a formal answer saying it’s TEI,” Kamlish asked.
“There was no conscious decision. It was in the context of a Europol meeting where we were going to find out more,” she said.
Sweeting said it was wrong to suggest that discussions that did not provide the answer the NCA sought were buried.
“Minutes have been provided, emails have been provided. There were no discussions that we got rid of,” she said.
Duty of candor
Simon Csoka KC asked Sweeting if she was aware that she had a duty to provide information to the judicial commissioner who authorized the NCA warrant, “even if it was information that would not help what you were trying to accomplish”.
She agreed that the NCA’s TEI warrant said nothing about the circumstances under which Sweeting met Decou. She did not recall any discussion about whether to include this information in the TEI.
Csoka asked Sweeting why she hadn’t sent the email she showed Decou at the Europol meeting to Decou to get confirmation of its accuracy in writing.
“Are you suggesting that the French didn’t want to say if the implant was taken from the device or from the server,” he asked.
Sweeting said she wasn’t suggesting that. “I am only explaining the course of events at Europol.”
“In that case, why not ask Mr. Decou to confirm formally,” Csoka asked.
Sweeting told the court, “I just didn’t choose to take this course of events.”
Earlier, she had told the court that she knew she would not get a full description of the technical details of how the implant works in writing.
The case continues.