TY - JOUR
T1 - Encrochat
T2 - The hacker with a warrant and fair trials?
AU - Stoykova, Radina
N1 - Funding Information:
The digital investigation of the encrypted criminal communication network Encrochat is one of the first in Europe on such a scale and demonstrates the coordinated cooperation between a French-Dutch joint investigation team (JIT), Europol, and Eurojust (Eurojust-Europol, 2020). Europol suspected that Encrochat services were being used for the purpose of serious organized crime since 2017. Encrochat phones were equipped with anti-forensics technology to destroy evidence and to make law enforcement investigative measures difficult. All communication between Encro-devices was end-to-end encrypted (O'Rourke, 2020), making decryption warrants or server access warrants useless. The phones supported dual operating systems: one for standard use and one modified. Encrochat installed their own encryption programmes, routed communication to their own servers, and physically removed the GPS, camera, microphone, and USB port functionality from the phone (Zagaris and Plachta, 2020). The data port, recovery mode, and debugging facilities were removed, which prevented law enforcement forensic methods from accessing the phones (Gardiner and Sommer, 2021). The phones had other security features, such as: a panic PIN (instant handset wipe, which wipes all phone contacts and messages with no backup memory); password wipe and wiping of the phone on request to the Encrochat dispatcher; and a seven-day message burn time before deletion on both sender and receiver phones (Gardiner and Sommer, 2021). The communication was end-to-end encrypted using an OTR-based messaging app, which routed conversations through a central OVH server based in France, and EncroTalk, a ZRTP-based voice call service. It also contained EncroNotes, which allowed users to write encrypted private notes. A unique session key was generated for each communication. The session key was renewed for each message. The phones supported instant messaging, VoIP, IP calls.
Encro-phones had an IMEI number, which can uniquely identify the device, and a SIM card from the Dutch telecommunications provider KPN, but not necessarily the owner. Since encryption and decryption of messages was only possible on the phone, the only option to expose Encrochat as a network facilitating criminal communications was through police hacking.
Publisher Copyright:
© 2023 The Author
PY - 2023/9
Y1 - 2023/9
N2 - This paper introduces the Encrochat operation as an example of the technological, cross-border, and cross-disciplinary complexity of one contemporary digital investigation. The use of encryption for large-scale criminal activity and organized crime requires law enforcement to act pro-actively to secure evidence, to rely on cross-border evidence exchange, and to use more efficient digital forensic techniques for decryption, data acquisition, and analysis of volumized evidence. The Encrochat investigation also poses the question whether the traditional fair trial principle can still ensure minimum state intrusion and upholding of legitimacy in the new ubiquitous investigation process, where digital forensics methods and tools for hacking and data acquisition are used to identify and arrest thousands of suspects and collect evidence in real-time during criminal activity. The operation is examined through the lens of the right to a fair trial, as codified in Art. 6 ECHR, in order to exemplify three challenging aspects. Firstly, in cross-border investigations there are no binding digital forensics standards in criminal proceedings or forensic reports exchange policy which demands reliability and compliance with Art. 6 ECHR-based evidence rules. Secondly, the defense's stand is not sufficiently addressed in current digital evidence legislation or mutual trust-based instruments at the EU level. Finally, the judicial process lacks scalable procedures to scrutinize digital evidence processing and reliability and is exposed to technology dependences. The identified gaps and their practical impact require a novel approach to digital evidence governance.
KW - Criminal procedure
KW - Digital evidence
KW - Digital forensics
KW - Fair trial
KW - Mutual trust
KW - Police hacking
KW - Presumption of innocence
KW - Reliability
UR - http://www.scopus.com/inward/record.url?scp=85167997406&partnerID=8YFLogxK
U2 - 10.1016/j.fsidi.2023.301602
DO - 10.1016/j.fsidi.2023.301602
M3 - Article
AN - SCOPUS:85167997406
SN - 2666-2825
VL - 46
JO - Forensic Science International: Digital Investigation
JF - Forensic Science International: Digital Investigation
M1 - 301602
ER -