The National Crime Agency (NCA) has been ordered to covertly collect hundreds of thousands of messages from the encrypted mobile phone network EncroChat, based on a conversation between a French police officer and a UK one that was not confirmed in writing, a court heard this week.
The claim was made during the second day of a legal challenge in Britain’s most secretive court, the Investigatory Powers Tribunal, which will decide whether the NCA had a legal basis to use material extracted from EncroChat in criminal proceedings.
The NCA, in collaboration with police forces, arrested 1,550 people across the UK and seized 115 firearms, £54m in cash and large quantities of drugs by analyzing messages obtained by a French hacking operation on EncroChat phones used by organized criminals in 2020.
During a meeting at Europol from 19-21 February 2020 to discuss the French EncroChat operation, NCA intelligence officer Emma Sweeting drafted an email describing how the French would use an “implant” to extract EncroChat messages from phones.
Sweeting told the court that on the last day of the meeting she showed the draft email to Jeremy Decou, the criminal investigations officer responsible for the French EncroChat investigation, who verbally agreed that it was correct.
The NCA used the email to apply for a Targeted Equipment Interference (TEI) warrant, which authorized it to use hacked EncroChat messages in criminal proceedings in the UK, without getting written confirmation of its accuracy from the French, the court heard.
The French did not use the word ‘implant’
Stephen Kamlish KC told Sweeting that Decou could not have accepted her email, which described the hacking tool as an “implant”, since that was a word Decou had refused to use.
The court heard that NCA officials asked Decou in a September 2020 interview whether he wanted to describe the interception mechanism as an implant, a tool or a technical device.
“Jeremy always uses a tool, a capture tool or a technical device. One time when he was asked if he wanted to use the word implant or something else, he used the word tool and never used the word implant,” Kamlish said.
Decou “made a slip” in the interview by saying that the technical device had retrieved data from the OVH server, a data center in France that hosted EncroChat.
The NCA had obtained its TEI warrant on the basis that EncroChat messages were extracted from the phones.
Decou corrected himself by saying that he could not comment on the technical aspects, Kamlish told the court.
Sweeting said she couldn’t vouch for what Decou said in the interview. “The truth is as I describe it. I told that to Jeremy Decou and he confirmed that it was accurate and true.”
French warned of possible problems
Decou emailed Sweeting in January 2020, suggesting the French hacking technique might not be accepted in UK court cases, the court heard.
“I remember in our meeting you said you can’t wiretap a phone in a court case,” he wrote. He said the same problem could apply to phone data interception.
He told Sweeting that he hoped the magistrates would find a solution to allow the NCA to use data from the French operation.
The gendarmerie officer wrote that the phone data would be accessed “live or almost live” from “our server”.
“That sounds alarm bells for anyone applying for a TEI warrant,” Kamlish said.
Sweeting said she understood Decou to be referring to a server set up by the French to receive the data, not the EncroChat server.
The NCA could apply for a TEI order to use the material taken from the phones as evidence at trial. If TEI was not adequate, it could apply for a Directed Intercept (TI) order, which would allow the use of EncroChat material for intelligence purposes.
“We were trying to find the right order, TEI or TI,” she said. “If it was TI, we could use it as intelligence.”
Europol meeting note
Kamlish questioned Sweeting about notes taken during the Europol meeting by NCA officer James Willmott, which recorded that data would only be collected in France from the server rather than targeting all EncroChat devices.
“Legal advice should now be sought to consider the new definition of the activity,” Willmott wrote.
Kamlish asked if Sweeting had arranged a call with the NCA’s legal department because she was “very concerned” about the content of Willmott’s note.
“We had regular conversations with the NCA legal department,” she said. “It wasn’t something that worried me that much, it was just a legal update.”
Sweeting said she couldn’t recall the conversation with the NCA legal department, but had disclosed her notebooks.
The NCA intelligence officer was also questioned about a memorandum written by a senior NCA officer, Brendon Moore, sent to senior NCA officers in early February before the Europol meeting.
The memorandum said that the NCA “knew” that the technique used by the French would be based on “TEI not TI”.
“I didn’t feel like we as an agency had a definitive vision,” Sweeting said. “I can’t account for what Brendon wrote.”
Kamlish said there were at least three emails in which Sweeting referred to a TEI warrant without referring to a TI warrant, including one that said “considered TEI” before the Europol meeting.
NCA asked no questions
Sweeting acknowledged that she did not instruct a technical officer to ask Decou more questions about the French hacking technique before the meeting at Europol.
“There’s a reason you didn’t ask. You didn’t want to have a formal answer saying this is TEI,” Kamlish asked.
“There was no conscious decision. This was in the context of a Europol meeting where we were going to find out more,” she said.
Sweeting said it was disingenuous to suggest that discussions that did not provide the answer the NCA sought were buried.
“Minutes have been provided, emails have been provided. There were no arguments that we got rid of,” she said.
Duty of frankness
Simon Csoka KC asked Sweeting if she knew she had a duty to provide information to the judicial commissioner who authorized the NCA order, “even if that information would not help what she was trying to achieve.”
She agreed that the NCA’s TEI order is silent about the circumstances in which Sweeting met with Decou. She did not recall any discussion about whether to include this information in the TEI.
Csoka asked Sweeting why she didn’t send Decou the email she had shown him at the Europol meeting to get written confirmation of its accuracy.
“Are you suggesting that the French didn’t want to say whether the implant was being removed from the device or from the server?” he asked.
Sweeting said she wasn’t suggesting that. “I’m just explaining the course of events at Europol.”
“In that case, why not ask Mr. Decou to confirm it in a formal sense?” Csoka asked.
Sweeting told the court, “I just didn’t choose to follow that course of events.”
Previously, she had told the court that she knew she would not get a written description of the full technical details of how the implant worked.
The case continues.