By Robert Bateman

A U.K. court has ruled that prosecutors may submit evidence gathered by French and Dutch police through hacking defendants’ phones, in a judgment that has critical implications for the interpretation of the country’s surveillance laws.

The Court of Appeal’s judgment, delivered in February, related to data exfiltrated from EncroChat devices — subscription-only mobile phones used for encrypted communications.

The Feb. 5 ruling could open the door to more trials based on evidence obtained from EncroChat devices. But some legal experts told Digital Privacy News that the case had implications for the privacy of lawful EncroChat users.

Anthony Eskander, a lawyer with U.K. law firm Church Court Chambers, said it was necessary to consider “both sides of the argument.”

“On the one hand, certain characters use advanced technological developments to facilitate the conduct of criminal activity, with the primary objective of reducing the chance of discovery by law enforcement,” Eskander said.

“On the other hand, the legislature must protect the privacy of law-abiding citizens who decide to use a perfectly legal means of communication,” he told Digital Privacy News. 

“Was it fair, necessary, proportionate to breach their rights?” he asked. “Was the law designed to allow this to happen?”

Legal Foundation

The case provides an important interpretation of U.K. surveillance law, which prohibits data intercepted “in transmission” from being submitted as evidence at court.

Under the U.K.’s Investigatory Powers Act 2016 (IPA 2016), law enforcement agencies must obtain a targeted interception (TI) warrant before intercepting data in transit, or a targeted equipment interference (TEI) warrant before exfiltrating data stored on a device.

“Was it fair, necessary, proportionate to breach their rights? Was the law designed to allow this to happen?”

Anthony Eskander, Church Court Chambers law firm. 

The IPA 2016 bars intercepted communications from being examined in court proceedings because of the risk of exposing U.K. authorities’ intelligence-gathering practices.

The trial defense argued that, as the evidence had been exfiltrated from the devices’ random access memory (RAM), this was part of the transmission process — and the evidence should be inadmissible.

But in a unanimous verdict, the court found the data had been extracted “in storage” and was, therefore, admissible.

Better for the Public

Neil Brown, director of U.K.-based law firm Decoded.legal, said it might not be in the public interest to exclude such evidence from trials.

“If evidence is available, why should it not be put before the courts?” he posed.

“If the activity could have been authorized under a TI warrant, but was instead authorized under a TEI … it gives defendants a chance to learn more about the case against them, and contest it — which they would not have had if something had been achieved under a TI warrant,” Brown told Digital Privacy News.

“Admissibility as evidence does not lead to a free-for-all.”

Neil Brown, Decoded.legal.

Brown was skeptical that the EncroChat decision would lead to more state surveillance.

“TEI (warrants) are subject to the same high thresholds for warrantry for TI,” Brown said. “The agency still needs to demonstrate that what they are doing is necessary and proportionate, and obtain independent verification of that,” he said.

“Admissibility as evidence does not lead to a free-for-all.”

‘Semantic Construction’

Tim Forte, a defense lawyer and expert on EncroChat cases from the 3 Temple Gardens law firm in London, told Digital Privacy News that the admissibility of foreign-intercept evidence was “nothing new” in the legal system of England and Wales.

“The main plank of the decision to rule the material admissible was a semantic construction of whether the material was ‘in storage’ or ‘in transit,’” he said.

“The interception of such data has always, with the requisite permissions, been permissible in this jurisdiction,” Forte explained. “What has been proscribed has been the evidential use of such material, once obtained, in the trial arena.”

“It is unlikely that the rulings in this case will substantially impact the volume of ‘snooping’ carried out.”

Tim Forte, U.K. defense lawyer.

The main impact of the decision, Forte suggested, might be a review of U.K. surveillance law, which he described as “antiquated” and “failing to keep up with the technological arms race being run by the criminal encrypters and law enforcement decrypters.”

“It is unlikely that the rulings in this case will substantially impact the volume of ‘snooping’ carried out,” Forte said. “But it will arguably permit more product of that snooping to be used against you.”

Robert Bateman is a writer in Brighton, U.K.

Sources:

• Approved Judgment: England and Wales Court of Appeal (Criminal Division) Decisions 
• The Times: Hacked messages can be used as evidence in court