How far are criminal investigations inhibited by the wide availability of end-to-end encryption (E2E)?
The Home Office and UK law enforcement agencies think the problem is urgent, hence the politically tricky decision to use a little-known feature of the Investigatory Powers legislation – the Technical Capability Notice – to seek to impose back-door conditions on Apple’s Advanced Data Protection (ADP) system. Most observers see this as a test case for future control over many other E2E services such as WhatsApp, Facebook Messenger, Signal and Telegram.
But an examination of some recent high-profile cases shows that successful prosecutions are possible even where suspects have deployed apparently robust end-to-end encryption. What needs to be understood is that E2E communications are often only one element of a criminal enterprise, and that other traces of criminal activity can be found by conventional investigatory techniques.
Moreover, elsewhere in the Investigatory Powers Act (IPA) 2016 is the ability to obtain warrants to hack, referred to as Equipment Interference. Where end-to-end encryption is deployed, encryption and decryption take place only at the endpoints, the smartphone handset or a computer, which renders the traffic in transit unreadable even by Apple, WhatsApp or any other service provider. But the endpoint is exactly where the content exists in the clear: if the device can be hacked remotely and its contents read, the encryption is bypassed rather than broken.
Operation Venetic
This is what happened in the National Crime Agency's biggest investigation to date, Operation Venetic. The handsets in question, called EncroChat, used a variety of anti-surveillance techniques which, for a while between 2016 and 2020, gave their customers, many of them involved in serious organised crime, the illusion of safety from scrutiny. E2E was used for handset-to-handset communications. The phones themselves were highly resistant to conventional forensic examination, even when seized.
The break-through technique was developed by the Dutch and French, with the French in operational control, and consisted of a "tool" or "implant" used to hack the handsets. The tool was uploaded covertly and enabled covert exfiltration of data from the device. Legally it fell into the category of Targeted Equipment Interference under Part 5, IPA 2016.
Between April and mid-June 2020 vast quantities of messages and photos were downloaded, and the UK-related ones ended up as evidence in UK trials. Defence lawyers and experts mounted a number of vigorous objections to the admissibility and reliability of the Venetic evidence, but in nearly all cases the product was admitted and, in the words of the NCA, thousands of conspiracies involving the wholesaling of narcotics and murder were successfully penetrated.
Covert hacking tools
There is no serious shortage of “tools” available to law enforcement to achieve covert hacking. Among such tools that have been identified are Pegasus from the Israeli NSO Group, Hermit, Graphite and Predator. Within the Snowden files, now over 11 years old, are references to Tailored Access Operations. It is a reasonable assumption that there are other such tools which have avoided publicity.
But there were many successful prosecutions of serious criminal activity before the Dutch/French intervention. Suspects were found in possession of EncroChat phones whose contents could not be read, yet there was enough evidence available by conventional means.
I acted as a prosecution expert in many of these cases brought by the NCA and Regional Organised Crime Units (ROCUs). They included Operations Tradite, Meropia, Clubman, Hammer, Sparkle and others. My role was as a supplement to already well-researched investigations – to describe the known functions of the phones and to point to their very high cost – £1500 outlay and £800 to renew after 6 months. I must have considered over 100 such phones.
Other sources of evidence
So what were the ingredients of those successful pre-Venetic EncroChat cases? Among them: observation of people whose lifestyles were conspicuously beyond their visible means, open source intelligence from social media, informants, formal directed surveillance, CHIS (covert human intelligence sources), CCTV both public and private, and information from other investigations.
Once there was reasonable suspicion, warrants could be obtained for communications data. Encrophones could only communicate with other Encrophones, so everyone who had one also carried a regular smartphone, and that regular phone generated communications data.
Communications data shows who is in contact with whom, from which conspiracies can be mapped, and, through cell-site analysis, the movements of the phone's owner, which might reveal county lines drug distribution routes.
Financial records could be obtained. The activity of identified vehicles could be tracked by ANPR (automatic number plate recognition). In suitable circumstances a “property interference” warrant enabled audio and video bugs to be placed in buildings and vehicles.
Equipment Interference
According to the Investigatory Powers Commissioner's Office (IPCO), some 1100 equipment interference warrants have been issued to law enforcement annually, though most of these do not produce admitted evidence, as the authorities have sought public interest immunity (PII) certificates to prevent their disclosure.
Also possible, though usable only for intelligence and not as evidence, were warrants for interception of traffic in transmission. Finally, as an investigation reached a crescendo, premises searches might produce drugs paraphernalia, weaponry, untoward quantities of cash and unfortunate items of literature.
A particularly important ingredient has been the use of link analysis software, which combines and visualises all these separate strands of evidence. Such tools are invaluable for investigators but also useful for producing court exhibits to show to juries.
Examples are available from Chorus, i2, Cambridge Intelligence and others. Similar techniques can be and are used in terrorist cases and against paedophile rings. In cybercrime and IP piracy cases "communications data" can also include IP addresses and activity logs.
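To make concrete what the preceding paragraphs describe, the following is an added illustration, written for this page and not code from the article or from any of the products named above. It fuses two strands of the kind listed: communications data (who called whom, and from which cell site) and ANPR sightings, joined to people through attributions that would come from subscriber checks and surveillance. It then does the three things link analysis is used for here: groups the nodes into connected networks (the candidate conspiracies), ranks handsets by how many distinct contacts they have, and finds handsets or vehicles recorded at the same place within a short window. All phone numbers, cell IDs, plates, camera names and attributions are constructed for the example and correspond to no real case. Note the unattributed handset 07700900005, which ends up in the main network and co-located with 07700900001: that is exactly the kind of lead the fused view surfaces for follow-up.

```python
"""Toy link analysis over constructed communications data and ANPR hits.

Added illustration, not code from the article or from any vendor product.
Every record below is invented: the phone numbers, cell IDs, plates and
camera names are hypothetical and correspond to no real case.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import combinations

# Constructed call data records: (caller, callee, start time, caller's cell site).
# Only the originating handset's cell is recorded, as in a typical CDR.
CDR = [
    ("07700900001", "07700900002", "2020-03-01T09:00", "CELL-A"),
    ("07700900001", "07700900003", "2020-03-01T09:20", "CELL-A"),
    ("07700900003", "07700900001", "2020-03-01T09:25", "CELL-B"),
    ("07700900002", "07700900003", "2020-03-01T09:30", "CELL-B"),
    ("07700900001", "07700900004", "2020-03-01T10:05", "CELL-C"),
    ("07700900005", "07700900001", "2020-03-01T10:10", "CELL-C"),
    ("07700900006", "07700900007", "2020-03-01T11:00", "CELL-Z"),
]
# Constructed ANPR hits: (plate, camera, time).
ANPR = [
    ("AB12CDE", "CAM-M1-J3", "2020-03-01T08:40"),
    ("XY99ZZZ", "CAM-M1-J3", "2020-03-01T08:45"),
    ("AB12CDE", "CAM-A1-N", "2020-03-01T12:30"),
]
# Constructed attributions from other strands (subscriber checks, surveillance).
# 07700900005 is deliberately left unattributed.
PHONE_OWNER = {"07700900001": "ALPHA", "07700900002": "BRAVO",
               "07700900003": "CHARLIE", "07700900004": "DELTA",
               "07700900006": "ECHO", "07700900007": "FOXTROT"}
VEHICLE_KEEPER = {"AB12CDE": "ALPHA", "XY99ZZZ": "DELTA"}


def build_graph(cdr=CDR, anpr=ANPR, owners=PHONE_OWNER, keepers=VEHICLE_KEEPER):
    """Undirected graph of typed nodes; each edge records which strand produced it."""
    g = defaultdict(lambda: defaultdict(set))  # node -> neighbour -> {strand, ...}

    def link(a, b, strand):
        g[a][b].add(strand)
        g[b][a].add(strand)

    for caller, callee, _, _ in cdr:
        link(("phone", caller), ("phone", callee), "cdr")
    for phone, person in owners.items():
        link(("person", person), ("phone", phone), "attribution")
    for plate, person in keepers.items():
        link(("person", person), ("vehicle", plate), "keeper")
    for plate, camera, _ in anpr:
        link(("vehicle", plate), ("camera", camera), "anpr")
    return g


def components(g):
    """Connected components via BFS; each is one candidate network of associates.
    Returned largest first."""
    seen, out = set(), []
    for start in g:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.add(n)
            for m in g[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        out.append(comp)
    return sorted(out, key=len, reverse=True)


def persons(comp):
    """Attributed people in a component, sorted for stable output."""
    return sorted(name for kind, name in comp if kind == "person")


def hubs(g):
    """Phones ranked by number of distinct phone contacts; the top entries are
    the likely organisers rather than the couriers."""
    deg = {n[1]: sum(1 for m in g[n] if m[0] == "phone")
           for n in g if n[0] == "phone"}
    return sorted(deg.items(), key=lambda kv: (-kv[1], kv[0]))


def co_sightings(events, window_minutes=30):
    """Pairs of distinct subjects recorded at the same place within the window.
    Works for both cell-site (phone, cell, time) and ANPR (plate, camera, time)."""
    by_place = defaultdict(list)
    for subject, place, ts in events:
        by_place[place].append((subject, datetime.fromisoformat(ts)))
    window = timedelta(minutes=window_minutes)
    hits = set()
    for place, obs in by_place.items():
        for (s1, t1), (s2, t2) in combinations(obs, 2):
            if s1 != s2 and abs(t1 - t2) <= window:
                hits.add((min(s1, s2), max(s1, s2), place))
    return sorted(hits)


def cell_events(cdr=CDR):
    """Project CDRs onto (caller, cell, time) so they fit co_sightings()."""
    return [(caller, cell, ts) for caller, _, ts, cell in cdr]


if __name__ == "__main__":
    g = build_graph()
    for comp in components(g):
        print("network:", persons(comp))
    print("hubs:", hubs(g)[:3])
    print("handsets co-located:", co_sightings(cell_events()))
    print("vehicles co-sighted:", co_sightings(ANPR))
```

Run as a script, it prints two networks (ALPHA, BRAVO, CHARLIE and DELTA in one; ECHO and FOXTROT in the other), ranks 07700900001 as the hub with four distinct contacts, and reports the handset and vehicle co-sightings. The same `co_sightings` routine serves both cell-site and ANPR data, which is the point of the exercise: once each strand is reduced to (subject, place, time), the strands combine. Real deployments would of course carry the evidential provenance of every edge, which is why each edge here is labelled with the strand it came from.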
All of these techniques present few of the political challenges raised by the Home Office's attempt to use a Technical Capability Notice to compel the "breaking" of strong encryption.
The political challenges include the risk of weakening the legitimate use of encryption in e-commerce, online banking, health records and compliance with data protection legislation. And, more recently, US sovereignty objections to UK law enforcement issuing broad-based orders to major US companies.
Professor Peter Sommer is a digital evidence expert witness