A Spanish court has raised questions about the validity and reliability of intercepted phone data, acquitting multiple defendants of drug trafficking charges in a case that relied solely on intercepted evidence from the encrypted phone network Sky ECC.

The case is the most significant rejection by a court of the validity of electronic evidence intercepted during an international police hacking operation against an encrypted phone network used by criminal groups.

The provincial court in València found that prosecutors could not rely on digital evidence to prove their case when defendants had been refused access to the raw data harvested from Sky ECC – denying experts the ability to test the reliability and authenticity of the data.

The decision, released on 23 January, will have implications for future prosecutions that rely on interception from police hacking operations into the Sky ECC and EncroChat encrypted phone networks, where there is no other evidence to prove criminal behaviour.

Julio Sánchez, a lead defence lawyer on the case, told Computer Weekly that the court decision will set a new benchmark for future prosecutions based on intercepted phone data.

The court had recognised that “the right to a fair trial requires that the defence has access to the original data in order to adequately exercise their right to [challenge the evidence] and defence,” he said. “I know that there are already judges, police officers and prosecutors studying how to act right now. They certainly did not expect this.”

Defendants denied access to raw intercept material

Defendants in EncroChat and Sky ECC cases have been routinely denied access to the raw data intercepted by joint French and Dutch investigators from the phone network services hosted in the OVH datacentre in France. The French government has also refused to disclose details of how investigators obtained data from the network, citing French military secrecy.

Police investigators have been able to identify the users of Sky ECC and EncroChat phones by mapping their phone movements, placing suspects under surveillance, or using automatic number plate recognition (ANPR) to identify vehicles. In some cases, suspects posted “selfies” of themselves or colleagues, which allowed police to identify them as owners of the anonymous “handles” assigned to each encrypted phone user.

However, there have also been a significant number of prosecutions brought in which the only evidence of a crime came from intercepted messages themselves, with no supporting evidence from drug seizures or recovered firearms. Many of the people charged in the UK have pleaded guilty to avoid longer sentences.

The València court ruling will make prosecutions based on intercept evidence alone more difficult and will put pressure on police to make the raw intercept data available to defendants so that they can independently assess the reliability of the intercept material – something that prosecutors have so far resisted.

Cocaine discovered in shipping container

The police investigation in València began in August 2020, when Spanish police and customs surveillance officers found an open shipping container at the APM container terminal in the city’s port. They discovered three black bags holding more than 100 tablets of high-purity cocaine among the cargo.

Spanish police were unable to identify who was responsible for the drug smuggling operation and dropped the investigation. But just over a year later, prosecutors applied to France for copies of phone messages intercepted by French investigators from the Sky ECC mobile phone network, which they used to identify and arrest suspects.

Electronic evidence lacked digital signature

The 44-page judgment reveals that the French authorities sent Spanish police an email containing a URL to a zip file containing intercepted messages from Sky ECC relevant to the Spanish investigation. Spanish investigators downloaded the files to a USB stick presented to the court.

Defence lawyers argued that the files had been downloaded without using a digital signature to record a hash value that would ensure the integrity and authenticity of the messages.

The court agreed that the digital evidence obtained from Sky ECC was the product of at least two filtering and selection processes, by French and Spanish law enforcement authorities, that lacked “intrinsic elements that guarantee their authenticity and integrity”.

“For this reason, the electronic evidence provided lacked the only elements capable of guaranteeing the integrity and authenticity of digital evidence,” the judgment added.
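The integrity control the defence said was missing can be illustrated with an added example (not code from the judgment or from any investigator's tooling): at download time, record a SHA-256 hash of the zip archive and of every file inside it, then re-check any later copy against that record. The file names, URL, timestamp and archive contents below are constructed for the example.

```python
import hashlib
import io
import zipfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(archive: bytes, source_url: str, acquired_at: str) -> dict:
    """Hash the archive exactly as received, plus each member file inside it."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = {i.filename: sha256(zf.read(i))
                   for i in zf.infolist() if not i.is_dir()}
    return {"source_url": source_url, "acquired_at": acquired_at,
            "archive_sha256": sha256(archive), "members": members}

def verify(archive: bytes, manifest: dict) -> dict:
    """Compare a later copy with the acquisition manifest and list every difference."""
    now = build_manifest(archive, manifest["source_url"], manifest["acquired_at"])
    old, new = manifest["members"], now["members"]
    return {
        "archive_matches": now["archive_sha256"] == manifest["archive_sha256"],
        "modified": sorted(n for n in old if n in new and old[n] != new[n]),
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
    }

def make_zip(files: dict) -> bytes:
    """Helper that builds an in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample data: the archive as first downloaded ...
ORIGINAL = make_zip({"chat_001.csv": "a;b;hello", "chat_002.csv": "c;d;meet at 9",
                     "chat_003.csv": "e;f;ok"})
MANIFEST = build_manifest(ORIGINAL, "https://example.invalid/export.zip",
                          "2021-01-01T00:00:00Z")
# ... and a later copy in which one file changed, one vanished and one appeared.
ALTERED = make_zip({"chat_001.csv": "a;b;hello", "chat_002.csv": "c;d;meet at 10",
                    "chat_004.csv": "g;h;new"})

if __name__ == "__main__":
    print(verify(ORIGINAL, MANIFEST))
    print(verify(ALTERED, MANIFEST))
```

A manifest only has evidential weight if it is itself protected from later alteration, for example by signing or timestamping it, or by lodging it with an independent party at the moment of acquisition.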

Only evidence from intercepted chats

Most importantly, the court said that the digital evidence provided from chat messages on Sky ECC was the only evidence supporting the prosecutor’s claims that most of the defendants were involved in criminal acts.

Although the police had produced reports on security camera recordings, which prosecutors said implicated some of the defendants as possible participants in the removal of drugs, defence lawyers raised “serious and very reasonable doubts” about the report which the court said “cannot be ignored”.

The Sky ECC intercepts “were the only evidence that could prove the participation of each and every one of the defendants”, it said.

Defence should be given ‘raw’ intercept data

In the absence of any other evidence against them, the defendants should have been provided with access to the raw data intercepted by the French, so that independent experts could test its reliability and challenge the evidence, the court found.

The European Court of Human Rights (ECHR) established in the case of Yüksel Yalçinkaya v. Türkiye that defendants must be allowed to access the raw data obtained from the interception of encrypted communications systems.

“The unavailability of such raw data, of such original digital evidence, in these proceedings…means that the digital evidence provided against them is not sufficient to rebut the presumption of innocence of the accused,” the court found.

Court had no choice but to acquit

The defence did not dispute the discovery of cocaine in a container at the Port of València. But the court found that in the absence of any valid evidence beyond Sky ECC that the defendants were involved in a drug trafficking operation, “there is no choice but to acquit them of the crimes of which they were accused”.

Julio Sánchez told Computer Weekly that the case was the first trial in Spain in which there was no other evidence apart from the decrypted intercepts from Sky ECC.

“The court also recognises that the digital evidence provided lacked intrinsic elements that would guarantee its authenticity and integrity, such as a digital signature or hash value,” he added. “Furthermore, the court considers that, according to the doctrine of the ECHR, when digital evidence constitutes the only incriminating evidence, the right to a fair trial requires that the defence has access to the original data in order to adequately exercise their right to contradiction and defence.”

He said that the case will set a benchmark for other Sky ECC cases regarding the value of digital evidence and the “necessity for it to be original, authentic and integral. In short, it must be reliable to be used in court. This will be crucial.”

The Spanish decision follows a ruling by an Antwerp court last year to adjourn a prosecution after unexplained changes were found in evidence files containing intercept material from Sky ECC. Two Italian courts last week also raised questions about the reliability of Sky ECC evidence.

Man-in-the-middle attack

Dutch and Belgian police began an investigation into the Canadian company Sky Global, which provided mobile phone encryption software, known as Sky ECC, after seizing encrypted phones during a drug trafficking investigation in 2016. Belgian investigators were subsequently able to buy a Sky ECC cryptophone from a distributor they met at the back of a “seedy” café, who insisted on receiving cash and refused to provide a receipt.

Investigators later established that the Sky ECC network was hosted on two BlackBerry Business Enterprise Servers at the OVH SAS datacentre in Roubaix, France.

In May 2019, Belgian, Dutch and French investigators met at Europol in The Hague to discuss a joint investigation into the criminal use of Sky ECC phones, while the US agreed to pause its own investigation into Sky Global.

Dutch developed decryption technique

French investigators obtained a warrant to install a “data capture device” on a Sky ECC which allowed them to intercept and decrypt messages posted in group discussions by intercepting the encryption keys shared by the group owner.

A team of Dutch researchers subsequently developed a technique to decrypt individual messages by installing a man-in-the-middle (MITM) server to intercept Sky ECC traffic before passing it on to the legitimate Sky ECC server.

The MITM server sent out a specially designed “push notification” to prompt Sky ECC handsets to transmit the cryptographic data needed to decrypt individual messages, allowing police to intercept and decrypt messages in “real time”.

Spanish police issued a European Investigation Order to France requesting Sky ECC data to assist in identifying suspects connected to the cocaine discovered at the Port of València in 2021.

The court acquitted all defendants last week. It found that the only issue that remained unresolved is the lack of legal recourse for people accused of crimes outside of France to challenge the lawfulness of the French judicial operation against Sky ECC’s servers in France.

The judges said it was not necessary to consider the issue as none of the defendants had attempted to bring a legal challenge in the French courts. Prosecutors have 10 days from the date of the judgment to file an appeal.

The 14 individuals acquitted were: Daniel Serrano Ramos, Fernando Moreno Sorní, Quintín Martínez Albalate, Jokin Larraona Ariño, Iván Torrijo Ríos, Onofre Garrido Rufino, Andrés Doménech Mocholí, Norman Pérez Galdón, Manuel Garrido Magdaleno, Javier Cutillas Riaza, Borja Manzano Ribes, Lázaro Antonio Caparrós, Horatiu Armanca and Enrique Blanch Caparrós.
