Copyright Notice:
EncroChat dilemmas © 2026 by Peter Sommer is licensed under CC BY-ND 4.0
Operation Venetic, the exploitation of the breaking of the EncroChat strongly encrypted smartphone service used by serious organised criminals, was at one level a considerable law enforcement success in the UK. But the trials proceeded on the basis that the key evidence was withheld from testing. Many long-term lessons now need to be learnt both in the UK and internationally.
EncroChat was a service which provided extremely secure, strongly encrypted smartphones. They were expensive to purchase, usually £1400, and the cost of renewal subscriptions was high, £800 for 6 months. The main customers were top level criminals involved in serious organised crime, chiefly the importing and wholesale distribution of narcotics. There was also inter-gang warfare in which murder contracts were taken out against rivals and in some instances executed. The service enjoyed wide popularity from 2016 until mid-2020 when it was realised that the service had been compromised by international law enforcement. At its peak there were some 60,000 subscribers. In effect, for a certain sort of narcotics trafficker, possession of an EncroChat phone was almost essential. Across Europe over 6,500 suspects were arrested, 103 tonnes of cocaine and 160 tonnes of cannabis were seized as well as over 900 weapons. The system was breached as a result of work by the Netherlands Forensic Institute and an international operation which was run chiefly by French law enforcement. Texts and photos hitherto unavailable and encrypted became readable for over 74 days. Believing the system was secure, subscribers had exchanged messages of great candour. Across Europe data retrieval was carried out on almost 40,000 handsets.
Evidential material was passed to the United Kingdom National Crime Agency (NCA) and its exploitation took place under the name Operation Venetic. Within the UK the police say that some 2,200 criminals were convicted, 200 threats to life were dealt with, 8 tonnes of class A drugs – mostly cocaine – were referred to and £84 million in criminal funds seized. At the time Venetic was said to have been the largest and most extensive UK law enforcement operation ever.
There have been several TV documentaries but the makers were dependent on law enforcement support and in any event had to make the result televisually attractive. There was heavy reliance on reconstructions using tough-looking actors standing in for criminals, noisy police raids, flashy graphics, moody nighttime shots of city landscapes and soundtracks of fractured music. These documentaries and articles that appeared in the national press were not necessarily inaccurate or wrong but they failed to feature the many technical and legal issues with which the police, prosecutors, lawyers and defence experts had to grapple. There have also been a number of websites and YouTube videos of varying levels of accuracy and objectivity.
There have been some academic articles which have dealt with some of the legal factors – a short list of them appears at the end of this article – but the aim here is to reach a broader audience to highlight the main investigatory and prosecution issues.
The question I wish to raise is: “Good result, worrisome methods?”
EncroChat: the system
There has long been a customer base for highly secure phones. Quite high levels of security are available to all smartphone users at no additional cost though they require a modest level of knowledge and management self-discipline to get the greatest benefit. All that is required is to download and run appropriate apps and services, such as Signal, WhatsApp, Telegram, Threema and Cryptomator. But “high net worth” customers can be persuaded that by paying premium prices and going to specialist suppliers higher and safer levels of security can be obtained. Earlier secure phones concentrated on scrambling voice transmissions but with the arrival of the smartphone many more possibilities opened up as security features could be baked in via apps and modification of operating systems. “High net worth” could mean businessmen and their advisors and prominent showbusiness individuals but also obviously includes criminals wishing to conceal their activities.
Earlier offerings included those based on the then popular Blackberry system such as Phantom Secure, PGP Safe (the latter not directly connected to the developers of the public domain asymmetric encryption software) and Ennetcom, closed down in 2016. Other offerings have included Sky.ECC and Anom. The latter was in the end run by the FBI as a honeypot trap. A more recent service was called MATRIX, closed down in December 2024.
EncroChat started to appear in 2016. There is no generally accepted account of its origin although there are conflicting rumours. It may have been designed in the Netherlands or in Canada; several names are being suggested for the entrepreneurs and inventors, but these have yet to be definitively proven. Actual marketing was via re-sellers not, as far as can be determined, directly by the system’s organisers.
Whoever they were they knew their stuff. The EncroChat system had two components, handsets and servers.
Handset
The handset was a very heavily modified Android smartphone. Over the life of the system several models were used as the hardware basis; the most common were in the BQ Aquaris family. BQ is a Spanish company. Later, Carbon models from a German company were used. The regular Android operating system was removed/overwritten. In earlier models, on powering up, an apparently regular Android opening screen appeared, but most of the apps didn’t work. The screen was designed to fool only the most casual of investigations. The phone had a second, concealed, partition. The method of access to it required a combination of key presses, though that changed over the life-time of the service. The next thing a user saw was a request for a 15-digit passphrase; too many unsuccessful attempts resulted in “bricking” the phone. But if successful the user then saw the full range of facilities.
In later models the initial dummy Android screen was dropped and on power-up the user was taken immediately to the passphrase input request.
Actual communications used a data-only SIM issued by KPN, a Dutch telecommunications provider. The SIM had world-wide roaming facilities. Like BQ, Carbon and the French hosting company OVH, whose products and services the Encro system used, KPN’s involvement was wholly innocent.
The facilities included:
- EncroChat – end-to-end messaging using the Whisper protocol. In addition to text messages it was also possible to send photographs. This was the main type of evidence produced in trials.
- EncroTalk – a voice-based service using the ZRTP protocol, though none of these conversations were ever produced in evidence, perhaps because capture proved difficult.
- EncroNotes – encrypted note-taking.
- Camera for taking photos.
- Remote wiping.
Users were identified by “handles”, pseudonymous names; one of the early tasks of investigators was to link a handle to a real person whom they wished to investigate and charge. Transmission of messages used end-to-end encryption – if done properly encryption and decryption take place only on the handsets of sender and recipient and no one else can eavesdrop.
A default facility, but which could be altered, was that messages stored on handsets would automatically delete after 7 days – this was referred to as the “burn time”. This feature was significant when one came to examine what was presented in evidence.
Encro was a closed system – users could only communicate with other Encro subscribers, and that included the photos. Most users also carried regular GSM smartphones for wider calls and messages to non-Encro-owning individuals.
Server Infrastructure
Encro required a central resource to manage its activities – a server.
Although some Encro literature refers to several servers only one appears in all the proceedings – a device resource at a cloud services company called OVH in Roubaix, near Lille, Northern France – it was simply selling facilities for customers to use as they wished. The server was subjected to warrants by the French authorities and was subsequently examined. Some other encrypted phone services set up their servers in jurisdictions where the local authorities were less likely to grant warrants.
Inside the server was a relatively conventional setup – it consisted of a series of virtual machines (VMs), each with a specific function, which interacted with each other and with the external Encro world of handsets. The services supported, among other things, text, media, voice calls and notes but also management tasks: to register and de-register handsets, manage subscriptions, deal with re-sellers through a portal, manage updates, manage funds, link SIMs to devices, host encryption keys and so on.
Evidence Collection
Law enforcement investigators in several of the countries where Encro handsets were turning up in raids decided to make covert purchases of phones and subscriptions so that they could understand Encro’s capabilities and functionalities and to determine how the handsets could be breached.
In the UK from 2017 EncroPhones were being widely recovered during investigations on narcotics traffickers but at that stage could not be penetrated. There were a large number of trials of cases where there was enough material for success using conventional evidence such as surveillance followed by vehicular stops and premises raids. But prosecutors thought that it would still be useful to inform juries about the phones, their capabilities and costs. They decided it would be better if that information came from an independent expert witness rather than a police officer. It was at this point I became involved. Several years earlier I had been invited to apply to join a register of experts maintained by the NCA for the benefit of UK law enforcement as a whole and I had written many reports and made many court appearances. I was shown a number of the covertly-purchased Encro phones, some of the analyses of their functionality and invited to form my own opinions. I also conducted separate investigations. On this basis I started to produce expert witness statements for a number of trials. These were of course limited to the phones’ functionalities and costs. At one stage this activity became almost a production line.
A number of companies offer facilities for breaking into smartphones, even when password protected, and extracting data from them. Some countries also have their own specialist units, such as the UK’s National Technical Assistance Centre (NTAC). But not all smartphones can be breached, and that was the case with EncroPhones. The normal way of breaching a smartphone is via the dataport and taking advantage of existing built-in facilities for engineers. In the Android world this is ADB – Android Debug Bridge. Almost certainly this was the route by which Encro’s suppliers modified the standard Android firmware by loading the handsets with their own secure variants. When they did this they also removed the ADB facility so that subsequent attempts at access would fail.
This meant that alternative routes to access had to be found and used. The routes were via the GSM mobile phone network and wifi. All smartphones have arrangements to receive updates of apps and operating systems and Encro’s designers had left these in so that they could send out updates of the Encro apps. An examination of the Encro server at OVH to which the French had obtained access showed that there were facilities for sending out updates.
It appears that it was principally the Dutch who came up with a solution – use the update facility to transmit a modification to handsets so that they could be accessed. Once access had been achieved, the next steps were to decide which internal files would be useful to acquire and to design a further command-and-control facility so that the files could be exfiltrated at will. The Dutch were also using such techniques on another secure smartphone service, Sky.ECC. Backdooring and exfiltration of smartphones was nothing new – such software was constantly being written by the hacker community and also by national intelligence agencies. Whilst the principle of such software was well-known, the practical problem was to keep its activity hidden from targets, particularly during a prolonged set of exfiltrations. Another problem was identifying what data would be useful to extract.
From their examination of the covertly-acquired handsets the law enforcement software engineers knew that at the very least the handsets would contain stored data for the most recent 7 days, prior to its being automatically deleted. That represented one task. Later this would be referred to as Phase 1 collection. But they also needed to see what could be collected “live”, while the message was being transmitted and received – this was Phase 2 collection.
The result was referred to as a “tool” by the French but the UK used the term “implant”.
Finally, once extractions were being received at law enforcement-controlled facilities they had to be processed so that they were of use to non-technical criminal investigators. These were the people who had to link the Encro data and “handles” to real individuals. Any such system also had to be robust and be capable of dealing with many simultaneous transactions – up to 60,000 handsets all exchanging messages with each other. In the event over 115 million conversations were captured during the live operation between April and mid-June 2020.
One can envisage the pressure on the programmers and coders tasked with producing the tool/implant and the server processing facilities. They had a series of complex tasks which required careful testing for robustness, while their investigating police colleagues wanted quick results in order to tackle a large volume of serious crime. In the event the operation, due to start in April 2020, ended prematurely when Encro realised what was happening. Subsequent examination of the evidence files produced by the tool/implant revealed some anomalies.
The French decided that the tool/implant was a national defence secret, not to be disclosed even to other national law enforcement partners. They repeated this position in December 2023 when they produced a partial explanation of their processes in response to a formal Letter of Request from the UK authorities under a mutual legal aid agreement – the MLAT letter. The obvious reason is that they decided that they would want to use something similar in future operations and did not wish to provide hostile elements with information which might be turned into evasive measures. But the decision not to disclose how the tool/implant worked created many difficulties for future criminal trials. The expectation in a trial is that all evidence can be fully tested and that there is no magic box which cannot be examined but asserts the guilt of an accused person.
Acquisition and Delivery to Law Enforcement Partners
The Dutch and French formed a Joint Investigation Team, a JIT, which carried out the core work and operations but kept in touch with other national law enforcement agencies who had reported the appearance of Encro phones. Prominent among these agencies was the UK’s National Crime Agency, not the least because large numbers of such phones had been discovered in raids. But the UK had decided to leave the European Union and the Dutch and French wanted the JIT to work under EU auspices. The small team within the NCA, at that point running a Project rather than a full Operation, became very interested observers who attended occasional meetings, exchanging emails, hearing reports on progress with the tool/implant via what was termed an Operational Task Force. The French called their activities Operation Emma and the Dutch Operation Lemont. Collected data would go to the same data centre as that used by Encro administrators, at OVH Roubaix.
The name Operation Emma was also adopted by Europol, which is the law enforcement agency of the EU and Eurojust, which deals with judicial co-operation in criminal matters among agencies of the member states.
The UK was asked to provide its consent and a legal basis for the JIT to use the collected data, otherwise the data would be collected but not used. The JIT sought an undertaking that, until the situation changed, any data supplied would be used only for intelligence purposes and not provided as evidence; along with that undertaking was that knowledge of Operation Emma would be strictly limited.
After some false starts it was decided that definitive collection of data would start on 1 April 2020 and run for 3 months. In the event the Encro administrators discovered the breach and notified their subscribers on 13 June. The exercise ran for 74 days. It collected 7 days of not-yet-deleted messages on the phone and then the following messages as they occurred.
As part of the processing of the harvest from the tool/implant geolocation data was identified. The data was based on the identities of the cellsites/towers to which the Encro phones had connected. It was thus possible to divide the individual evidence packs into national jurisdictional areas so that the NCA received UK evidence packs for the “234” and “235” codes but not for other countries. Although data collection was taking place all the time the evidence packs, combined into archive files, were usually sent out every 24 hours. An exception was where there were worries about threats to life – TTL – identified by looking for obvious keywords in the evidence stream. Separate arrangements were made to allow law enforcement early and timely access.
Under a European Investigation Order, EIO, the NCA received the evidential files from Europol in an archive format called TAR, which had originally been developed when computer data was stored on tape. The transfer was via Europol’s Secure Information Network Application – SIENA. Each evidence file was identified by its IMEI, the hardware identifier baked into every mobile phone. The NCA then had to open and process these to produce individual file packs which could be used by investigators. Each file had five sub-folders – CSV, Images, json, Raw and TARS. It was never clear what the various files held or, more importantly, how they had been created. Had any of them come direct and unmodified from the individual targeted handsets? If they were creations of the C3N processing, what had actually been carried out?
The files that were easiest to use were those in CSV format which could be fed into Excel spreadsheets. The Images folder contained photos. Json files – JavaScript Object Notation – were human-readable but also easy to feed into computers for further analysis.
UK Law Enforcement Reaction
The NCA along with other national law enforcement agencies had to address two immediate problems. First, they needed to relate the evidence packs to specific individuals who could be investigated and charged. Second, they had to identify specific charges and that in turn required them to ensure that the evidence they had received was admissible, that the courts would accept it for consideration.
Attribution
The process of linking an evidence pack to an individual is called attribution. The same technique that enabled Europol to divide up the Operation Emma harvest into national jurisdictions could be used to further sub-divide the UK material for delivery to the UK’s various Regional Organised Crime Units – ROCUs. There are 43 territorial police forces in the UK plus a unified one for Scotland. But for specialist activities such as organised crime there is some co-operation. There are 9 ROCUs.
The geo data in the evidence packs gave both the broader Location Area Code – LAC – and the specific Cellsite Identity – CID. It was relatively easy to infer that if a particular CID appeared frequently that would give the approximate location of the EncroPhone’s user home or business address. The result is approximate because cell towers cover an area which might be over a mile wide in urban areas and over 25 miles in rural environments. More granular detail of location was possible when the evidence packs also contained wifi data – which could point to specific Internet distribution hubs which in turn could link to those who had subscribed to the hubs.
But this might be sufficient if the ROCU already had suspicions, based on conventional observation and surveillance, about who the likely criminals were. After that investigators could look at the content of the messages and photos in each evidence pack. In a number of instances the photos were unambiguous in showing individuals; in others there were photos of locations and vehicles of significance. The text messages might show nicknames, names of partners, children and pets.
Where the location of a phone kept moving it was possible to trace journeys, indicating moves from wholesalers to local dealers and from there via couriers along the “county lines” by which a Merseyside gang might ultimately be supplying street dealers in the UK’s South-West. Police frequently make use of link analysis software which can take quantities of communications data and other data sources and present them visually to show who contacted whom over a period of time and across a location map.
The narcotics trade has its own slanguage but it was fairly easy to decode and the conversations recovered were highly informal. Examination of Messages, Notes and Contacts within the evidence pack provided considerable detail of the activities of the owner of the EncroPhone. As a result in many instances police investigators could show whole transactions with dates, locations, travel, people involved, money paid and quantities of narcotics supplied.
Admissibility
The French decision to declare their tool/implant a national defence secret and not share details with the NCA let alone provide information and a witness for court created significant difficulties. There were also potential problems about how the French obtained their warrants to run Operation Emma on handsets and at the OVH server. Not the least of these was cross-border jurisdiction – how far and in what circumstances do the UK courts accept “foreign” legal authorities?
One early route invoked by prosecutors was to seek to invoke a doctrine that records of computer evidence should be presumed to be accurate unless proven otherwise. This doctrine is now under severe questioning following the Post Office Horizon trials and the UK Home Office has been consulting about a revised doctrine. But this route would have failed once defence experts were able to show anomalies in the records.
UK law is unusual in that it says that while warrants to intercept the contents of telecommunications traffic can be obtained the results cannot be used in court and inferences that the contents may have been obtained by this means cannot be made either. However if the same content can be found stored on a device then it can be admitted.
This oddity started with the Interception of Communication Act, 1985 (IoCA). Historically the telephone system had been part of the General Post Office, a government department, and only split off as British Telecom in 1981 and privatised in 1984. Carrying out eavesdropping on phone calls had been relatively informal between police and a government department, requiring a Home Office Warrant – a HOW. But a case in 1984 involving an antique dealer went to the European Court of Human Rights (ECtHR) which decided that interception without clear legal basis violated the right to a private life. IoCA set out arrangements for warrants to be issued but the decision was made to keep the results inadmissible in order to protect methods, capabilities and personnel and worries about the costs of data storage and transcription – and the implications of disclosure. The inadmissibility feature was carried on in IoCA’s follow-up, the Regulation of Investigatory Powers Act, 2000 (RIPA) and again in a modified form in the Investigatory Powers Act, 2016. By then what was intercepted was not just analogue telephone voice calls but a great deal of digital material – Internet traffic, emails, web browsing, social media.
The overall result is that police can only use intercept as intelligence material, not as evidence. The intelligence could be used to obtain admissible evidence such as the results of surveillance and raids – and material found stored on computers and phones. This remains the position today despite a number of enquiries by committees and articles by analysts who say that intercept should now be admitted and treated like all other types of evidence. The current law is in s 56 and Schedule 3 para 2 Investigatory Powers Act 2016.
One consequence is that interpretations of when something is “stored” and when it is “in transmission” have become increasingly difficult. Emails, for example, do not go directly from the originator’s device to that of the recipient – they are stored at facilities owned by the recipient’s Internet Service Provider. This is so that the email is still received even if at the time of original sending the recipient’s device is offline or out of range. But where is storage occurring – on the originator’s device prior to sending, at the ISP, on the recipient’s device? And if so, in what circumstances is the traffic being captured “in the course of transmission”? And what are the start and end points of a “telecommunications service”? There are other examples of “store-and-forward” operations and of “caching” of data.
These difficulties created problems when the EncroChat/Venetic cases came to court.
From the perspective of the NCA and the Crown Prosecution Service seeking successful prosecutions they had to argue that the evidence packs had originated from storage on the handset. The tool/implant inserted by the French via its Gendarmerie Cybercrime Department unit C3N had plainly involved hacking even if the internal details were not being disclosed. UK legislation provides for law enforcement to apply for and get an appropriate warrant and the harvest, unlike that for intercept, is admissible. The arrangements were made explicit in Part 5 of the Investigatory Powers Act 2016 (IPA). Investigators had to make a request to, in this case, the head of the NCA and then, under a “double lock” provision introduced into IPA, get a sign off from judicial commissioners (current and former judges) at the Investigatory Powers Commissioners Office (IPCO). There were two categories of warrant – Targeted and Bulk. As the names suggest, a targeted warrant was against identified individuals, a bulk warrant against a class or category of persons but is directed at “overseas-related communications”. Targeted warrants can also be “thematic”, against an identifiable group – s 101 IPA. Law enforcement could only get a targeted warrant, bulk warrants were solely for the intelligence and security agencies.
The warrants were for “Equipment Interference”. The slightly convoluted term was used because there were already warrants for property interference – used when audio and video bugs/listening devices were installed on premises and vehicles.
NCA sought advice. The French were not going to help but did engage in informal conversation. However at various stages they referred to “interception” as simply acquisition by any means and not in the more specialised English legal sense of traffic captured in transit between devices. Lawyers were also consulted and provided sufficient comfort so that the targeted equipment interference route – now given the acronym TEI – could go forward as part of a prosecution case. IPA has a Code of Practice for equipment interference and also guidance on how IPA interacts with the UK’s main legislation on computer hacking – the Computer Misuse Act 1990.
Project Venetic and later Operation Venetic was largely kept secret from all but those who absolutely had a need to know, and was only publicised when in mid-June 2020 Encro publicly announced it had been breached and was closing down. Europol issued a release and held a press conference. The need for secrecy was prompted by fear that once the breach was known the targets of the operation would take evasive action. Only a small group within the NCA and law enforcement were within the secrecy circle.
The evidence packs had started to become available from April 2020 and these had prompted investigations including attribution exercises and the examination/interpretation of the text messages and photos. Arrests and charges started quite early on after mid June 2020.
Overseas Evidence
Investigators in the ROCUs started to turn the content of the evidence packs into narratives about conspiracies and their activities. It is these narratives that would form the basis for eventual charges. Each evidence pack showed with whom the handset owner had been in contact, at what times and, from the message detail, for what purposes. ROCU detectives already knew that narcotics trafficking depended on a hierarchy of actors – importers, high level wholesalers, major dealers, minor dealers, couriers (of drugs and cash) and street dealers. It became clear that all of these apart from the street dealers used EncroPhones.
Link analysis software was used to map out relationships but also movements over time. It was in some instances possible to show the structure of “county lines” operations where a Liverpool based dealer might have substantial end-user customers in Plymouth.
What also became clear from these analyses was that some top-level players were not based in the UK. Their messages and photos could be seen in the evidence packs of those based in the UK, but actual evidence packs directly attributable to these players were not available because Operation Emma/Europol distributed evidence packs on the basis of the location of the cell towers being used. The owners being based in Dubai or Spain or the Netherlands, their evidence packs were not provided to the NCA.
In order to create a picture of the activities of these overseas actors, intelligence analysts assembled artificial evidence packs using as source material the interactions with UK based individuals. These artificial packs were referred to as “virtual packs” and “overseas packs”.
These packs lacked a lot of the detail to be found in the regular evidence packs. In addition, to the extent that the evidence packs used to compile the virtual packs lacked reliability, the virtual packs would be deficient as well.
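The attribution steps described above (dividing the harvest by the “234” and “235” cell-site country codes, inferring an approximate home location from the most frequently seen cell, mapping who contacted whom, tracing journeys, and spotting counterparties for whom no pack of their own arrived) can be illustrated on a handful of constructed records. The following is an added example, not code from the article, the NCA or Europol; the record layout (handle, peer, ts, mcc, lac, cid) and every value in it are invented, since the article says the real pack format was never made clear.

```python
"""Attribution-style analysis over constructed EncroChat-like records.

Added example. Field names and values are assumptions, not the real
evidence-pack schema. 234 and 235 are the UK mobile country codes the
article refers to; 424 stands in for a non-UK code.
"""
from collections import Counter, defaultdict

# Constructed sample: one row per message seen on a handset, with the serving
# cell (mobile country code, location area code, cell id) at that moment.
SAMPLE = [
    {"handle": "sharpfox", "peer": "bluemoon", "ts": "2020-04-02T09:10", "mcc": "234", "lac": "1042", "cid": "55011"},
    {"handle": "sharpfox", "peer": "bluemoon", "ts": "2020-04-02T21:30", "mcc": "234", "lac": "1042", "cid": "55011"},
    {"handle": "sharpfox", "peer": "tallpalm", "ts": "2020-04-03T08:05", "mcc": "234", "lac": "1042", "cid": "55011"},
    {"handle": "sharpfox", "peer": "bluemoon", "ts": "2020-04-03T14:40", "mcc": "234", "lac": "1088", "cid": "60230"},
    {"handle": "bluemoon", "peer": "sharpfox", "ts": "2020-04-02T09:12", "mcc": "235", "lac": "2201", "cid": "71002"},
    {"handle": "bluemoon", "peer": "sharpfox", "ts": "2020-04-02T21:31", "mcc": "235", "lac": "2201", "cid": "71002"},
    {"handle": "tallpalm", "peer": "sharpfox", "ts": "2020-04-03T08:06", "mcc": "424", "lac": "3300", "cid": "90001"},
]

UK_MCCS = {"234", "235"}


def split_by_jurisdiction(records):
    """Group records by the country code of the serving cell, which is how the
    article says the harvest was divided into national evidence packs."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["mcc"]].append(r)
    return dict(buckets)


def uk_records(records):
    """Only what a UK agency would have received."""
    return [r for r in records if r["mcc"] in UK_MCCS]


def home_cell(records, handle):
    """Most frequently seen (lac, cid) for a handle and its share of sightings.
    This is only approximate: a cell can be over a mile wide in a city and
    far wider in the country."""
    cells = Counter((r["lac"], r["cid"]) for r in records if r["handle"] == handle)
    if not cells:
        return None
    (cell, n), = cells.most_common(1)
    return cell, round(n / sum(cells.values()), 2)


def contact_graph(records):
    """Who messaged whom and how often: the raw input of link analysis."""
    graph = defaultdict(Counter)
    for r in records:
        graph[r["handle"]][r["peer"]] += 1
    return {h: dict(c) for h, c in graph.items()}


def journeys(records, handle):
    """Successive distinct cells a handset used, in time order."""
    rows = sorted((r for r in records if r["handle"] == handle), key=lambda r: r["ts"])
    path = []
    for r in rows:
        cell = (r["lac"], r["cid"])
        if not path or path[-1] != cell:
            path.append(cell)
    return path


def peers_without_own_pack(records):
    """Handles that appear only as counterparties in the UK material: no UK
    pack of their own was delivered, the situation the 'virtual packs'
    tried to address. Note that their side of the conversation is
    reconstructed entirely from other people's packs."""
    uk = uk_records(records)
    own = {r["handle"] for r in uk}
    return sorted({r["peer"] for r in uk} - own)


if __name__ == "__main__":
    print("jurisdictions:", sorted(split_by_jurisdiction(SAMPLE)))
    print("home cell of sharpfox:", home_cell(SAMPLE, "sharpfox"))
    print("contacts:", contact_graph(SAMPLE))
    print("journey of sharpfox:", journeys(SAMPLE, "sharpfox"))
    print("peers without their own UK pack:", peers_without_own_pack(SAMPLE))
```

Running it shows tallpalm’s own record landing in the non-UK bucket while tallpalm still appears as a counterparty in sharpfox’s UK material, which is exactly the gap the virtual packs were built to fill; anything derived this way inherits whatever defects the source packs have.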
Defence Postures
Those accused contacted solicitors who in turn wanted to get appropriately experienced barristers on board. Solicitors and barristers sought out the small handful of us who might act as expert witnesses to explain the evidence. To those who called I said that I already knew quite a bit about the functionalities of EncroPhones. As an independent expert witness with an over-riding duty to the court I could accept instructions from defence interests, though I did establish with those who ran the NCA Experts’ Register that there would be no conflict of interest with my earlier role. I had not been involved in the NCA’s work under Project and Operation Venetic.
What was obvious to defence lawyers, even on the most cursory reading of the legal bundles provided to them, was that it would be far better for their clients if the Encro evidence packs, the messages and photos, never reached a Crown Court jury, by getting them declared inadmissible. The clearest argument would be to visit the “from storage or in the course of transmission” implications of the prosecution case. Once experts became involved they asked whether the evidence packs could in fact be relied on. But before all of that there was an over-riding question – can you have a fair trial when a critical part of the evidence is being withheld and cannot be tested? Following on from that: if the French continued to withhold detail, how far would it be possible for defence experts to reverse engineer the Dutch/French processes, if necessary by carrying out their own detailed hardware and software examinations?
All of these main questions had associated further sub-questions.
The mechanism by which these questions could be resolved was a series of Preliminary Hearings. Most Crown Court trials start with hearings well before the actual trial when lawyers and the judge discuss how many days the trial will require, which evidence might be agreed and which witnesses need to be called. But there are also opportunities to discuss any outstanding legal issues in a voir dire (trial within a trial) and situations where defence lawyers seek further disclosure from prosecutors. There are nearly always reporting restrictions and defendants are referred to in documents by alphabet letters rather than their actual names. The aim is to ensure that the eventual trial is not prejudiced by what jury members may have accidentally picked up.
Whereas there was, in effect, initially only one main prosecution team, each defendant had their own set of solicitors and barristers. Whilst the defence experts, most of whom knew each other well, would have liked to work together, the lawyers operated rather more separately. This was partly to protect their clients in case some defendants pleaded and said things which might compromise those who wanted to go to a full trial, and partly because some of the barristers wanted individual glory for what was obviously going to be an exceptionally interesting and challenging set of cases.
The first case likely to come to trial was against a Merseyside gang at Manchester Crown Court. Many of the issues arose there in preliminary hearings which later went to appeal. But for the purposes of this article I am going to concentrate on the main issues and arguments though in fact they emerged over several cases and several hearings and over several years.
Continuity, non-disclosure/hearsay
There were two overwhelming features visible at the outset: lack of continuity, and refusal to provide details of acquisition methodology.
“Continuity of evidence” is also sometimes referred to as “chain of custody”. It is that for any physical object or any electronic material produced in evidence there should be a complete explanation of its provenance and then a further complete explanation of all that has happened to it until it is produced in court. For a physical object – a knife, gun, cash, phone – it starts with a photo of the object in situ accompanied by a statement by a police officer. There will be a specialist Exhibits Officer. Typically the object is placed in a bag which is then sealed; the bag has a unique serial number which is recorded in an exhibits book – bagged and tagged. The object is then transported to secure storage. It may be taken out for examination later and on several occasions for forensic examination; each time fresh bagging and tagging takes place and each person involved signs off on their activities. For electronic material a similar process is used; a “hash” or unique digital signature is created at the earliest possible time, notes made of exact copies created, examining technicians provide notes for all their activities. The hash can be checked later to show that the source electronic material remains unaltered. The reason for requiring records of continuity is to show that the evidence has not been tampered with or inadvertently contaminated. In the Venetic cases detailed continuity was only available once the evidence packs created by the French in their Operation Emma were received by the NCA. The French did not provide explicit continuity.
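The continuity record just described, as an added example in Python (not from the article or any agency's tooling): the material is hashed at the earliest possible point, each handling step re-hashes it, and a later check separates an integrity failure (the hash changed) from a continuity failure (the record does not begin at acquisition, which is the position the French material was in). All names, times and exhibit contents are constructed.

```python
"""Continuity ("chain of custody") check for an electronic exhibit.

Added example, not from the article or any agency's tooling. All names,
times and exhibit contents below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ContinuityRecord:
    exhibit_ref: str
    entries: list = field(default_factory=list)  # chronological audit trail

    def log(self, event: str, person: str, when: str, data: bytes) -> None:
        """Record one handling step; each step re-hashes what it worked on."""
        self.entries.append({"event": event, "by": person, "at": when,
                             "sha256": sha256_hex(data)})


def check_continuity(record: ContinuityRecord, produced: bytes) -> list:
    """Return the problems found; an empty list means continuity is intact.

    Two distinct failures are reported: integrity (the hash changed at some
    step, or the material now produced differs from the earliest hash) and
    continuity (the record does not begin at acquisition, so nothing vouches
    for what happened to the material before the first entry).
    """
    problems = []
    if not record.entries:
        return ["no continuity record at all"]
    first = record.entries[0]
    if first["event"] != "acquired":
        problems.append(f"record starts at '{first['event']}', not at acquisition")
    baseline = first["sha256"]
    for prev, cur in zip(record.entries, record.entries[1:]):
        if cur["at"] < prev["at"]:  # ISO-8601 strings compare chronologically
            problems.append(f"step '{cur['event']}' is out of time order")
        if cur["sha256"] != baseline:
            problems.append(f"hash changed at step '{cur['event']}' by {cur['by']}")
    if sha256_hex(produced) != baseline:
        problems.append("material produced does not match the earliest recorded hash")
    return problems


# Constructed exhibit contents standing in for an evidence pack.
EXHIBIT = b"constructed evidence pack: handle=alpha, 42 messages"


def full_record() -> ContinuityRecord:
    """A record that begins at acquisition, as the guidelines expect."""
    rec = ContinuityRecord("EXH/0001")  # constructed reference
    rec.log("acquired", "DC Example", "2020-06-01T08:00:00Z", EXHIBIT)
    rec.log("forensic copy made", "Exhibits Officer", "2020-06-01T09:00:00Z", EXHIBIT)
    rec.log("examined", "Analyst A", "2020-06-03T14:00:00Z", EXHIBIT)
    return rec


def received_only_record() -> ContinuityRecord:
    """A record that only starts when the pack arrives from abroad: the
    material may well be intact, but nothing documents its earlier history."""
    rec = ContinuityRecord("EXH/0002")  # constructed reference
    rec.log("received", "Receiving officer", "2020-06-10T10:00:00Z", EXHIBIT)
    rec.log("examined", "Analyst B", "2020-06-12T11:00:00Z", EXHIBIT)
    return rec


if __name__ == "__main__":
    print("full record:", check_continuity(full_record(), EXHIBIT) or "intact")
    print("received only:", check_continuity(received_only_record(), EXHIBIT))
    print("altered copy:", check_continuity(full_record(), EXHIBIT + b"!"))
```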
The second overwhelming feature of the prosecution case was that it was unable to show how its main exhibits, the Encro evidence files, had been created, because the French had declared their tool to be a national defence secret. In a regular criminal trial the police have collected evidence and the CPS has selected a series of charges. The prosecutor stands up before a jury (in a Crown Court trial) and says s/he will persuade jurors by producing the evidence and making arguments, while the defence counsel invites the jurors to test the evidence and listen to any explanations a defendant makes. The assumption is that the evidence is there to be tested.
At this point we need a bit of an interlude to see how the law and the courts deal with potential evidence where the Prosecution wishes to avoid publicity for certain items of evidence.
In a criminal case the Prosecution has an obligation to disclose “to the accused any prosecution material which has not previously been disclosed to the accused and which might reasonably be considered capable of undermining the case for the prosecution against the accused or of assisting the case for the accused”. This is laid down in s 3 Criminal Procedure and Investigations Act 1996. The duty to disclose is ongoing and continuing; the defence is expected to provide a Defence Case Statement outlining their main arguments, for example alibi, misconstrued prosecution evidence, incorrect application of the law, and so on. Disclosure obligations are also strongly implied under Article 6(1) ECHR.
Where prosecutors wish to withhold some disclosure they can apply to the court for a Public Interest Immunity (PII) certificate. A typical example is to protect the identity of an undercover witness – a CHIS or Covert Human Intelligence Source – on the basis that their life may be placed in danger. A judge has to conduct a balancing test – the need to protect sensitive information against a defendant’s right to a fair trial.
In the case of Equipment Interference, it could be claimed that revelation of technical methods might lead them to be compromised for future use. In fact it looks as though PII is frequently sought for EI. IPCO issues statistics for the number of TEIs granted each year to law enforcement agencies – there are separate statistics for the intelligence and security agencies – and annually there are between 1000 and 1300. Very few of these result in court appearances. A typical situation might be that the TEI is used to access suspects’ computers and phones and the resulting intelligence then informs the next steps in an investigation. If the computers and phones are later seized in a raid or otherwise acquired the court-tendered evidence comes from their physical examination – about which there is no need for secrecy. And that points to how a judge normally makes a ruling about PII – is the Prosecution able to make its case from other evidence and not expect a jury to accept evidence which cannot be tested?
Back now to the specifics of Operation Venetic. The duty of the Prosecution is limited to what it has in its possession. Prosecutors did not have details of the Dutch/French tool and so could not be required to disclose it. There was also the question of how they were going to explain to the court how the Encro evidence packs had come into existence.
The French had made it very clear that they would not provide a witness or a direct witness statement. Any French witness who appeared would be committing an offence under French law. What UK prosecutors did have were NCA officials who had attended meetings with the French and with Europol and the notes they had made. It will be recalled that the UK had tried quite hard to obtain French witnesses.
But what the NCA had was not direct evidence but hearsay. In the classic explanation: if A hears B say that they (B) had murdered someone, A’s evidence is limited to what they heard B say, not proof that B committed murder. Hearsay evidence is normally inadmissible. There are however exceptions. Under s 116 (2) (c) Criminal Justice Act 2003 a judge has discretion to admit hearsay if the relevant person “is outside the United Kingdom and it is not reasonably practicable to secure their attendance”. In this instance the person was an officer of the French Gendarmerie.
This was enough for the judge in the early hearing – he made his arguments quite carefully. At the Court of Appeal it was accepted that he had applied the section 116 exception correctly and it was not for an appeal court to question the facts he had considered. On this basis the Encro evidence packs were admissible.
From Interception or Storage?
This takes us to the “interception or storage?” arguments. The French hearsay material didn’t clearly address this and the Prosecution said that at that stage they had not been able to reverse engineer the Operation Emma processes. But what experts, prosecution and defence, had was their knowledge of how the Android operating system and messaging apps normally work. The Encro phones, however modified, were based on Android.
An early defence analysis was provided for the first preliminary hearing, but the judge said that while he could take it into consideration he could make up his own mind. Here is a paraphrase of what he concluded: We are talking about two classes of message. Messages sent and received were stored on the handset for (usually) 7 days and then automatically deleted or “burnt” – Phase 1. These 7 days’ worth of messages were obviously “from storage” and thus admissible. But the other messages, the bulk of them, were not stored and had been deleted. How then was the tool able to acquire them? Phase 2. The judge went on to say that it is agreed that Encro messages were end-to-end encrypted. That meant that encryption and decryption took place only on the handsets. Quite visibly in the evidence packs the messages were unencrypted, so they could only have come from storage on the handsets, even if the messages had only existed very briefly while they were being collected. Those other messages were therefore admissible as well.
Over several cases and in other preliminary hearings a series of alternative explanations came from defence experts. Even though we don’t know how the tool worked, an entirely feasible explanation is that the tool/implant modified or disabled the end-to-end encryption so that the session keys for messages became known to the French investigators. They could then decrypt at their own facilities on a server which they controlled. This would then be interception and the results, the tendered evidence packs, would be inadmissible. There were supporting arguments for this hypothesis – that the traffic leaving the handset would be smaller and therefore more efficient, and that the volume of messages was such that the server would require load balancing facilities, which in turn could only function on unencrypted data.
A further problem, not very extensively followed up, was referred to earlier – where does “storage” end and “in transmission” start? There were particular difficulties with the way in which photos were passed between Encro owners – they didn’t go to the recipient’s handset direct; instead the recipient received a message to say that the photo was waiting on a server at OVH but could be summoned down on request. Is the photo on the server “in storage” or “in transmission” between the sender and the originator? And what has the tool/implant captured?
As far as the courts were concerned it was the “from storage” argument that prevailed.
In turn defence experts said that they really needed to find out how the tool/implant functioned and asked for access to the hardware for examination. I cover this below.
There were some further associated defence concerns. One was whether the circumstances were such that a targeted warrant was valid. Was the information that was provided to the judicial commissioners at IPCO when they exercised their “double lock” warrant authorisations as full and candid as it should be? Did the way in which the warrants were applied in fact amount to “bulk” interference, on the basis that they appear to have been used against all Encro users and not just those who were suspected of criminality? Were the criteria met for a “thematic” targeted equipment interference warrant? In early statements the NCA made it clear that in its opinion the only users were criminals. Bulk equipment interference warrants are only available to the intelligence agencies, not law enforcement. Again, the UK courts were accepting the evidence packs on the basis that they were properly authorised under French law – but was this the case? Arguments about French warrants and European law continue.
Evidence testing – reliability
The NCA and Crown Prosecution Service, as far as can be discerned from the available papers, considered that the evidence packs they received were reliable. The French provided firm assurances that everything they had done had been fully and exhaustively tested. Defence experts felt, even on a cursory view of the evidence packs, that they should query this. Perhaps this was a route to evidence exclusion and even if not, might provide important arguments in a substantive trial.
The route to possible exclusion is via s 78 Police and Criminal Evidence Act 1984 (PACE):
(1) In any proceedings the court may refuse to allow evidence on which the prosecution proposes to rely to be given if it appears to the court that, having regard to all the circumstances, including the circumstances in which the evidence was obtained, the admission of the evidence would have such an adverse effect on the fairness of the proceedings that the court ought not to admit it.
It is a matter for judicial discretion though in practice judges are reluctant to exclude in other than the most extreme circumstances. Counsel can make their arguments only for judges to say that while they recognise the possible presence of unreliability they would not withdraw the material but leave a jury to make up its own mind.
ACPO Guidelines Compliance
Since 1998 UK police have had a series of published guidelines about the handling of computer-derived evidence. They cover such matters as avoiding contamination when collecting and, where possible, carrying out examinations on forensic copies of evidence such as hard disks and phones so as to leave the original intact. The guidelines were originally issued by the Association of Chief Police Officers (ACPO), which has since been replaced by the National Police Chiefs’ Council (NPCC), and the guidelines have subsequently been updated as computer technology has evolved. But the Principles remain unaltered.
Principle 3 says:
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4 says:
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
The ACPO Guidelines are not statutory which gives limited wriggle room if they are not followed.
After October 2023 there was some statutory guidance in the Code of Practice of the Forensic Science Regulator. The FSR had existed, albeit originally in a shadow format, since 2008 but had only properly come into existence after an Act of 2021. A key feature of the Code is that all methods for examination and testing need to have been fully validated. Validation is a formal external process. But non-compliance does not make the results inadmissible. All that is expected is that a court may take into account the consequences of a failure.
The ACPO Guidelines appear in a slightly different form in a 2015 publication of the European Network of Forensic Science Institutes (ENFSI).
Under Operation Emma the French gendarmerie provided neither validation nor an audit trail for the functioning of its tool, the actual extractions and the subsequent processing prior to delivery to Europol’s SIENA. Once the evidence packs were in the hands of the NCA an audit trail could be discerned, including all the stages by which they were delivered to investigators at the ROCUs.
Arguments in front of judges that s 78 PACE should be applied were not accepted; judges were not prepared to withdraw the material from juries. But counsel was free to try to persuade juries at trial.
Viewing of evidence
The experts started to look at the evidence packs. Most of the evidence seen by digital forensics experts comes in a small number of well-established and well-tested forms – forensic images of hard disks and smartphones, telecommunications call data records, banking and credit card transaction records. But what was being provided under Operation Venetic was entirely new. The easiest initial way to view was via the CSV files which could be read into Excel spreadsheets.
There was very little by way of explanation for a number of the columns in the spreadsheet. Some could be guessed at – “body” of messages, “from” and “to” – but what did “dateCreated” and “dateRead” mean: the actual time of the message, the time when it was captured by the tool, the time it was processed by the French server, the time the recipient read the message? What were “nicknames”? What was the significance of all of the many columns beginning “contact_extra”? The “source” column was a bit clearer – “DB” signified the message came from the data stored on the device prior to being “burned”, the Phase 1 collection; “Live” came from the Phase 2 collection from temporary storage. Over a period some clarity was obtained, partly as a result of interactions between defence experts and the main NCA technical expert. A particular initial puzzle was resolved when there was an understanding of how “images” (photos) were handled by Encro, which was different from regular text messages.
But there were other problems visible on casual viewing. Not all the evidence packs had an identical number of fields (columns in the spreadsheet), some had more than others. A number of disparate messages seemed to be occurring at the same time. There appeared to be gaps when messages were not being recorded.
The NCA had asked themselves questions whether the traffic was acquired from storage or collected in the course of transmission but appears not to have queried the reliability of the material. The French repeated that everything had been carefully tested using the highest standards. Leading NCA officers said that the evidence packs were in line with their expectations of what TEI evidence looks like.
Testing Evidential Reliability
If the French are unwilling to provide details of their methods, if there is no audit trail for crucial activity and if usual standards for handling evidence are not followed, how else may we test for reliability? There appear to be three possibilities:
- Finding Another Source for the same data: The obvious alternative source for each evidence pack would be the handset with the same IMEI, hardware identity, as the evidence pack. This route occurred to the NCA but with very limited results. After the announcement that Encro had been breached many users dumped and destroyed their phones. Of those that were recovered the NCA lacked the passcodes to give them access. Of those that they were able to get into there was poor date matching – the dates for messages on the handset didn’t easily align with the dates of the messages in the evidence file. At best the results of this test were inconclusive. Much later an EncroPhone with aligning dates was found but here there were further puzzles – some of the messages could not be matched, leading to the hypothesis that they had been mis-sorted – assigned to the wrong IMEI. However this hypothesis cannot be fully proved.
- Looking for Internal Consistency in the records being produced: This route required the use of software to look for matches of messages and images, or situations where that didn’t occur. How this was done appears in the next section.
- Looking at the Content of the Messages for corroboration: In practice this was, from the perspective of the Prosecution, the winning strategy. The text messages and photos were examined in order to attribute an evidence pack and Encro “handle” to a real person but often they went much further. Details of drug deals and other activity could be linked to evidence obtained by surveillance, hits on the Automatic Number Plate Recognition (ANPR) system for which there are 90 million vehicle “reads” daily from more than 18,000 cameras nationwide in the UK, mobile phone movements and in some instances photos of people, places, and drug packages. As we have seen, investigators in the ROCUs became adept at showing how various deals and courier runs had taken place.
Computer aided analysis
One defence expert, Duncan Campbell, thought it would be useful to test the Encro data for internal consistency by using a computer program. The approach involved taking several evidence packs from “handles” that had been contacting each other, feeding them into a relational database and then formulating queries. The full evidence pack was used rather than the CSV conversions.
The most obvious query was message matching. If handle A sends a message to handle B then there should be copies of the message in the evidence packs of both A and B. He and the other experts with whom he shared his ideas found that there were very high rates at which message matching didn’t take place, or at least was not being recorded. A message might be sent but apparently not received, and messages were received without apparently having been sent. Similar failures could be found in the methods by which photos were transmitted and shared. Failures in excess of 20% were common, sometimes much higher. Most of these failures could not be explained by one handset not being operational at the time, as its evidence pack showed there was some activity. Nor could they be fully explained by saying that owners had selectively deleted some messages.
Other queries were able to show when, for each handset, it appeared that the tool/implant had stopped working and sending data to the French, only to be restarted later. Sometimes there were extensive gaps and the tool/implant worked less than half the entire period during which Operation Emma was run. Another set of tests looked at the way in which images/photos were sent. Soon the results of these tests started to appear in defence expert reports.
The main prosecution technical expert decided to write his own similar program. Significantly he did so using a different programming environment from that used by Campbell’s programmer. He came up with very similar results. In the end the courts asked the defence and prosecution experts to harmonise their programs so juries did not have to deal with two similar but non-identical results. Over a period of time more queries and tests were added.
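The two queries described above, message matching between packs and gaps in collection, as an added example in Python over SQLite; this is not Campbell’s program or the NCA expert’s, and the packs, handles and messages are constructed. The column names follow the CSV columns the article mentions (from, to, body, dateCreated, source with DB for Phase 1 and Live for Phase 2).

```python
"""Internal-consistency queries over EncroChat-style evidence packs.

Added example, not the program described in the article. The packs below
are constructed: each is the list of messages as seen from one handle's
pack, in the order (from, to, body, dateCreated, source).
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample packs keyed by the handle whose pack they are.
# "DB" = Phase 1 (stored on the handset, pre-burn); "Live" = Phase 2.
PACKS = {
    "alpha": [
        ("alpha", "bravo", "m1", "2020-04-01T10:00:00", "DB"),
        ("alpha", "bravo", "m2", "2020-04-01T10:05:00", "DB"),
        ("alpha", "bravo", "m3", "2020-04-02T09:00:00", "Live"),
        ("alpha", "bravo", "m4", "2020-04-02T09:30:00", "Live"),
        ("alpha", "bravo", "m5", "2020-04-10T08:00:00", "Live"),  # after a long gap
    ],
    "bravo": [
        ("alpha", "bravo", "m1", "2020-04-01T10:00:00", "DB"),
        ("alpha", "bravo", "m2", "2020-04-01T10:05:00", "DB"),
        ("alpha", "bravo", "m4", "2020-04-02T09:30:00", "Live"),  # m3 never arrives
        ("bravo", "alpha", "m6", "2020-04-02T11:00:00", "Live"),  # absent from alpha's pack
        ("alpha", "bravo", "m7", "2020-04-03T12:00:00", "Live"),  # alpha's pack never sent it
    ],
}


def load_packs(packs=PACKS) -> sqlite3.Connection:
    """Load the packs into an in-memory database, one row per message per pack."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (pack TEXT, sender TEXT, recipient TEXT, "
                 "body TEXT, created TEXT, source TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?, ?)",
                     [(pack, *row) for pack, rows in packs.items() for row in rows])
    return conn


# A message in pack P that P sent should reappear, field for field, in the
# recipient's pack; the mirror query finds messages received with no trace
# of their sending. {own}/{other} are fixed column names, not user input.
UNMATCHED_SQL = """
SELECT s.pack, s.sender, s.recipient, s.body, s.created
FROM messages s
WHERE s.{own} = s.pack
  AND s.{other} IN (SELECT DISTINCT pack FROM messages)
  AND NOT EXISTS (
      SELECT 1 FROM messages r
      WHERE r.pack = s.{other} AND r.sender = s.sender AND r.recipient = s.recipient
        AND r.body = s.body AND r.created = s.created)
ORDER BY s.created
"""
CHECKED_SQL = """
SELECT COUNT(*) FROM messages s
WHERE s.{own} = s.pack AND s.{other} IN (SELECT DISTINCT pack FROM messages)
"""


def match_report(conn: sqlite3.Connection) -> dict:
    """Failure counts for 'sent but not received' and 'received but not sent'.

    Only messages whose counterpart pack is present are counted as checked."""
    report = {}
    for label, own, other in (("sent", "sender", "recipient"),
                              ("received", "recipient", "sender")):
        checked = conn.execute(CHECKED_SQL.format(own=own, other=other)).fetchone()[0]
        unmatched = conn.execute(UNMATCHED_SQL.format(own=own, other=other)).fetchall()
        report[label] = {"checked": checked,
                         "unmatched": [row[3] for row in unmatched],
                         "failure_rate": len(unmatched) / checked if checked else 0.0}
    return report


def collection_gaps(conn: sqlite3.Connection, min_gap=timedelta(days=3)) -> dict:
    """Per pack, the periods longer than min_gap with no recorded activity at all.

    Any row counts as activity: the question is whether the implant was
    reporting, not whether a particular message matched."""
    gaps = {}
    for (pack,) in conn.execute("SELECT DISTINCT pack FROM messages ORDER BY pack"):
        times = [datetime.fromisoformat(t) for (t,) in conn.execute(
            "SELECT created FROM messages WHERE pack = ? ORDER BY created", (pack,))]
        gaps[pack] = [(a.isoformat(), b.isoformat())
                      for a, b in zip(times, times[1:]) if b - a > min_gap]
    return gaps


if __name__ == "__main__":
    db = load_packs()
    for label, result in match_report(db).items():
        print(f"{label}: {len(result['unmatched'])}/{result['checked']} unmatched "
              f"({result['failure_rate']:.0%}): {result['unmatched']}")
    print("gaps:", collection_gaps(db))
```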
The prosecution then had to admit that the French tool/implant could not be wholly relied on. The prosecution position was that the content of each message did not appear to be compromised and that many of the messages could be relied on. The defence maintained that the record of transactions and activity between defendants was obviously incomplete. In some instances there appeared to be indications that there was also mis-sorting – messages intended for a specific person were recorded as delivered to another person altogether. There were particular concerns about the position of suspects who had been based overseas and whose evidence packs were “virtual” assembled from elements in UK evidence packs which were themselves incomplete. In addition the absence in the evidence packs of any voice calls meant that the court was only getting a partial view of the activities of an accused and that the missing traffic, if it had been obtained, might cast a rather different light on events.
In some of the later UK trials, defendants who had been based outside the UK and had been extradited back started to appear. When defence lawyers drew attention to the defects of virtual packs, prosecutors considered introducing evidence packs which had been collected within the countries where the defendants had been living. What was curious was that the evidence packs from Dubai-based phones were significantly different from those associated with UK-based phones. The information was supplied simply as CSVs rather than the “raw” and “json” files also present in the UK packs; moreover the formats seemed to change within the files, indicating a less than rigorous methodology. As far as I know these overseas-sourced packs were not presented in evidence and the trials were pursued on the basis of the virtual packs.
Attempts to persuade judges to exclude the evidence under s 78 PACE were unsuccessful but the failures were explained to juries in many Venetic trials. I used the findings of these computer analyses in many of my own reports.
Disclosure/Reverse Engineering
While the reliability and storage/transmission arguments were going on other defence experts were attempting to understand the French tool/implant and the operation of the server by using reverse engineering.
In order for reverse engineering to take place, experts required:
- an EncroPhone that had not been subject to the tool/implant and with an available bootpin/access code
- an EncroPhone that had been subject to the tool/implant and with an available bootpin/access code
- an image copy of the Encro server at Roubaix at the relevant time.
Even this short list was problematic as the EncroPhones went through a series of versions – of the hardware platform and of the Encro operating system and apps.
Not unexpectedly prosecutors sought to resist. One argument was that the EncroPhones were exhibits and no regular means of making forensic image copies had been found. There were disputes as to what useful EncroPhones the NCA had in its possession. In addition some of the obvious reverse engineering techniques would result in irreversible contamination of original evidence. This would be particularly true if “chip off” methods were used. In “chip off” the phone is physically opened up and selected chips de-soldered from the motherboard so that they can be placed into specialised examination kit. “Chip off” is a difficult technique which at many points can go wrong; in any event, the phone itself is effectively destroyed and cannot be re-assembled. There were also ad hominem attacks on the qualities of some defence experts.
Several defence teams made a number of appeals to the courts. Defence lawyers alleged a lack of candour on the part of the NCA as to what devices and other potential evidence it actually held. There were also concerns that NCA officials had not maintained all their relevant notes and emails. Phones which had been used for messaging between UK and French technicians/investigators had been replaced. Some technical experts dropped out, one promising team stopped work when its leader, Ross Anderson, unexpectedly died. Not the least of the problems was funding; those on legal aid would struggle to persuade the Legal Aid Authority that this was an effective route. There were however defendants whose families had the resources to commission work.
After more than 4 years the first plausible reverse engineering reports started to appear. Unhappily they were only partially successful in reaching conclusions. Complete reverse engineering success would require full explanations of the functions of the many software modules in the phones and server together with a working model of messages, images etc being transmitted and received. What was delivered – at least to date – is the identification of a number of important software modules and descriptions of their functions.
But these did not provide definitive answers to the key questions defence lawyers wanted.
On the “data acquired from storage or in the course of transmission?” question it appears that both explanations remain viable. In favour of the suggestion that the tool weakened the encryption so that messages could be read at the French-controlled server, it could be said that there would be less traffic in and out of a handset, making it less likely that it would be detected. On the other hand it was not possible to destroy the argument that under end-to-end encryption the only places where messages existed in clear were the handsets, and that the Phase 2 messages must have existed there, even temporarily. But that still leaves arguments about interpreting the distinctions the law seeks to make between “storage” and “in transmission”. The reality is that Parliament in 2016, when IPA was passed, did not consider and anticipate how modern telecommunication traffic and apps would work.
In the end…
Verdicts in criminal trials are arrived at on the basis of the total evidence produced. In many Venetic trials once investigators had made use of the Encro evidence packs they were also able to locate other more conventional types of evidence – unexplained quantities of cash, traces of cocaine and other narcotics, chemicals used to dilute pure cocaine prior to its distribution to end users, vehicles adapted with concealment partitions, guns and so on. In some instances however the only evidence was the Encro material.
Many defendants decided, having recognised the failure of the admissibility arguments, that their best interests were to plead and expect the courts to give a discount on their sentences. Others wanted and got a full Crown Court trial.
Some EncroChat users migrated to Sky.ECC and some to Anom, the encrypted phone system with a permanently open backdoor to the FBI, Australian authorities and others.
Sky.ECC, Anom
Sky.ECC, the similar service also investigated by the Dutch, did not make as much of an impact in the UK as EncroChat. This is almost certainly due to what is sometimes called the “network effect” – once a certain level of popularity has been achieved there are strong motivations for newcomers to join it rather than rivals, because of the strength and size of the community it holds. But in many overseas jurisdictions Sky.ECC was popular and many of the legal arguments being advanced in their cases also have implications for views about EncroChat. The reference to “ECC” is to Elliptic Curve Cryptography, the family of public-key cryptography the service used.
Whereas my knowledge of EncroChat is largely direct from personal experience and access to sources this brief account of Sky.ECC has had to rely on third parties.
The company appears to have been launched in 2008 by Jean-François Eap in Canada. The hardware platforms used included Blackberry, Nokia, Google and Apple. The features were very similar to those seen in EncroChat, including end-to-end encryption, self-destructing messages and a remote kill-switch. At its height, world-wide it had, according to some accounts, over 170,000 subscriptions, mainly in Belgium and the Netherlands but also in North America, Colombia, Brazil, Mexico and the Middle East. A more realistic figure might be 70,000 active accounts, still larger than EncroChat.
The service was raided in March 2021 by Belgian police. Three days after the Belgian operation the US Department of Justice issued indictments against Eap and an alleged former distributor Thomas Herdman under US anti-racketeering legislation. The US authorities had held back in order to give the Belgians a free run. Herdman found himself extradited to France. Another reason for the agreed delay by the US authorities was to force Sky.ECC’s customers on to Anom, the phone service which the FBI controlled.
There appear to have been several locations for servers but one of them was OVH, as used by Encro.
No more is known of the hacking and retrieval tool used by the Dutch, Belgians and French than for its EncroChat equivalent; the method remains secret. The output, as with Encro and Operation Emma, was distributed via Europol. Belgian police say that the various joint teams had access to over 1 billion messages.
In the UK after the close-down of EncroChat in June 2020 several subscribers moved to Sky.ECC. However I have been unable to trace any instance where the Sky.ECC evidence was directly challenged, on either admissibility or reliability grounds. The best-known trial was of eight individuals finally convicted in November 2025 after trials at Winchester and Salisbury Crown Courts. At least two of the accused had had EncroChat phones. The non-Sky.ECC evidence included the results of conventional police surveillance, findings in drug raids, vehicles modified with hidden compartments and the results of examining and cross-referencing dealing and telecommunications records.
Legal challenges to the Sky.ECC evidence in other jurisdictions have included lack of compliance with Article 6 of the European Convention on Human Rights (ECHR – guarantee of a fair trial), the validity of the French warrants to collect data, the extent to which these warrants impact on proceedings in other jurisdictions, concerns that the emergency threats to life facility was being abused, the extent to which a jurisdiction should accept evidence that cannot be tested and allegations that the French failed to notify overseas jurisdictions that they proposed to carry out cross-border investigations. There have also been queries about the reliability and completeness of supplied data. In Spain there have been claims that Spanish investigators had direct access to live intercepts, and not the daily compilation packages which featured in the UK EncroChat material. There are further allegations of evidence tampering. Within each affected jurisdiction there have been specific subsidiary arguments about process and privacy. In the United States there is the ongoing case of a former boxer, Goran Gogic, alleged to be involved in an 18-tonne cocaine importation. Defence lawyers in a number of jurisdictions have accused investigators and prosecutors of “forum shopping” – evading local laws about warranting and admissibility by saying that the relevant evidence has been obtained – lawfully – from another jurisdiction.
The story of Anom is extensively written up in Joseph Cox’s book Dark Wire. Some users had handsets from EncroChat, Sky.ECC and Anom.
Observations
Some readers may have noticed how few are the references to specific cases, hearings, trials and named individuals. This is deliberate. In many of the cases there were multiple arguments – it would have been necessary to say something about the defendants, explain the circumstances and quote from judgements. In some instances there were multiple preliminary hearings over several days. One of the rulings in an early preparatory hearing runs to 129 pages. This article could easily be twenty times the length. In addition I was instructed in a significant number of Venetic cases and even though there were guilty pleas and findings of guilt there are still possible aspects which are covered by confidentiality. I do not wish to have to worry about where I may stray.
Instead I have made this article an exercise in journalism rather than academic scholarship. I hope I have reflected the gist of the interesting and novel dilemmas and decisions, and that this means it finds a wider and broader readership. I also hope that those who have had direct involvement in Venetic trials will understand why particular details and wrinkles are not fully referred to.
Here are some observations.
The statistics of convictions, quantities of narcotics and cash, threats to life averted tell their own story. At one level Operation Venetic has been a significant success. Officers and intelligence analysts in the NCA and in the ROCUs used considerable skills to use the Encro evidence packs to identify serious organised criminals, their organisations and their activities and to enable charges to be framed.
But the criminal justice system works on precedents. There is formal legal precedent setting when the decision on a point of law by a higher court binds lower courts. There are also less formal precedents involving investigatory procedures – if a particular method is evolved and deployed to address a serious problem on one occasion what happens when it is later used in far less serious circumstances? There are a number of features of how Venetic progressed which must give cause for concern. There are also areas which point to some reform of legislation and associated Codes of Practice and the Criminal Procedure Rules.
1. Can you have a fair trial if evidence can’t be tested?
The most concerning is the decision to prosecute when the central evidence cannot be tested because the supplier had said they were unwilling to reveal the technical method. Parliament’s view of the need for fair trials is, among other things, shown by the decision to have a statutory Forensic Science Regulator who prescribes requirements and standards for the testing of forensic science methods and tools. The French made their tool/implant a national defence secret but the UK prosecution went ahead. The FSR did not become a statutory body until the related Act came into force in April 2021 and the FSR Code was only formalised in October 2023, but the general intentions were clear by 2008. Police views on the obligations of handling computer-derived evidence were set down in 1998, with Principle 3 requiring an audit trail of all processes and that “an independent third party should be able to examine those processes and achieve the same result.”
It is also instructive to look at the Criminal Practice Directions and its expectations of expert evidence:
7.1.3 In addition, in considering reliability, and especially the reliability of expert scientific opinion, the court must be astute to identify potential flaws in such opinion which detract from its reliability, for example:
- being based on a hypothesis which has not been subjected to sufficient scrutiny (including, where appropriate, experimental or other testing), or which has failed to stand up to scrutiny;
- being based on an unjustifiable assumption;
- being based on flawed data;
- relying on an examination, technique, method or process which was not properly carried out or applied, or was not appropriate for use in the particular case; or
- relying on an inference or conclusion which has not been properly reached.
The courts discounted all these arguments and in the end there was an agreement between prosecution and defence that the tool was defective and did not capture all the activity one might reasonably expect.
The inability to test applied not only to reliability but also to a judicial finding that the material had been obtained from storage and not in the course of transmission. Although the judge who made that finding did so carefully and his conclusions are plausible they do not eliminate the alternative explanation that the tool/implant modified the encryption method such that data could be read between handsets and not just on handsets.
Declaring the French Encro material inadmissible would not necessarily have prevented charges being laid. The Encro files could still have been used as intelligence though not as direct evidence. The intelligence would have provided vast detail into the activities of organised crime groups and their membership and that could have been used for surveillance and raids on properties and on vehicle stops. In many of the successful Venetic prosecutions the Encro evidence was only part of what had been gathered by police investigators.
2. Interception law
Considerable amounts of time were expended on determining whether the Encro tool/implant was engaged in interception and we are surely now at a point where we should abandon the special status of intercept material. Back in 1985 when the inadmissibility rule was introduced the main traffic was voice-based and the telephone equipment had no storage ability, consisting in effect of a microphone, a loudspeaker and a dial. Intercept was what was gathered between two telephones either along a wire or at a telephone exchange. Today most traffic is digital and nearly all devices which communicate have storage capacity. IPCO says that in 2023 there were 3376 targeted interception authorisations but 4574 in 2022.
The arguments historically advanced in the subsequent numerous reviewing committees no longer make sense. Looking at transcription costs: back in 1985 it meant someone listening to voice conversations and typing them out, but digital material doesn’t need transcription and voice-to-text software is extremely accurate. Turning to storage costs: this used to mean quantities of magnetic tape or paper bundles but today a fingernail-sized 1 TB micro SDXC card costs £90 and can hold 500 million pages of simple text or 100 million formatted pages or over 500 movies each 1 hour long. A 10 TB external hard disk costs £200. The problem of making proper disclosure while protecting the privacy of innocent third parties: this is an existing difficulty for stored digital data including that on smartphones, PCs and corporate systems – it is not unique to intercept material – and AI techniques for searching against criteria can assist. And worries about disclosure of methods of interception: most interception will take place at the premises of and in association with the equipment owned by telecommunications companies and major Internet service providers including social media. There are published standards – by ETSI and CALEA – for how intercept can be reliably captured and preserved and one can easily find advertisements for specialised capture hardware and software. Where these are not used prosecutors can still make PII applications for non-disclosure. But there are still problems about interpreting the separation between storage and “in transmission” where systems may find it very convenient to temporarily store data – “store and forward” – as it moves from sender to recipient.
3. Problems for judges – training, access to technical advice
The Venetic hearings provided significant challenges to judges. At various points they were asked to interpret a complex item of legislation one consequence of which could have resulted in declarations of inadmissibility, understand a novel forensic tool and the implications for admissibility and reliability, consider applications that evidence should be excluded for gross lack of reliability, consider defence applications for disclosure and understand the functioning of the software used to analyse the evidence packs. At the heart of some of the judgements are balancing tests – the revelation of technical and other sensitive material under the disclosure rules against the need for a fair trial and the need to preserve the privacy of individuals.
The 2016 Investigatory Powers Act has some 272 sections and 10 Schedules. Elsewhere I have written about difficulties in some of its definitions and in particular about problems arising from extending the definition of “communications data”, which attempted to preserve the inadmissibility of content. The legal definitions do not easily match the definitions used by Internet engineers. Particular problems arise out of the “telecommunications definitions” in s 261, the concept of “secondary data” in s 137, what is meant by “interception-related conduct”, where a “telecommunication system” starts and ends and Schedule 3, which contains exceptions to the main inadmissibility section – s 56. There are other sections which also require interpretation.
The French said that they would not disclose the operation of their tool/implant yet judges had to assess how it worked.
The December 2020 ruling in R v Coggins and others at Liverpool Crown Court, which was later upheld by the Court of Appeal in R v A, B, D & C [2021] EWCA Crim 128, is instructive to read, all of its 129 pages and almost 42,000 words, because of the large number of legal and technical issues involved. The hearing lasted over 14 days. This is what the judge said:
At the outset it is worthwhile to record a number of preliminary points. Firstly, as I observed during the course of the hearing, whilst the expert evidence is capable of providing assistance in relation to technical issues which it cannot be assumed would be within the knowledge of the court, such as the components and operation of a mobile phone and the apps that are commonly operated within it, the expert evidence alone cannot provide the answer to the legal questions which need to be resolved, such as whether the EncroChat material properly falls within section 4(4)(a) or 4(4)(b) of the 2016 Act. Secondly, and in a related fashion, whilst in providing a technical explanation the experts might use terms such as “stored” from their scientific perspective, that is not a substitute for a legal judgment in relation to that term when it is used within the legislation. Thirdly, whilst the expert evidence has been provided to assist the court in relation to the technical issues, the court still needs to form its own conclusions in relation to, for instance, the operation of the implant.
The ruling and appeal are very closely argued though it appears that the judge did not seek direct independent advice on the technical issues but relied on what he heard in court. The judge did not directly consider the problem of allowing evidence where facilities for testing were being deliberately withheld.
In other trials there were extensive arguments about disclosure – the criteria for releasing evidence packs, what those evidence packs contained and, for those experts seeking to reverse engineer the French techniques, what the prosecution should be ordered to disclose. Judges had to understand complex issues around the underlying technologies; not all succeeded.
There do not appear to be substantive regular arrangements for judges to obtain advice independent of the submissions of prosecution and defence. If they exist they were not used. The extent and quality of relevant judicial training also needs examination.
There are related problems for the judicial commissioners at IPCO who grant interception and equipment interference warrants. IPCO does have access to technical advice via a Technical Advisory Panel – TAP. IPCO annual reports tell us who the members are and also something of their activities. The weakness is not their lack of technical competence but that in order to serve on the TAP extremely high levels of security clearance are required. That process tends to exclude experts with criminal defence experience who might have a more questioning approach to some of the issues EncroChat/Venetic has presented.
4. Equipment Interference procedures / Standards for TEI
The current Code of Practice for Equipment Interference (issued under Schedule 7 of IPA 2016 in relation to Part 5 of IPA) explains the various terms used in the Act, interactions with other items of legislation and the processes for applying for warrants. But it does not cover reasonable expectations for achieving reliable evidence by this class of method. There do not appear to be any published standards in the way there are for the remote acquisition of stored data on computers and phones or communications data from telecommunications companies and Internet service providers.
5. Broader Revision of Legislation
The current Investigatory Powers Act dates from 2016 and much has changed in terms of IT hardware and software facilities, the evolution of new commercial structures and the functioning of the Internet. The types of digital evidence potentially available expand all the time. It is not surprising, and in the eyes of many commendable, that digital forensic technicians examine each new type for how it should be acquired and handled – but also for the benefits to investigations. But there can then be problems in applying existing, older legislation to the new circumstances, as can be seen in a number of the Operation Venetic judgements. Judges are being asked to interpret law by looking at Parliament’s intentions but in situations which had not at the time been considered or anticipated. Interception, mentioned above, is only one issue.
There is a broader aspect as well – striking the right balance between law enforcement powers in order to keep the public safe and safeguards for the privacy of individuals and protections against abuse. In a democracy the extent to which the police and intelligence agencies should have powers of surveillance and the controls placed on those powers is a matter for Parliament. Novel investigatory techniques appear and are being deployed without adequate discussion and scrutiny by parliamentarians. Ten years since 2016 is too long a gap. Here are my comments on a review held 5 years after IPA 2016 came into force.
Articles
- Encrochat: The hacker with a warrant and fair trials? Radina Stoykova FSI:DI
- Digital evidence, police investigations, and lessons learned from EncroChat: Is it time for a new framework for the admission of digital and communication evidence? Cerian Griffiths, Adam Jackson Criminal Law Review, (7), 436–457.
- Intercepted Communications as Evidence: The Admissibility of Material Obtained from the Encrypted Messaging Service EncroChat: R v A, B, D & C [2021] EWCA Crim 128 Cerian Griffiths, Adam Jackson
- ‘It takes one to know one’: analyzing the EncroChat operation in light of article 8(2) ECHR and existing surveillance frameworks, Clementine Bosland https://arno.uvt.nl/show.cgi?fid=162749
- Encrochat and Sky ecc Data as Evidence in Criminal Proceedings in Light of the cjeu Decision Vanja Bajović, Vesna Ćorić https://brill.com/view/journals/eccl/33/3/article-p235_002.xml
- Legal Aspects of the EncroChat Operation: A Human Rights Perspective J.J. Oerlemans and D.A.G. van Toor https://brill.com/view/journals/eccl/30/3-4/article-p309_006.xml?ebody=Article%20details
- Evidence from hacking: A few tiresome problems Peter Sommer FSI:DI https://doi.org/10.1016/j.fsidi.2022.301333
- Counter-Terrorism, Ethics and Technology, Adam Henschke, Alastair Reed, Scott Robbins & Seumas Miller, Advanced Sciences and Technologies for Security Applications, 2021 https://library.oapen.org/bitstream/handle/20.500.12657/52393/978-3-030-90221-6.pdf?sequence=1#page=150 – in particular the chapters An End to Encryption? Surveillance and Proportionality in the Crypto-Wars, Kevin Macnish, and Privacy, Encryption and Counter-Terrorism, Seumas Miller and Terry Bossomaier
- LSE Briefing on Interception Modernisation Programme
- Encro Update 25 Bedford Row 2023
- Two applications concerning remote retrieval of EncroChat user data and their transfer to UK authorities declared inadmissible ECHR 244 (2024)
- Dark Wire, Joseph Cox, Public Affairs, Hachette, 2024
- Details about European judicial proceedings: www.joint-defense-team.com