Law enforcement sources have described it as an embarrassment of riches, a treasure trove that led to raids across Europe and in Dubai this week that were said to have brought down a super-cartel controlling a third of the European cocaine trade.
“It was as if we were sitting at the table with the criminals,” the executive director of Europol, Catherine De Bolle, said in a recent interview.
The cracking of an encrypted communication app known as Sky ECC, said to be the “best-in-class security”, and the deliverance into the hands of FBI agents and police officers in Europe of 1bn messages sent among 120,000 users, has been a gift that keeps on giving.
The US attorney’s office had gone public with the triumph of code-cracking last March in an indictment against Jean-François Eap, the chief executive of the Canada-based firm Sky Global, which owns communications technology, accusing him of participating in a criminal enterprise “that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications devices”.
A blizzard of arrests followed, starting with last year’s raids in Belgium and the Netherlands at the level of the street lieutenants and culminating in this week’s Operation Desert Light and the arrest of 49 suspects hiding out in luxury properties in Spain and Dubai, including six alleged global kingpins.
The incinerators in Belgium are said to be unable to cope with the sheer scale of cocaine being seized at the port of Antwerp, while Dubai’s prisons are playing host to a veritable who’s who in the organised crime world, many with links to Daniel Kinahan, the alleged Irish crime boss and friend to the two-time world heavyweight boxing champion Tyson Fury.
The audacious piece of law enforcement follows in the fashion of other recent eye-grabbing policing initiatives, including the FBI’s intriguing discovery of a private key to unlock a bitcoin wallet in which Colonial Pipeline Co paid $5m (£4m) in ransom to cyberhackers.
Questions are beginning to be raised, however, in the case of Sky ECC and the cracking of other encryption services, about whether this audacity may have gone too far.
A legal motion, brimming with internal emails and documents, filed by lawyers acting for Sky Global as part of an attempt to reclaim 116 internet domains that it claims were seized unlawfully by the FBI and other law enforcement agencies, argues that lines are definitively being crossed that should worry us all.
Eap, publicly condemned as a friend to organised crime but described by friends as a tech startup nerd who has never even smoked a cigarette in his life, is said to be shattered, regarding himself as collateral damage in a tech arms race between organised criminals and their law enforcement foes.
The Sky ECC encryption platform emerged in 2013 “in response to global increases in cellphone hacking and high-profile data breaches”, according to the motion filed at a US district court in southern California.
Sky Global sold secure devices with the app preloaded on to distributors around the world. While WhatsApp targeted average customers, Sky ECC was more niche. “Individuals and industries with heightened privacy concerns … consisting of government entities, military contractors, celebrities and members of the legal, healthcare and financial industries.”
An email contained within the file suggests that at one stage in 2018 Sky Global offered free samples of the phones to Ontario provincial police. The company also knew, of course, that such a piece of technology could be useful to criminals. They insist, however, that they took every measure available to reduce the risk. One exhibit in the file from May 2020 chronicles how Sky Global’s support team received a request from a reseller named “Kaan” in Germany asking the company to urgently wipe the contents of two phones.
“PLEASE HELP! Two customers have problems with the police. Their devices were confiscated. Please delete two devices and the Sky app.”
The support team responded that they would not wipe a device “that we know is subject to a valid legal investigation”. The email added: “It should be noted that our software automatically erases all data at least every seven days [fewer, if the user changes their settings] and we are unable to prevent such data from being erased.”
The company argues that simply because their technology could be used for nefarious purposes does not mean it was designed for the world of organised crime.
“What has happened here is the equivalent of the government seizing Apple.com because drug dealers use iPhone encryption features to communicate with each other,” Sky Global’s lawyers wrote.
The lawyers have a further argument too. When Sky ECC was closed down, leading to the release of 27 staff members and 14 contractors, an opening in the secret communications market was created. One that the FBI was keen to exploit.
From 2018, an encrypted service known as Anom had been gathering momentum in the criminal underworld despite its cost of $1,700 for the handset and a $1,250 annual subscription. What its users did not know was that Anom was an FBI invention and every message on it was being read by law enforcement.
With Sky ECC down, Anom enjoyed what the FBI admit was exponential growth in its customer base, with 6,000 customers switching over.
The closure of Sky ECC, its lawyers claim, was in part an effort “to bolster a separate law enforcement operation at the expense of a thriving and legal private business”.
The dramatic scenes of recent days, with photographs emerging of once cocky men, allegedly responsible for no end of suffering, being led away from their pads in Marbella and Dubai, may be seen to justify law enforcement’s means.
But a further concern has arisen that is being echoed in cases being heard in UK courts. No one outside a small circle of people, and specifically the French authorities that seem to have been instrumental in accessing a Sky ECC server in their country, can say how the messages were hacked or even whether the data can be relied upon.
The Italian supreme court ordered prosecutors last month to disclose how the Sky ECC data had been retrieved, arguing that it was impossible to have a fair trial if the accused is unable to access the evidence or assess its reliability and legality, a position supposed by the NGO Fair Trials. Whether prosecutors choose to do so could determine whether the arrests made this week lead to convictions or not.
Prosecutors in the UK face a similar dilemma in relation to the hacking of EncroChat, another secret messaging platform that had the added facility of a “panic” button that when pressed would immediately erase the phone’s contents.
In the UK, evidence obtained from live monitored communications where the interception was conducted in the the country is deemed unreliable. French officials were again instrumental in the hack and prosecutors will need to show that the interception took place in France but are loath to do so.
“The reality is that nobody knows or certainly nobody in this country knows the truth of what they actually did do and that’s part of the problem”, said Julian Richards, the head of Reeds solicitors’ complex crime team and the lawyer for some of the defendants charged following the EncroChat hack.
With legal questions over the provenance of the communications intercepted in both Sky ECC and EncroChat, there will be concern at Europol HQ and elsewhere about whether the treasure unearthed proves to be fool’s gold – and what rights have been traipsed over in the gathering of it.