EncroChat - Another Sad Day for Privacy & Encryption
Let's discuss the privacy and encryption concerns related to the new EncroChat provider.
Introduction
It has been a fair few months since the EncroChat story has been in the media, yet the effects and fallout from the whole thing are certainly still ongoing. Despite it being a while since any mainstream articles have featured it, I still deem it essential to talk about, not because I’m interested in the impact it has had on the criminal world, but rather because of the effect it is having on the idea that privacy &, more specifically, encryption techniques are too strong.
EncroChat - What is it?
If you’re not involved in the privacy world, or it isn’t really a priority of yours, you might not have heard about EncroChat. To understand the points I would like to make, I first need to explain & explore EncroChat as a business & service.
EncroChat was a privacy-focused communications network & service provider based out of the Netherlands. EncroChat offered two primary services: “secure phones” and a network contract to allow your phone access to their proprietary network.
The EncroChat devices had a large number of privacy-centric features consisting of both hardware & software measures. For example, the phones had their camera, GPS, microphone, and USB data port disabled and totally removed. This was to stop unnecessary information from being leaked. Arguably the most significant privacy feature would be the total removal of GPS tracking & any GPS-enabled modules. In addition to this, a panic wipe feature would allow a user to type a PIN from the lock screen and instantly wipe the device’s data. This is a feature we see in other “secure phones”, and it is massively important for a whole host of different users. A good example would be journalists & whistleblowers, who are routinely forced by law enforcement to unlock their devices, more often than not without a legal basis. There are many more privacy features that Encro provided, which you can view at a cached version of their website https://encro.co.
By no means is Encro the first company to come out with such a product, nor by any means would I say they “did it best”; after all, there are hundreds of these phones, and they all more or less have the same features. I’m also not suggesting Encro is nothing new. I never personally used the product, and therefore I cannot outright say that they weren’t improving standard concepts. What’s interesting is the popularity that this product gained specifically; in fact, it gained so much popularity that a global multi-government movement came into play to take it down due to its significant use in the criminal underworld. As I mentioned previously, I am not particularly interested in the impact the takedown has caused in the criminal underworld, but instead, I am really interested in the fact this whole thing is very likely to become another bargaining chip in the ongoing effort to weaken personal privacy & encryption by governments across the globe.
Law Enforcement Response to EncroChat
The first documented discovery of Encro phones by law enforcement came in 2017 from the French National Gendarmerie while conducting independent operations against organised crime gangs. A few incidents happened in the UK where it was believed that Encro phones had played a part. As such, the NCA attempted to gain access to the phones as part of a murder investigation in the UK; however, the NCA struggled to access the devices since a total wipe was performed if an incorrect passcode was entered on the device too many times. Due to this, the devices piqued the interest of multiple governments, and in 2019 the investigations accelerated after the EU granted funding.
After a few months of collaboration, the NCA, National Gendarmerie, and Dutch police were able to access & read messages that were being sent across the network. This access came after the National Gendarmerie installed malware on the Encro servers, which were being hosted in France. This malware allowed them to read messages and, in addition to this, record screen lock passwords of individual devices. On the 15th of March, after successfully gaining access to around 50% of the devices in Europe, the National Gendarmerie formed a specialist unit to investigate the hacked information. From here, an agreement was signed with the Dutch police to form a Joint Investigation Team (JIT) via Eurojust with the support of Europol. Now that a JIT was formed, the data retrieved from the hack was shared with other European partners such as the UK, Sweden, and Norway.
On April 1st, 2020, the NCA began to receive data from the investigation and promptly began to analyse all of that data to identify & locate offenders. In May 2020, the device wipe feature was disabled by law enforcement in another malware attack. Initially, the company tried to push an update to devices believing what had happened was a bug, but then law enforcement launched further malware attacks, which meant they could actually alter the lock screen passwords of individual devices. On the night of the 12th-13th June, Encro finally suspected that law enforcement was launching sustained attacks on their devices. At that point, they pushed the following message to the devices:
Today we had our domain seized illegally by government entities(s). They repurposed our domain to launch an attack to compromise the carbon units. ... Due to the level of sophistication of the attack and the malware code, we can no longer guarantee the security of your device. ... You are advises [sic] to power off and physically dispose your device immediately.
A few days later, an email address associated with Encro sent an email to Vice Motherboard stating that the platform had no choice but to shut down, and that pretty much concludes the story in terms of the response from law enforcement on this platform. Even now, law enforcement is still going through data obtained from the malware, and arrests are continuing to be made off the back of that data. Now that you’ve read the takedown story of Encro, I want to talk about this whole situation and, more specifically, raise points about how Encro was taken down.
A Disaster for Privacy & Privacy Systems?
One thing that should stand out in the above account of the situation is how the platform was brought down. See, it certainly isn’t the first time that a government illegally took down a platform, that’s for sure. What strikes me as impressive is that this was all because they, more or less, assumed that the platform was being heavily used by organised crime groups. That leaves me with one question: does that make it justified? I mean, is the takedown of the platform justified because their assumption led to a large number of criminals being captured & arrested?
This situation really falls under the question “Should we break encryption & encryption systems because terrorists are using it?” and if you know me, you know what side of that coin I fall on. Personally, I do not believe that this was a justified response towards the technology or the company. While international law might deem that the takedown was totally legal, I feel strongly that doesn’t make it right.
The problem I have when things like this occur is that innocent users are caught up in the whole thing, and in some cases, innocent users are put in danger. The biggest example here would be journalists & whistleblowers. The second thing that bugs me is that this sets a further precedent that governments hacking or breaking technology designed for privacy is okay because “we’re catching bad guys”. What I mean by this is that when the next system comes along that the “bad guys” are using, law enforcement has yet another example that “if we break it (illegally or not), then we’ve done a good thing!”. To the general public, this mantra is obviously something they are going to believe in. After all, the general public feels like their law enforcement agency just made things safer for them, and in a way, they did. But what about the rest of us? What about the people that care for privacy and, even more so, the people that need privacy at all costs? What happens to those people? Truthfully, that’s a whole new conversation for a recent article because it’s such a huge topic to explore, and it really does fall in with this entire “crypto is too strong” argument that governments are pushing.
Conclusion
This post might seem relatively futile to some of you. In fact, you might be wondering why I am writing about this so long after the peak, especially when this whole timeline can be found elsewhere on the Internet. Ultimately, I am writing this to spark the conversation around privacy, privacy systems, and governments’/law enforcement’s response to them. I deem it very important that we continue to explore and develop this conversation around how these things are handled and, ultimately, why privacy should trump the crimes committed via these platforms.
I might use this post as a springboard to launch another article sometime centered more around those points and really explore my opinion, but for now, you have this half-assed case study, which hopefully provokes a few thoughts in those that care about privacy & perhaps some that didn’t until now.