Sunday, November 27, 2022

NCA ‘deliberately withheld’ information when seeking EncroChat orders, court hears

The National Crime Agency “deliberately withheld” information when seeking a court order to access hundreds of thousands of messages and photos intercepted from the encrypted mobile network EncroChat, a court heard.

The claim was made this week during the first day of a hearing by the Investigatory Powers Tribunal (IPT), Britain’s most secretive court, in a case that is likely to have significant ramifications for the use of intercepted evidence in criminal proceedings.

As part of Operation Venetic, the National Crime Agency (NCA), in collaboration with law enforcement, previously arrested 1,550 people across the UK and seized 115 firearms, £54m in cash and large quantities of drugs on the basis of information seized by the French Gendarmerie from the EncroChat encrypted telephone network.

The court case follows an appeals court decision in 2021 that found messages and photographs from the EncroChat phone network could be used as evidence in court because they were legally obtained through equipment interference rather than interception.

But lawyers representing the defendants say the NCA failed to give the independent judge, known as a judicial commissioner, who authorized the NCA surveillance order, a full explanation of the basis for their understanding of how the French hacking operation worked.

Matthew Ryder KC told the court that the NCA had decided it wanted a Targeted Equipment Interference (TEI) order, the only order that would allow intercepted EncroChat messages and images to be used as evidence in court.

An analysis of the Investigatory Powers Act showed that the correct order for the EncroChat operation would have been a Targeted Interception (TI) order, Ryder told the court, which would not allow collected EncroChat messages to be used as evidence.

“The NCA started with the result it wanted and tried to fit it into the Investigatory Powers Act. They wanted a TEI and nothing else,” Ryder told the court. “Their motive for it was understandable. They wanted the interception to be available in court.”

The NCA sought approval from the Investigatory Powers Commissioner, Sir Brian Leveson, for a hacking technique without knowing how the technique was carried out. “The obvious risk is that the warrant may be issued in error,” Ryder said.

The NCA made “serious and fundamental errors” in basing its request for an injunction on a position that was “weak at best”.

“The National Crime Agency’s determination to view it as a Directed Equipment Interference and not a Directed Interception led to officers’ willful blindness or, at the very least, a wholly inadequate analysis of the information they are required to present to judicial commissioners,” Ryder said.

Conversation-based order

The warrant request was based on an account of a conversation between an NCA intelligence officer, Emma Sweeting, and Jeremy Decou, the head of the French Cybercrime Center, C3N, after a meeting at Europol in February 2020, the court heard.

“That account should have been treated with much less weight,” Ryder told the court.

Ryder told the court that the NCA “deliberately withheld” information about the “tenuous basis” for the warrant request from the judicial commissioner who authorized the warrant.

“It’s one thing for the National Crime Agency to proceed with tenuous information. Another is not to tell the judicial commissioner,” Ryder said.

“They deliberately took no steps to resolve the tenuous nature of that information. That was a deliberate decision,” he said. “That was a serious mistake.”

The judicial commissioner may have been briefed on the NCA’s account of the intercept technique obtained by Sweeting, Ryder said.

“Information that could allow a judicial commissioner to make an informed decision is important information,” he said.

“The judicial commissioner could say: ‘I can authorize the interception. But I can’t give you a TEI order. I can give you a TI because that covers store and intercept.’”

Europol meeting

Former NCA technical officer Luke Shrimpton, three other NCA officers, along with two or three Scottish policemen and a man from another unidentified agency, met with French and Dutch law enforcement officers at the Europol meeting from February 19 to 21, 2020.

Questioned by defense lawyer Simon Csoka KC, Shrimpton agreed that during the meeting he had not been given a precise idea of how the implant would work.

The court heard that Shrimpton had written “it appears to be interception” in his meeting notes. He also wrote a note asking if the database dumps were intercepted as well.

It was not discussed at the meeting that the EncroChat operation would extract data in two different stages, the technique ultimately used in the operation against EncroChat, the court heard.

Shrimpton agreed that the Dutch had a greater pedigree in decryption at the time, but could not say whether the implant had been designed by the French or the Dutch.

NCA did not scan infected phones

The court heard during Shrimpton’s cross-examination that the NCA had taken no steps to analyze how the French implant worked by allowing one of its EncroChat phones to become infected with the French implant.

Csoka asked: “Put what happened [at the Europol meeting] between February 19 and 21 at its peak, must it have been apparent that there was the ability to get more details by allowing one of the devices to become infected?”

“I didn’t consider that option at the time,” Shrimpton said.

The former NCA technical officer agreed that allowing an EncroChat phone to become infected could provide a definitive answer as to how the implant collected the messages, and that answer could be different from the information the NCA relied on to get its court orders.

Shrimpton said there were no instructions from the NCA not to turn on EncroChat phones after April 1, 2020, when the French hacking operation began, to prevent NCA phones from being infected.

He said he didn’t allow the EncroChat devices he was working with to connect, so as not to alert the EncroChat administrators. No other NCA EncroChat phones were infected, the court heard.

Csoka questioned Shrimpton about Europol meeting notes taken by NCA officer James Wilmott, which recorded that from the information provided at the Europol meeting, prospective data would only be collected from the server “instead of pointing to each device”.

Shrimpton agreed that he was in post-conference discussions every day during the Europol meeting with his colleagues.

But he did not recall any conversation with Wilmott about his conclusions. “If that is proven, I would question the technical validity of the statement,” he said.

NCA developed its own EncroChat implant

Shrimpton agreed that the NCA had developed its own implant to intercept EncroChat data, before the French gendarmerie infiltrated the encrypted telephone network.

He said during cross-examination that he had access to images from EncroChat servers around the end of 2018 that the French police had not provided to the NCA.

But the court heard that Shrimpton could not reveal who supplied the server images because the subject matter was “sensitive”.

An email discussed in court showed that Shrimpton wrote to NCA technical officer Greg Elliot in January 2020 to report that it appeared the French were planning some “significant activity” on EncroChat.

Shrimpton wrote that he suspected the French implant would exploit a CVE (security vulnerability) and be deployed to phones via an update server.

He suspected that the French would intercept messages from the EncroChat server and decrypt them.

The email said that the NCA had developed its own implant, which Shrimpton was considering redesigning to make it “less persistent.”

The implant would take the phone’s database and encryption key, and exfiltrate them before being wiped and removed from the device.

The note said that Shrimpton wanted to make sure the NCA didn’t have a working implant in a device when the French attack took place.

Asked about the email by Csoka, Shrimpton said he believed the French would exploit a publicly known security vulnerability to access EncroChat.

Csoka said a known vulnerability with EncroChat, which used the Signal protocol, was that the random number generator, used for encryption, could be overridden by an attacker.

Shrimpton said he wasn’t thinking about this particular vulnerability, but agreed that it was a known vulnerability.

Under questioning, Shrimpton agreed that he had not disclosed this email to a previous legal hearing: “Clearly I had missed it.”

Shrimpton confirmed that he was able to set up an emulation of the EncroChat system using EncroChat phones purchased by the NCA in 2018.

The NCA obtained a TLS encryption key, which was needed to “spoof” the EncroChat server, in 2018, and a second TLS key from the French in 2020, to perform forensic analysis on EncroChat phones.

Ephemeral storage

The court heard the NCA argue that information can be transmitted and stored at the same time due to the concept of “ephemeral storage”.

Ryder told the court that if this were the case, the implications would be enormous and would destroy the “main and understood” line between what a TEI order requires and what a TI order requires.

“It doesn’t just mean a phone, it means any physical device, your server, your load balancer, anything that touches a communication for a picosecond is a stored communication,” he said.

Reports from the watchdog body, the Investigatory Powers Commissioner’s Office (IPCO), suggested that the NCA was one of the top applicants for TI warrants.

But Ryder said he doesn’t understand why that would be the case if every intercept can be authorized by a TEI warrant.

“We are concerned that the interpretation in these proceedings is not the interpretation that the NCA uses in practice,” he said.

“If they’re right about ephemeral storage, then a live video call on a phone is a stored communication because for one picosecond it’s stored on the device,” he said.

The case continues.

