Months earlier, police across Europe, led by French and Dutch forces, revealed they had compromised the EncroChat network. Malware the police secretly planted into the encrypted system siphoned off more than 100 million messages, laying bare the inner workings of the criminal underground. People openly talked about drug deals, organized kidnappings, planned murders, and worse. The hack, one of the largest ever conducted by police, was an intelligence gold mine—with hundreds arrested, homes raided, and thousands of kilograms of drugs seized. But it was just the beginning. Fast-forward two years, and thousands of EncroChat users across Europe—including in the UK, Germany, France, and the Netherlands—are in jail. However, a growing number of legal challenges are questioning the hacking operation. Lawyers claim investigations are flawed and that the hacked messages should not be used as evidence in court, saying rules around data-sharing were broken and the secrecy of the hacking means suspects haven’t had fair trials. Toward the end of 2022, a case in Germany was sent to Europe’s highest court. If successful, the challenge could potentially undermine the convictions of criminals around Europe. And experts say the fallout has implications for end-to-end encryption around the world. “Even bad people have rights in our jurisdictions because we are so proud of our rule of law,” Lödden says. “We’re not defending criminals or defending crimes. We are defending the rights of accused people.” Around 60,000 people were signed up to the EncroChat phone network, which was founded in 2016, when it was busted by cops. Subscribers paid thousands of dollars to use a customized Android phone that could, according to EncroChat’s company website, “guarantee anonymity.” The phone’s security features included encrypted chats, notes, and phone calls, using a version of the Signal protocol, as well as the ability to “panic wipe” everything on the phone, and live customer support. Its camera, microphone, and GPS chip could all be removed. Police who hacked the phone network didn’t appear to break its encryption but instead compromised the EncroChat servers in Roubaix, France, and ultimately pushed malware to devices. While little is known about how the hacking took place or the type of malware used, 32,477 of EncroChat’s 66,134 users were impacted in 122 countries, according to court documents. Documents obtained by Motherboard showed all data on the phones could potentially be hoovered up by the investigators. This data was shared between law enforcement agencies involved in the investigation. (EncroChat has claimed it was a legitimate company and shut itself down after the hack.) Across Europe, legal challenges are building up. In many countries, courts have ruled that messages from EncroChat can be used as evidence. However, these decisions are now being disputed. The cases, many of which have been reported in detail by Computer Weekly, are complex: Each country has its own legal system with separate rules around the types of evidence that can be used and the processes prosecutors need to follow. For instance, the UK largely doesn’t allow “intercepted” evidence to be used in court; meanwhile, Germany has a high bar for allowing malware to be installed on a phone. Lödden, who is not involved in the case that has reached the CJEU but is coordinating with around a dozen other lawyers involved in European EncroChat cases, says people were offered good deals by judges and took reduced sentences for pleading guilty in some of the first cases he worked on. Since then, he has used several lines of defense. His challenges often involve questioning what legal basis was used to justify capturing the data from people’s devices. Another approach involves questioning the data itself. “You don’t know how the French got the data,” he says. “The only thing that is clear is that it’s not the full data, because there are gaps, and the data they got is not fully decrypted.” There is no set date for the European Court to review the case; although in another high-profile legal challenge, two British EncroChat users have taken their case to Europe’s top human rights court. However, a French case, which is set to be decided this month, could make a difference to other cases across Europe. In October, the French Court of Cassation questioned previous EncroChat legal decisions and said they should be re-examined. “The judge who authorized this measure was not in charge of 60,000 investigations, but only one, and therefore ordered a disproportionate act,” say lawyers Robin Binsard and Guillaume Martine, who are challenging the collection of the data. “We have to defend our clients without knowing how the investigators acted,” they say. Despite the legal challenges, police forces across Europe have lauded the EncroChat hack and how it has helped put criminals in jail. When the hack was announced in June 2020, hundreds of people were arrested in huge coordinated policing operations. Police in the Netherlands discovered shipping containers that were being used as “torture chambers” by criminals. Since then, there has been a stream of EncroChat cases reaching courts and people being jailed for some of the most serious crimes. The data from EncroChat has been a real boon to law enforcement—organized crime arrests in Germany soared by 17 percent following the police busts, and at least 2,800 people have been arrested in the UK. Cases in the UK have seen two men who planned a revenge shooting sentenced to 18 years in jail each, a drug dealer jailed for 14 years for supplying 8 kilograms of cocaine and heroin, and six men jailed for a combined 140 years after plotting to smuggle ecstasy internationally inside the arm of a digger. And in June last year, police in the Dominican Republic reportedly arrested the alleged masterminds behind the EncroChat system itself. EncroChat isn’t the only encrypted phone network police have hacked or dismantled. Law enforcement operations against Ennetcom, Sky ECC, and Anom—the FBI covertly took over the latter and ran the network—highlight broader tensions around encryption. For years, police have complained that encryption stops them from accessing data, while at the same time having multiple alternative ways to get around encryption. In Europe and the US, laws are being proposed that could weaken encryption as the technology becomes the default. Breaking phone networks billed as encrypted and highly secure—some may be legitimate, while others are shadier—raises questions about law enforcement tactics and transparency. “What we’re seeing is that policing authorities and law enforcement authorities are effectively normalizing a policing practice that sets a really dangerous precedent in terms of surveillance,” says Laure Baudrihaye-Gérard, the legal director for Europe of criminal justice nonprofit Fair Trials. Cerian Griffiths and Adam Jackson, law professors at the UK’s Northumbria University who have been analyzing EncroChat legal issues, say there is a “judicial appetite” to use the collected data to convict criminals, but that the correct processes must be followed, as more cases like this may happen in the future. “You want bad people to be prosecuted for the seriously bad things that they’re going to do,” they say. “You just want to make sure that it’s done properly, in a way that is evidentially sound. And that means that they don’t get appeals down the line that undermine those convictions.” One court in Finland has already ruled that data gathered by the FBI from Anom couldn’t be used—the severity of the alleged crimes did not justify the way the data was accessed, local reports claimed. Meanwhile, Italy’s Supreme Court has said the methods used to access Sky ECC messages should be disclosed. More than 100 Dutch lawyers have warned that the lack of transparency around the hacks could create a slippery slope. In the future, the lawyers wrote in an open letter, Signal or WhatsApp could be targeted. “These services are also already placed in a suspicious corner or are likely to get there, while that suspicion is only based on the use of strong encryption and the protection of one’s own privacy.” Jessica Shurson, a lecturer in law at the University of Sussex and a former US prosecutor, says the hacking cases should be included in broader debates about the importance of encryption for people’s security. “They’re finding ways to access encrypted systems, through hacking, through their own malware,” Shurson says. “Can we really say that law enforcement is ‘going dark’ because of encrypted data when we see these cases coming up every couple of years showing that, actually, they can access the encrypted systems?”